I was at RSA 2017 in San Francisco last week, and apart from meetings with customers, VCs and the Press, I found a large amount of relevant security news.
Out of the firehose of RSA data, I distilled the 7 urgent reasons why you need to create your “human firewall” as soon as you possibly can.
Employees are your last line of defense and need to become an additional security layer when (not if) attacks make it through all your technical filters.
1. Ransomware heads the list of deadly attacks
SANS’ Ed Skoudis said the rise in ransomware was the top threat. “We’ve seen this can bring down a whole network of file servers and we expect many more attacks”. His advice is that companies practice network security “hygiene” and limit permission for network shares to only those jobs that require it. And of course train your users within an inch of their lives.
2. Phishing leads the IRS dirty dozen of scams
The Internal Revenue Service rounded up some of the usual suspects in its annual look at the Dirty Dozen scams you need to watch out for this year. It should come as no surprise that the IRS saw a big spike in phishing and malware incidents during the 2016 tax season because the agency has been very public about its battle with this scourge.
3. CEO Fraud / W-2 Scams is their close second
Just this month the IRS issued another warning about what it called dangerous, evolving and very early W-2 scams that are targeting a widening swath of corporations, school districts and other public and private concerns. High-risk users in Accounting and HR need to be frequently exposed to simulated attacks using email, phone and text to inoculate them against these attacks.
4. Phone Scams
Your users need to be trained that when they pick up the phone, the person on the other end might be a criminal hacker that tries to manipulate them into getting access to the network. They impersonate “Tech Support” and ask for a password, or pretend to solve technical problems and compromise the workstation.
5. Your Antivirus is getting less and less effective
We all had the nagging suspicion that antivirus is not cutting it anymore, but the new Virus Bulletin numbers confirm your intuition. Virus Bulletin (VB) is the AV industry’s premier “insider site”, and shows how good/bad endpoint detection rates are, but VB also covers spam filters, and tests them on a regular basis.
Both antivirus (aka endpoint protection) and spam filter tests are published in quadrants graphing the results. What most people do not know, is that participants in this industry all share the same samples, and it’s often just a matter of who gets the definition out first, because soon enough everyone else has that malware sample and blocks the hash.
The problem? Proactive detection rates have dropped from about 80% down to 67-70% over approx 9 months.
Now you might think that if AV does not catch it, your spam filter will. Think again.
One in 200 emails with malicious attachments makes it through. That puts the potential for malware making it in your users’ inbox into the millions… every day.
6. The Internet Of Things
Your users need to understand the nature of connectedness. Both consumer and commercial devices are using wireless protocols to connect to each other and the internet, with vendors rushing products to market without proper security features.
Your employees need to be trained to change the default passwords and disable remote access. If your organization has anything to do with critical infrastructure, users need to be aware of the risks and do fire drills so they are prepared for any kind of attacks against the IoT.
7. Over-reliance On Web Services
This break down in two different flavors. First, shadow-IT where employees completely bypass the IT department and create their own storage and services: an invitation to a host of vulnerabilities and data breaches that IT cannot control. Employees need to be enlightened about the dangers of shadow-IT and understand the risks.
Second, web-apps and mobile apps are increasingly vulnerable to attacks while talking to third-party services. There’s no actual certainty that apps are connecting to the expected entity, or if a man-in-the-middle stepped in, stealing data, and possibly returning false information. This is a problem that developers need to solve with industry-strength handshaking and encryption protocols