Recently hacked? It was probably a bad link that you clicked

When a cyber security breach hits the news, those most closely involved often have incentive to play up the sophistication of the attack.

If hackers are portrayed as well-funded geniuses, victims look less vulnerable, security firms can flog their products and services, and government officials can push for tougher regulation or seek more money for cyber defenses.

But two deeply researched reports being released this week underscore the less-heralded truth: the vast majority of hacking attacks are successful because employees click on links in tainted emails, companies fail to apply available patches to known software flaws, or technicians do not configure systems properly.

These conclusions will be in the minds of executives attending the world’s largest technology security conference next week in San Francisco, a conference named after lead sponsor RSA, the security division of EMC Corp.

In the best-known annual study of data breaches, a report from Verizon Communications Inc to be released on Wednesday found that more than two-thirds of the 290 electronic espionage cases it learned about in 2014 involved phishing, the security industry’s term for trick emails.

Because so many people click on tainted links or attachments, sending phishing emails to just 10 employees will get hackers inside corporate gates 90 percent of the time, Verizon found.

“There’s an overarching pattern,” said Verizon scientist Bob Rudis. Attackers use phishing to install malware and steal credentials from employees, then they use those credentials to roam through networks and access programs and files, he said.

Verizon’s report includes its own business investigations and data from 70 other contributors, including law enforcement. It found that while major new vulnerabilities such as Heartbleed are being used by hackers within hours of their announcement, more attacks last year exploited patchable vulnerabilities dating from 2007, 2010, 2011, 2012 and 2013.

Another annual cyber report, to be released on Tuesday by Symantec Corp, found that state-sponsored spies also used phishing techniques because they work and because the less-sophisticated approach drew less scrutiny from defenders.

Once inside a system, however, the spies turned fancy, writing customized software to evade detection by whatever security programs the target has installed, Symantec said.

“Once I’m in, I can do what I need to,” said Robert Shaker, an incident response manager at Symantec. The report drew on data from 57 million sensors in 157 countries and territories.

Another troubling trend Symantec found involves the use of “ransomware,” in which hackers encrypt a computer’s files and promise to release them only if the user pays a ransom. (Some 80 percent of the time, they do not decrypt the files even then.)

The new twist comes from hackers who encrypt files, including those inside critical infrastructure facilities, but do not ask for anything. The mystery is why: Shaker said it is not clear whether the attackers are securing the information for resale to other spies or potential saboteurs, or whether they plan on making their own demands in the future.

RSA CONFERENCE

At next week’s RSA Conference, protecting critical infrastructure systems under increasing attack will be a major theme. Another theme will be the need for more sharing of “intelligence” about emerging threats – between the public and private sectors, within the security industry, and within certain industries.

While many of the biggest breaches of the past two years involved retailers, the healthcare industry has figured heavily in recent months. Former FBI futurist Marc Goodman said that both spies and organized criminals are likely at work, the former seeking leverage to use in recruiting informants and the latter looking to cash in on medical and insurance fraud.

Verizon’s researchers said that to be most effective, information-sharing would have to be essentially in real time, from machine to machine, and cross multiple sectors, a daunting proposition.

Another section of the Verizon report could help security executives make the case for bigger budgets. The researchers produced the first analysis of the actual costs of breaches derived from insurance claims, instead of survey data.

Verizon said the best indicator of the cost of an incident is the number of records compromised, and that the cost rises logarithmically, flattening as the size of the breach rises.

According to the new Verizon model, the loss of 100,000 records should cost roughly $475,000 on average, while 100 million lost records should cost about $8.85 million.

Though the harder data will be welcome to number-crunchers, spending more money cannot guarantee complete protection against attacks.

The RSA Conference floor will feature vendors touting next-generation security products and anomaly-spotting big-data analytics. But few will actually promise that they can stop someone from clicking on a tainted email and letting a hacker in.
