James McDowell and Camble Murray gave an interesting talk, at the Blackberry Security Conference, on recent trends in cyber security and what we can learn from the last 12 months.
Probably the most quotable aspect was how easy it is to social engineer an attack if the attacker targets people in Sales roles. Apparently, sales people are so eager to make a sale that "they will open anything" on an email attachment. They also claimed, that if the attacker uses "appropriate HR language", then it is quite easy to persuade an HR user to do so too. So there are some communities to focus on with communications and cyber awareness training. It also appears that some security professionals are starting to adopt psychological techniques such as NLP to re-inforce their approaches to building security cultures.
It seems that Ransom Ware and Email targeting for spear fish attacks remain the 2 most prevalent threats, mainly because of the economics of cost and return from such types of attack; generally perpetrators reckon to pick up quite significant returns for relatively modest outlays, given the general availability of many cheap attack kits and the ability to sustain high volumes of attacks, almost guaranteeing that some will succeed.
It also appears that attackers are increasingly using Facebook and other social media platforms to identify individuals who are susceptible to "clicking on things" and profile them for future attacks. So perhaps this is the time to educate people about separating their social media personnae from their work ones, making it much less easy to cross link them.
Th other notable point was the significant number of crypto currency exchanges and wallets which had been targeted for attack. There is something about saying that something is secure that invites the wrong type of attention.
The other big trend is the emergence of the term Cyber Resilience, which is really about how capable a business is in dealing with major security incidents and continuing to operate when under cyber attack. So whilst there is a strong need to deal with security basics systematically, there is also the need to design in security at both an environmental and a project level, when implementing new stuff, there is also the need to have a well oiled and rehearsed approach to managing the response to an attack.
No comments:
Post a Comment