As we head toward 2020, we can expect to see a variety of situation-based phishing attacks. While there will always be attacks based on major events, such as the Super Bowl, Academy Awards, births and deaths relating to celebrities, and the like, there are other big milestones coming up. Here are but a few:
- China’s third space station is expected to launch
- US presidential elections
- Summer Olympics in Tokyo
- The Jeddah Tower, the new World’s Tallest Building, is expected to be completed in Saudi Arabia
When you take into consideration the number of major and minor events slated throughout the year, the opportunities for spear phishing and drive-by phishing attacks are enormous. And with each passing year, the attackers are getting more sophisticated and effective.
Sure, defenders have more advanced products at their disposal, many of which contain the latest flashy defensive technologies, such as artificial intelligence and machine learning. However, the bad actors also have these same tools at their disposal and are adept at making their attacks harder to identify.
While many of the popular defensive techniques still have value — employee training, applications that scan incoming emails to determine if they might be phishing attempts or have an offensive payload, or defensive techniques that simply assume everybody is a potential attacker so no one gets access until they and their devices are authenticated — the bad actors will continue to attack and succeed in greater numbers.
Why? The answer is frighteningly simple. Attackers succeed because users continue to open infected emails, they still click on bad links, and they still fall prey to business email compromises, promises of deals that are too good to be true, photos of celebrities, and requests, sometimes demands, for employees to take actions that will put their employers’ systems under attack. Sometimes users are tricked, but often they might know or suspect that an attack could occur and click anyway.
There is no magic bullet, no panacea that will make all attacks fail and protect every company forever. The best you can hope for is to reduce your attack profile as much as possible, employ the best hardware and software you can to eliminate vulnerabilities as much as possible, and train your staff to make security second nature. Companies also need to share intelligence they gain about attacks to help others defend against attackers they might never have seen before.
It is not a weakness to accept that bad things happen to good companies; it is an acknowledgement that even the best defenses sometimes are insufficient. To that end, companies need to employ a strategy of doing all they can to protect data at rest, in transit, and in memory, along with ensuring that user and automated system requests for access to resources are verified.
When it comes to network security, the assumption should always be that every request for access could be from an attacker, so you need to verify the identity and credentials of incoming requests. But you also need to assume the bad guys are already in the network, so data should be protected before it leaves the network too.
There is a fine line that CISOs need to walk between building secure networks and limiting productivity and operations. Corporate executives will make that risk analysis to determine how far open the proverbial door is kept, but for the CISO, one pop culture phrase should always be top of mind. Kudos go out to JK Rowling, author of the Harry Potter universe, whose character Mad-Eye Moody sets the tone for cybersecurity professionals: Constant vigilance. Without it, bad things happen. With it, fewer bad things happen. That’s just the way it is.