The failure that opened the door for hackers to break into Target’s point-of-sale systems in 2013—resulting in the largest retail breach in U.S. history—wasn’t caused by weak firewalls or flawed security software, but by the gullibility of people. The attack began when malware worked its way into the network of a heating and air conditioning company that services the retail giant, siphoning login credentials to gain remote access to Target’s servers. And it’s likely that all it took for the malicious software to get in and start looting passwords from the unwitting vendor was someone’s decision to open an innocent-looking e-mail with malware hidden inside.
Phishing may be the oldest trick in the hacker’s book, but it’s still the method behind many of the breaches we’ve seen in recent months, according to a security report released by Verizon on April 14. The annual report, widely considered a benchmark in the security industry, this year was based on the details of 79,790 “security incidents” given to Verizon’s researchers by 70 organizations.
Nearly a quarter of people who receive phishing e-mails open them, according to the report, and 11 percent proceed to download file attachments. This is true even for such obvious ploys as a fake e-mail from a bank asking for a password. The report suggests that to curb the human risk, companies should do a better job of filtering messages and “developing and executing an engaging and thorough security awareness program.” But teaching people not to click on scam e-mails turns out to be remarkably difficult.
In 2012, researchers at Columbia University sent 2,000 phishing e-mails of various kinds to students, faculty, and staff at the school. The e-mail that lured the most recipients was a bogus promotion for an Apple iPad. In the first round, 176 users not only opened the iPad e-mails, but also clicked the links within them. According to the study, each of those Ivy Leaguers was then warned “that their behavior made them particularly vulnerable to phishing attacks.”
Several weeks later, the researchers sent another batch of phishing e-mails to those who had been duped. Despite having been warned, 10 of them opened the second e-mails and clicked the links again. Those 10 were then sent another warning and, after another few weeks, another phishing e-mail. Incredibly, three of them opened the third fake e-mail, and got another warning. By the fourth round, no one opened the e-mails.
The Verizon report also suggests that companies adopt “improved detection and response capabilities.” Put simply, companies rarely figure out on their own that they’ve been breached. Increasingly, they don’t know they’re losing data until they’ve been alerted by law enforcement.
Marcus Ranum, a computer security researcher and consultant known for his work in building firewalls, says part of the problem is that it’s common for security systems to overload the people monitoring them with automated alerts, making it difficult to separate urgent threats from more routine warnings.
Worse, security professionals often fail to update their systems with patches for known vulnerabilities, and hackers take full advantage of those weaknesses. According to the report, “71 percent of vulnerabilities had a patch available for more than a year prior to the breach.” In other words, many paths hackers took to break into networks last year could have been rendered dead-ends if someone had installed these updates.
Ranum says it costs companies more in the long run to continually react to intrusions than it would to steer clear of threats altogether by putting more resources into better detection. “Your seatbelt and airbags are great and you’re stupid if you don’t use them,” he says. “But it’s smarter to avoid the semitrailer in the first place.”