The internet is a dangerous place, right? Not only is the internet full of hackers trying to steal your corporate information, but they’re also targeting your website and company database to steal credit cards, private health information and other sensitive data to resell on the Dark Web.
This is partially true. But do people really appreciate what the attack surface looks like right now? Internet threats are not just SQL injection attacks or attackers targeting Joomla or WordPress. We tend to hear things about phishing and social engineering, but do people really appreciate the impact these things have on their world?
Would it surprise you to hear that almost 30 percent of the events NTT Security detected in 2016 were related to attacks against end-user technology? That includes things like Internet Explorer and Adobe products – plugins, tools and applications which run on an end-user’s workstation – on your workstation – your laptop which you use every day.
Take a quick glance at cvedetails.com, and you can see that depending on exactly how you count them, easily 16 or 17 of the top 25 most vulnerable products are related to end-user technology – something that runs on your workstation. Sort the list of available vulnerabilities by their score in the Common Vulnerability Scoring System (CVSS), and the numbers are even more interesting – the only products to show an average CVSS of 9.0 or higher (the most critical) are Microsoft Office, Internet Explorer and a variety of Adobe products – all of which run where? On your workstation.
Adobe products are great examples of this problem. Adobe recorded 545 new vulnerabilities in 2016. That’s about 1.5 new vulnerabilities per day. And many of the Adobe vulnerabilities take advantage of memory errors. So, exploits which take advantage of new vulnerabilities can often be created quickly by updating an old exploit – significant vulnerabilities, easy to exploit – what’s not to like?
This has created a situation where, for shorter durations of a few weeks or less, NTT Security shows as much as 60 percent of detections from attacks against end-user technology. And these technologies are the ones being attacked in exploit kits. That means significant numbers of automated attacks are being conducted by all levels of attackers – from rookies to advanced attackers.
And the problem is really not even that gentle. On top of technical problems, add social engineering and phishing attacks. The best industry estimates suggest as many as 60 percent of targeted attacks include some component of social engineering or phishing. If you consider that analysis shows an average of about 30 percent of users click through links in phishing emails, the potential exposure only gets larger. That means if an attacker delivers a phishing email to every employee in an organization with 10,000 employees, it is likely that well over 3,000 employees are going to click through links in that hostile phishing email. That is 3,000 occasions on which user workstations go out and contact the attacker’s hostile website, connecting to attackers’ exploit kits or downloading malware-laden attachments.
Those attachments include malware which runs on the user workstation. They also include ransomware which runs – you guessed it – on the user workstation.
This all adds risk to the user, to their computer, to their data, and consequently, to the entire organization as attackers spread compromise from the user workstation to other systems within the organization. And this threat is not shrinking.
Unfortunately, there is no silver bullet. There are, however, things an organization can do to help manage this risk. While it is a dramatic simplification of these threats, the most important basics when dealing with user security are:
- Build and maintain an active patch/upgrade process. Every vulnerability you can remove from workstations reduces the potential attacks which will work against you.
- Actively manage end-user security. This should include anti-malware and ad-blocker solutions, as well as timely backups which are stored securely.
- Teach users the way security works at your organization. Train them on behavior which can help manage threats, including how to recognize phishing and social engineering attacks, as well as how to report suspected or known attacks.
Ultimately, there is no substitute for a multi-layered security program which is architected to truly manage threats across your entire environment. That should include management of user risk as a single, vital component. Unfortunately, it is a component which many organizations are not emphasizing.