It’s hard to take in any media today without hearing about the seriousness of intra-state hacking today here in the US. Recent events have sprung several important security topics into mainstream discussion. Of the more serious accusations, Russia “interfering” in US elections, a claim that the Russian government was actively involved in “hacking” John Podesta’s email account is cited daily. While I can’t comment on the accuracy of this specific report in general as I don’t have access to that kind of intel, the method of this “hack” is of great interest to me at ChurchDNS.
For me and nearly anyone in the security industry, calling phishing a method of “hacking” is grey at best. Hacking in general involves using exploits to break into systems in order to steal information or do damage. The threat of hacking can be greatly reduced, though never eliminated, with improved IT security practices. On the other hand, phishing involves masquerading as a trustworthy source in order to trick your target into giving up information. In reality, phishing is more of a scam than it is a hack. An organization can have the latest in firewalls, client side virus/malware protection, end-to-end network encryption, and place all system resources into need-to-use only segments. They can spend huge sums of money on these systems and hire top systems security experts to place on staff. Despite all of this, if I can trick someone with access (known as Spear Phishing) into giving me their credentials, I can take information without breaking a sweat, and often without raising an alarm until the damage is done.
What is important to note is that today nearly anyone can run an effective phishing scam. There is no need to write your own code, set up domains and develop trick sites. There are multiple Phishing as a Service tools anyone can use/rent to launch these scams and collect information. These tools also allow scammers to proxy their efforts in order to appear as though they come from any country on earth. Once a scam gets a hit, the information can be used or sold off to the highest bidder. Combine these easy to use applications with the fact that phishing scams target the most vulnerable asset of any company, that is people, and you get why over 90% of internet attacks and malware/ransomware delivery take place over phishing scams today.
Yes, phishing scams are effective and easy methods to steal information from organizations, but the good news is that they are also the simplest and most cost effective to defend against. It’s true that good endpoint security such as DNS filtering can track and block known Phishing URLs, training along with testing via simulation, is the best way to raise awareness of staff and employees. This together with even the most basic of IT security practices greatly reduces the likelihood that your organization’s information can be compromised or held ransom.
Of course, if John Podesta’s email system was comprised due to some other reason say because his password was “password”… I have nothing really to add to that.
