Weak identity and authentication systems, vulnerable websites, and DDoS attacks are the other top cyber threats

Apr 21, 2016 15:30 GMT

In a meeting held in New York, representatives of law enforcement and governments from the US and the UK met to agree on a joint plan to tackle cyber threats, and their top priority for the foreseeable future will be phishing attacks.

The Global Cyber Alliance (GCA) was founded at the start of January this year, and on March 19 held its first Strategic Advisory Committee (SAC) meeting.

Here, founding members, who included representatives from the City of London Police, the New York County District Attorney's Office and the Center for Internet Security, agreed on a list of today's top cyber risks in order to develop joint strategies to counter their effects.

Phishing ranked top cyber threat, DDoS attacks ranked fourth

Based on their expertise, these three organizations ranked phishing attacks as today's greatest cyber threat, followed in order by risks arising from weak identity and authentication mechanisms, risks arising from vulnerable and compromised websites, and Distributed Denial of Service (DDoS) attacks.

Personally, we see vulnerable and compromised websites as a more dangerous threat, but we must also agree to disagree.

Just recently we've seen many compromised websites (frontends, backends, exposed network equipment) allowing attackers to gain a foothold on infected systems, from where attacks can then escalate. Phineas Fisher, the famous hacker who breached Hacking Team's servers last year, didn't use phishing for his attacks.

Nevertheless, our view on this topic may be skewed by our technical prowess in terms of cyber-security practices. Phishing, you see, while ineffective against a security expert, is quite effective against most regular people.

While companies may benefit from a security team to address their website security, you at home may not benefit from anti-phishing training, and this is where authorities need to step in and help.

GCA: DMARC usage needs to increase

In order to stop, or at least cut down, the number of phishing attacks, the GCA plans to promote the usage of the DMARC protocol, which makes it harder to spoof a sending domain. Further plans include the GCA promoting the usage of secure DNS practices, which will also impede basic spear-phishing attacks.
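To show what DMARC actually changes for a receiving mail server, here is an added example (not code from the GCA or from the article) that parses a domain's DMARC TXT record and runs the identifier-alignment check that decides whether a spoofed From: domain is let through. The records and domains are constructed, and the organizational-domain logic is simplified to the last two labels instead of a public suffix list lookup.

```python
"""Parse a DMARC TXT record and evaluate the alignment check that lets a
receiver decide whether a message's From: domain may be spoofed."""

# Constructed sample records for a hypothetical domain, not real DNS data.
# p=none only asks for reports; p=reject tells receivers to drop unaligned mail.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRICT_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=s; pct=100; rua=mailto:dmarc@example.com"


def parse_dmarc(txt):
    """Return the tag/value pairs of a DMARC record, or None if it is not one."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    # RFC 7489 defaults: relaxed alignment for both DKIM and SPF, apply to 100%.
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain):
    """Organizational domain, approximated as the last two labels (no PSL lookup)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict mode needs an exact match; relaxed mode accepts the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(record_txt, from_domain, spf_domain=None, dkim_domain=None):
    """Return (dmarc_pass, disposition) for one message.

    spf_domain is the domain whose SPF check passed (None if SPF failed);
    dkim_domain is the d= of a DKIM signature that validated (None if none did).
    """
    rec = parse_dmarc(record_txt)
    if rec is None:
        return None, "none"  # no policy published: receiver cannot enforce anything
    spf_ok = spf_domain is not None and aligned(spf_domain, from_domain, rec["aspf"])
    dkim_ok = dkim_domain is not None and aligned(dkim_domain, from_domain, rec["adkim"])
    if spf_ok or dkim_ok:
        return True, "none"
    return False, rec["p"]  # unaligned: the sender's published policy applies
```

A spoofed message that passes SPF for the attacker's own domain is still delivered under p=none, which is why publishing a reject policy, not merely a record, is what blunts domain spoofing.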

Law enforcement and government agencies are right to be worried about spear-phishing, as Rohyt Belani, co-founder and CEO of PhishMe, told Softpedia.

"Recent research shows that employee-targeted spear-phishing campaigns spiked a staggering 55 percent just last year in addition to the FBI’s recent warnings that phishing-related wire fraud scams have cheated businesses out of $2.3 billion since 2013.

"Those of us in the security industry realize these upward trends signify that attackers will continue targeting employees as a primary exploitation point as long as they’re experiencing continued success.

"Seeing law enforcement agencies and municipal governments working closely together to address and combat serious threats is encouraging. The recent announcement from the Alliance brings additional visibility to the dangers of phishing and reinforces that this attack vector is a top cybercrime concern."

Outside technical measures, employees need better anti-phishing training as well

Mr. Belani also warns companies not to rely solely on the technical side, and to spend time training their employees against common phishing practices.

"Although various technology layers are essential for a strong defense-in-depth strategy, security professionals must remember that empowering employees as a last line of defense is key in defeating spear-phishing threats," Mr. Belani also told Softpedia.

"As research proves, employees remain a primary target for infiltrating organizations since malicious emails are consistently passing through weak perimeter defenses and landing in staff inboxes. By effectively conditioning behavior and operationalizing human intelligence, organizations will be better equipped to identify, prioritize and respond to phishing and other key threats before attack payloads are delivered.

"Failure to embrace employees and human-generated intelligence as viable defensive layers in an organization’s security posture is akin to not having a line of defenders standing between the soccer goal and the opposition when the latter is taking a free kick."