These days I have been reading more and more about sophisticated cyber attacks. There are agencies that report cyber attacks as state of the art – too awesome to detect. But these news stories start with a pointer to vectors like “spear phishing”, a “social media privacy leak” or plugging in an “unknown USB”.
Now, to me this is weird, because I don’t think any of these vectors point to “sophistication” in my cyber dictionary. Come on, fellas, we have all been there, done that. An article on Wikipedia says -
This (Spear Phishing) technique is, by far, the most successful on the internet today, accounting for 91% of attacks.
When I see the news and blogs documenting a cyber attack, and they talk of a malicious email, a USB found somewhere, or a person pwned via his personal account or personal computer – I think we are not learning from our mistakes. We have to agree that you were careless when you opened that email, plugged in “some” USB, or visited some dubious website. I mean, how many times have we sat through this training in Security Class 101?
If you don’t know it -> don’t trust it -> you must not open it.
Alas, we have to address the fact that the human is still the weakest link in cyber defense and needs awareness. We are making machines smarter and smarter, every day trying to defeat humans - Turing tests, chess games, Rubik’s cube. But, oh human - you are letting your own intellect wither away. And studies have shown it.
So attacks like Stuxnet, the RSA breach, etc. all started with very naive vectors tied to direct human error. Very few, like the hospital cyber attack last week, had a catch to them: the attackers probably used the Heartbleed vulnerability to break in and steal information.
A recent article on an information leak related to the doomed MH370 states -
“Sophisticated” malware was sent to officials involved in the search disguised as a news story claiming that the plane had been found, The Star reported. Around 30 computers were compromised. [Reference: Telegraph News]
Malware that anti-virus solutions couldn’t detect was sent via email. Users sitting in a critical secured zone, handling the documents, just opened that email and got pwned.
I absolutely agree about the sophistication of the malware; it definitely would have been custom code out of someone’s arsenal (bypassing AV is well known). But still, why trust and open the email? Moreover, with such confidential data on your premises – is it not essential to have no internet access on such machines? And even so, why open attachments without validating the source of the email? So either tell me that it was not as documented by the media, or else do not call it sophisticated.
In most cases, the sophistication starts with the fact that some human sitting at the terminal messed it up!
That gives the attackers leverage to go full throttle. We still have miles to go to spread the right awareness, and the right means of educating the weakest link. And for the media, any report that has words like Chinese, APT or cyber attack falls under the sophisticated category. Sometimes I wonder whether the attackers chuckle when they read news of their naive attack being termed sophisticated. I hope not.
Feel free to comment your views.