In this post, I wanted to take a break from telling you what *I* think the things that should keep you awake at night (at least from an information security point of view) are – I wanted to see what other paranoid folks are worrying about when it comes to cybersecurity.
This chart shows what the European Network and Internet Security Agency (ENISA) has highlighted as the top Internet security threats for 2017 and 2018. One of the things I like about the ENISA report is that it draws on their research as well as a whole bunch of other threat reports from varied sources, providing a good summary of the things that should be keeping security professionals awake at night.
Some interesting takeaways from the report…
- Having malware in the top spot in both years is not really a surprise. According to ENISA’s statistics, 92% of malware is delivered to victims by email. For various technical reasons, attackers are tending to increasingly use attached files rather than malware to deliver their payloads. Being careful about what links you click and what files you open is clearly the number one way you can protect yourself from the majority of security threats you are likely to face.
- Phishing attacks are becoming more targeted and customized, which makes it more difficult to identify malicious emails. Attackers are doing their homework, harvesting information from social media profiles, company web sites and other public sources of information to make their messages seem more plausible. Gone are the days of phishing messages in broken English promising riches from Nigerian princes. When looking at an email message, you need to think of its context – were you expecting this message from this person? Does it make sense? Does it sound just too good to be true? Your common sense is your most important security defense.
- Malicious web browser extensions are being used by more and more attackers. While many web browser extensions are very useful, installing a malicious extension gives it access to all of the data that your browser can access, which is to say “a LOT.” Before installing any web browser extensions, take a look at this article, which provides tips on how to recognize and avoid the ones that can cause security breaches.
- You want some good news? According to ENISA, the percentage of email that is spam has dropped dramatically – from 85% of messages in 2008 to 39% of messages in 2017. ENISA also states that ransomware attacks have dropped by 30% over the past year, with attackers turning to “cryptojacking” attacks to generate revenue instead. I’m not so sure about this one – reports of ransomware attacks on businesses and especially governments seem to be on the rise here in the US. It would be nice if this were accurate – while cryptojacking saps computer resources, at least it doesn’t destroy data.
While there have been a number of changes to the order of the threats on the ENISA list, it is interesting to note that cryptojacking is the only new addition for 2018. Attackers are using the same old techniques because they work – organizations are still leaving the same security vulnerabilities ripe for the picking and attackers are combining “tried and true” techniques with an increasing awareness of the role that “hacking the human” can play in keeping these techniques useful.