WannaCry ransomware has attacked companies in more than 100 countries, shutting computer systems down until a ransom is paid in Bitcoin. It’s the largest cyber attack recorded to date.
The cause of this weekend’s cyber attack is still under investigation, but researchers have already begun to examine email as a possible culprit. Email-based phishing attacks have become a favorite of cybercriminals, and phishing is now the primary entry method for hackers accessing organizations, according to a recent Symantec security report.
“Ninety-five percent of the events over the past year, from Sony to the U.S. and French national elections, have all started with phishing,” says Oren Falkowitz, co-founder and CEO of Area 1 Security.
Falkowitz, who previously worked as an analyst for the National Security Agency (NSA), discussed the state of email security in a conversation with Email Marketing Daily.
Falkowitz argues that current security solutions are largely not addressing the core of the phishing problem because they are reactive in nature. They focus on the later stages that come after phishing, addressing such issues as malware and ransomware.
Legacy security solutions, like firewalls or spam engines, also do not specifically focus on phishing.
“Phishing and spam are very different types of problems,” says Falkowitz. “Phishing doesn’t just exist on email, but spam does. Spam is also about bulk email -- it’s about un-wantedness as opposed to maliciousness.”
The 2-3% of messages that still land in the inbox cause 100% of the damage, he says.
Email authenticity protocols, like DMARC, DKIM and SPF, are also insufficient checks to stop phishing.
“The problem is that senders of phishing emails can easily get their messages properly verified,” says Falkowitz. “Anyone can set up their own Google domain and authenticate it themselves.”
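The point above, as an added example that is not from the article or from Area 1 Security: a message sent from a freshly registered lookalike domain passes SPF, DKIM and DMARC cleanly, because those protocols only prove the sender controls that domain, and it is a separate brand-lookalike check on the From domain that flags it. The message, the domain names and the PROTECTED_DOMAINS list are constructed for illustration.

```python
import email
from email import policy
from difflib import SequenceMatcher

# Constructed sample (not a real message): a lookalike domain whose owner set up
# SPF, DKIM and DMARC correctly, so the receiving MTA recorded a pass for all three.
RAW_MESSAGE = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=privatebank-secure.example; dkim=pass header.d=privatebank-secure.example; dmarc=pass header.from=privatebank-secure.example
From: "Private Bank Alerts" <alerts@privatebank-secure.example>
To: customer@example.net
Subject: Action required: verify your account

Please sign in at the link below to keep your account active.
"""

# Hypothetical brand domains a defender wants to protect against impersonation.
PROTECTED_DOMAINS = ["privatebank.example"]


def auth_results(raw):
    """Return {method: result} from Authentication-Results, e.g. {'spf': 'pass', ...}."""
    msg = email.message_from_string(raw, policy=policy.default)
    results = {}
    # The first ';'-separated field is the authserv-id; the rest are method=result clauses.
    for clause in msg["Authentication-Results"].split(";")[1:]:
        method, _, rest = clause.strip().partition("=")
        results[method] = rest.split()[0]
    return results


def lookalike_of(domain, protected, threshold=0.8):
    """Return the protected domain this one imitates, or None if it is exact or unrelated."""
    if domain in protected:
        return None
    label = domain.split(".")[0]
    for brand in protected:
        brand_label = brand.split(".")[0]
        if brand_label in label or SequenceMatcher(None, label, brand_label).ratio() >= threshold:
            return brand
    return None


def assess(raw, protected=PROTECTED_DOMAINS):
    # Authentication only says the sender controls the domain; the lookalike check adds intent.
    results = auth_results(raw)
    domain = email.message_from_string(raw, policy=policy.default)["From"].addresses[0].domain.lower()
    return {
        "authenticated": all(results.get(m) == "pass" for m in ("spf", "dkim", "dmarc")),
        "from_domain": domain,
        "lookalike_of": lookalike_of(domain, protected),
    }
```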
Consumer education has also failed to address the issue.
“It just doesn’t make any sense to blame the user,” says Falkowitz. “It’s like rather than just taking the flu vaccine, you just try to dodge people sneezing. Anyone is likely to click on something. You can’t expect humans to be 100% perfect all the time.”
Successful social engineering scams are thoughtfully researched and designed, not just in an email’s content, but also on the Web page that the email directs to. Emails can be sent in milliseconds, but building a Web site is a much longer process. It is not something that can be done in minutes, and that time can be used as a defensive opportunity to protect users.
“We recognize phishing is not just an email problem,” asserts Falkowitz. “It’s an email, Web and network problem.”
Area 1 Security is a cloud-based software-as-a-service security solution that uses a variety of techniques, including an active sensor network, visual analytics and machine learning, to eliminate phishing threats before they land in the inbox.
The company can recognize when images such as a brand logo are spoofed and used out of place on the Internet. For example, if an attacker wants to phish financial username and password information, they will first need to build a Web site designed to look like a private bank. Area 1 Security can identify the Web site as potentially malicious in its infancy, inoculating its customers from that threat.
Falkowitz recommends that organizations of all sizes assume they will one day become the victim of a cyber attack.
“Attackers don’t need to hack Visa or American Express to retrieve critical financial information,” says Falkowitz. “They can go after fast-food restaurants or retail chains because they have the same information. Hackers are great at finding the weakest link in a chain to achieve the same desired goal.”