The recent indictment by special counsel Robert Mueller of 12 Russian military intelligence officers for the hacking of Democratic servers and email accounts in 2016 is a powerful reminder: phishing works.
Regardless of where you stand politically, the idea that a simple phishing email can give one nation-state access to systems involved in deciding the future of another is downright scary.
We covered the attack in detail recently, but the action that started it all was a spearphishing campaign that, according to the indictment, targeted more than 300 people affiliated with the Clinton campaign, the DCCC and the DNC, with emails that led to credential-harvesting pages dressed up as legitimate security alerts. All attackers need today is a targeted audience, good timing and a believable email, in other words good context, and some recipients opening the message and clicking the link is all but certain.
Phishing is usually the entry point for ransomware (predicted to cause upwards of $11.5B in damages by 2019), cryptojacking and data breaches (with an average cost of $3.86M in 2018). Those losses are bad enough on their own, but the ease with which a nation-state can turn a phishing-based breach into an instrument of cyber-warfare should prompt a response from organizations everywhere.
One can only assume the DCCC had some degree of layered security in place, and yet the phishing attacks against it still succeeded. Technical controls can filter, flag and slow a phishing email, but the attack cannot complete without a user acting on it, so the weakest link here is the user.
The only way to "patch" the user and their lack of defenses is to engage them with new-school security awareness training: training paired with regular simulated phishing tests, so you can verify that users are not falling for common tactics and that staying security-minded becomes a normal part of doing their job.