Phishing catches victims ‘in minutes’
From the post:
It takes 82 seconds for cyber-thieves to ensnare the first victim of a phishing campaign, a report suggests.
Compiled by Verizon, the report looks at analyses of almost 80,000 security incidents that hit thousands of companies in 2014.
It found that, in many companies, about 25% of those who received a phishing email were likely to open it.
“Training your employees is a critical element of combating this threat,” said Bob Rudis, lead author on the report.
Threat spotting
Tricking people into opening a booby-trapped message let attackers grab login credentials that could be used to trespass on a network and steal data, the report said.
“They do not have to use complex software exploits, because often they can get hold of legitimate credentials,” Mr Rudis said.
…(emphasis in original)
You might be tempted to quote this story on phishing but I wouldn’t. Not without looking further.
When I read “…a report suggests…,” without a link to the report, all sorts of alarms start ringing. If there is such a report, why no link? Is the author fearful the report isn’t as lurid as their retelling? Or fearful that readers might reach their own conclusions? And for that matter, despite being “lead author” of this alleged report, who the hell is Bob Rudis? Not quite in the same class as Prince or the Queen of England.
None of which is hard to fix:
Verizon 2015 PCI Compliance Report
Bob Rudis took a little more effort but not much: Bob Rudis (Twitter), not to mention being the co-author of: Data-Driven Security: Analysis, Visualization and Dashboards (review). That effort is repaid by finding an R blogger and author of a recent security analysis text.
When you read the report, to which the BBC provides no link, you discover things like:
Incentives (none) to prevent payment fraud:
Page 4: The annual cost of payment fraud in 2014 was $14 Billion.
Then Page 5 gives the reason for the lack of incentive to combat the $14 Billion in fraud: total card payments are expected to reach $20 Trillion.
In other words:
20,000,000,000,000 – 14,000,000,000 = 19,986,000,000,000
Hardly even a rounding error.
BTW, the quote that caught my eye:
More than 99% of the vulnerabilities exploited in data breaches had been known about for more than a year, Mr Rudis said. And some had been around for a decade.
does not occur in the Verizon report, so one assumes it came from an interview with Mr. Rudis.
Moreover, it is a good illustration of why a history of exploits may be as valuable as, if not more valuable than, the latest exploit.
None of that was particularly difficult but it enriches the original content with links that may be useful to readers. What’s the point of hypertext without hyperlinks?