Hackers so far ahead of defenders it's not even a game

Cybercriminals are way ahead of the game against defenders without having to try anything new, according to the latest edition of Verizon's benchmark survey of security breaches. The study shows that miscreants have no need to switch up, because the same old tactics are still working fine. Security defenders are still …

  1. Anonymous Coward

    ηβπ?

    3,141 confirmed data breaches last year

    Really? Are they sure it wasn't 3,1415926?

    P.S. I want my HTML in the title!

    1. Brewster's Angle Grinder Silver badge

      ηβπ

      (See title.)

  2. Ole Juul

    Hackers vs Boneheads

    Companies are unable to change anything to do with computing. Having the latest shiny and concern with how things appear to each other is more important to them than how it looks to a hacker.

  3. MachDiamond Silver badge

    Bad Grammar

    One of the dead giveaways of a phishing email is often very bad grammar and spelling. Maybe more people getting lured into opening phishing links is due to the declining competence in language skills.

    And, of course passwords are weak! We're being told to change them 3x/day and I, for one, am not all that creative first thing in the morning.

    1. Anonymous Coward

      Re: Bad Grammar

      > often very bad grammar and spelling

      That was then. Nowadays you have very good grammar, excellent spelling, use of first names and use of the company logo in the footer.

    2. Ole Juul

      Re: Bad Grammar

      Bad grammar, intentional or not, provides an excellent filter for the perps. People who see that as a sure sign of phishing get eliminated right away and the remaining people are more likely suckers.

    3. Vic

      Re: Bad Grammar

      One of the dead giveaways of a phishing email is often very bad grammar and spelling

      But not always.

      I've had a bunch of phish emails lately which look *very* much like genuine LinkedIn invitations. And if they'd sent the emails to an address I'd ever given to LinkedIn, I might[1] have been taken in...

      Vic.

      [1] I wouldn't - but that's because I'm paranoid. If ever I get an email that wants such data from me, I always check the headers first. Most people don't, of course...

      1. Adrian 4

        Re: Bad Grammar

        I chuck the linked-in invitations out even faster than the phishing emails.

        1. allthecoolshortnamesweretaken

          Re: Bad Grammar

          "I chuck the linked-in invitations out even faster than the phishing emails."

          But how can you tell them apart?

          Oh, right... never mind!

    4. Michael Wojcik Silver badge

      Re: Bad Grammar

      Maybe more people getting lured into opening phishing links is due to the declining competence in language skills.

      And counting upvoters that's five people who can't be bothered to look at the research. Well, that's hardly surprising.

      For random phishing, implausible stories and non-standard language use improve the attackers' ROI, as Herley demonstrated years ago. What's more, many (possibly most) of the victims of random-phishing attacks are well-educated middle-class users who are perfectly capable of recognizing non-standard language when they encounter it. They're not deterred because they fall prey to greed and various cognitive fallacies - again, as various researchers have shown.

      In any case, random phishing is a bottom-feeder attack, and not what we're primarily talking about here.

      Spear phishing is usually what's used to gain access to internal networks, and those messages tend to be well-crafted, both in general usage and editing, and in referring to organizational specifics like employee names. And spear phishing has about a 90% success rate against a targeted organization with at least ten message recipients, according to some studies.

      But, yes, blame the user. That'll fix the problem.

  4. Anonymous Coward

    Don't remind me!

    "Many victims have single-factor access into parts of their network even if they think otherwise"

    I don't even think otherwise.

    You know this will be so forever when you are in a C-level meeting about "IT problems and strategy" and the first that happens is that the CFO complains that his Windows is getting slower and no-one is upgrading his laptop.

    1. Doctor Syntax Silver badge

      Re: Don't remind me!

      "the CFO complains that his Windows is getting slower and no-one is upgrading his laptop."

      Probably the best option would be to collect his laptop first thing every morning for its daily update. The daily update would be so exhaustive that it would only be ready to return to him last thing at night.

  5. jake Silver badge

    "Cybercriminals are way ahead of the game against defenders"

    Part of the problem is manglement thinking "cyber" means "something terrifying".

    "without having to try anything new"

    Part of the problem is manglement refusing to pay for anything newer than 1980.

    "according to the latest edition of Verizon's benchmark survey of security breaches."

    Ah, yes. Verizon. That benchmark of secure providers.

    1. Michael Wojcik Silver badge

      Part of the problem is manglement thinking "cyber" means "something terrifying".

      Hell, part of the problem is using the prefix "cyber" for anything other than "cybernetics". Or for "cybernetics", for that matter, when it's not used in a technically accurate sense.

  6. Anonymous Coward

    I will openly admit

    to being one of those people that opens attachments (after taking some precautions) because I like to respond to the phishing attempt with "real" details.

    So if I get a "your PayPal account is locked" email, I will happily fill it in with real but false data.

    Credit card numbers that pass the Luhn test are readily available from dark coding, a bank sort code is easily invented, as is an account number. A plausible name and address doesn't take much imagination to conjure up.

    They must spend hours typing in the details just hoping that they made a small error inputting the data.

    If all of us with the know-how did this, phishing attacks would not be worth the effort as they would drown under the deluge of seemingly real data.

    1. Brewster's Angle Grinder Silver badge

      Re: I will openly admit

      You could write a bot and single handedly bury them.

      1. Anonymous Coward

        Re: I will openly admit

        Sadly, my programming skills start and end at:

        10 Print "cornz was here";

        20 cls

        30 goto 10
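The Luhn check the comment above relies on, worked through as an added example (this is not the commenter's code, nor the generators they refer to; the prefix and seed are arbitrary): the checksum itself, the check digit that makes an arbitrary prefix pass, and a demonstration of what Luhn does and does not guarantee.

```python
import random


def luhn_checksum(digits: str) -> int:
    """Luhn sum mod 10 over a digit string that already includes its check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10


def luhn_valid(pan: str) -> bool:
    """True if the digit string (spaces allowed) passes the Luhn check."""
    pan = pan.replace(" ", "")
    return pan.isdigit() and len(pan) >= 2 and luhn_checksum(pan) == 0


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes partial + digit pass luhn_valid."""
    return str((10 - luhn_checksum(partial + "0")) % 10)


def make_pan(prefix: str, length: int, seed=None) -> str:
    """Random digit string of the given length starting with prefix and ending
    in a valid Luhn check digit. Deterministic for a fixed seed."""
    rng = random.Random(seed)
    body = prefix + "".join(str(rng.randrange(10))
                            for _ in range(length - len(prefix) - 1))
    return body + luhn_check_digit(body)


def detects_all_single_digit_errors(pan: str) -> bool:
    """Luhn catches every single-digit substitution: mutate each position to
    each other digit and confirm none of the results still validates."""
    pan = pan.replace(" ", "")
    for i, ch in enumerate(pan):
        for sub in "0123456789":
            if sub != ch and luhn_valid(pan[:i] + sub + pan[i + 1:]):
                return False
    return True


if __name__ == "__main__":
    print(luhn_valid("4111 1111 1111 1111"))          # True
    print(make_pan("4", 16, seed=1), luhn_valid(make_pan("4", 16, seed=1)))
    print(detects_all_single_digit_errors("4111111111111111"))
```

The point for anyone on the defending side is that Luhn is a typo detector, not proof of anything: a form that accepts a number because it passes Luhn has checked only that the user did not mistype it, which is exactly why a bot feeding such numbers to a phishing form is indistinguishable from a victim until the number is actually charged.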

  7. Cuddles

    PEBCAK

    Unsurprisingly, the conclusion from all this is that worrying about technology, arms races, and so on is completely pointless because by far the biggest problem remains the fact that people are stupid. It's all very well saying that hackers are ahead of defenders, but as long as people are desperate to throw all their credentials and personal information at anyone and everyone who asks for them, there's not really a lot said defenders can do.

    1. Michael Wojcik Silver badge

      Re: PEBCAK

      People have always been stupid, and presumably always will be, so no one should ever try to address any problem, ever.

  8. amanfromMars 1 Silver badge

    Poisoned Chalices on the Righty Rocky Road to Nowhere Worthwhile

    Security defenders are still performing poorly in their attempts to defend against hacking or malware-based attacks. This isn't for a lack of trying or skills on their part, but almost completely down to the fact that the game is rigged against them.

    Defending the indefensible and inequitable is always a rigged game which defenders are never ever going to win and the harder they attack the easier and the quicker they are securely defeated and disgraced. It is thus wise to try and understand what you are being contracted to defend, for the truth in right dodgy cases is never presented and always hidden from scrutinuous and inscrutable view.

    1. Anonymous Coward

      Re: Poisoned Chalices on the Righty Rocky Road to Nowhere Worthwhile

      > securely defeated and disgraced

      Lovely.

  9. Jimbo 6

    Defender

    Now, THAT was a proper game... peow ! peow ! peow ! (sigh...)

    Sorry, what was everyone else talking about ?...

  10. Crisp

    Will management start to invest in security?

    No. We really really need this feature right now and everyone needs to be able to use it. Can't you just stick a simple plaintext password on it for now and we'll come back to it later when we've got more time...

  11. FinancialAnalytics

    In DREAMS!! ALL the hacks IS YANKS!!

    Read 'em and weep, but ALL the hacks of ANY hackyness ARE THE YANKS!! Chinese denial hacks don't even touch them!! That's how it is and THAT'S why we're ALL the better off for it!!
