Reply to post:

VCs find exciting new way to blow $1m: Wire it directly to hackers after getting spoofed

Pier Reviewer

“yet again proving that the real hackers go after people - Social Engineering 101”

Rarely a truer word said. 99% of external infrastructure engagements we do result in breach (i.e. access to the internal network). The other 1% refuse to include O365, S4B, Outlook Web Access, VPN endpoints etc. in the scope :)

It’s not about 0-days. It’s a numbers game. Someone in your organisation has a $#!% password. Just a matter of finding who. A bit of OSINT, a bit of time (usually a few hours, occasionally a day or two) and you’ve got shell. Bit slower if you care about not being detected.

Plenty of talk of encryption etc to fix this problem, when mandating MFA and a half decent password policy + training will make the attacker’s job hundreds of times more difficult.
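The "numbers game" the commenter describes, a few password guesses spread across many accounts on an externally reachable login endpoint, leaves a recognisable trace in authentication logs: one source address failing against many distinct users in a short window, occasionally followed by a success. The following is an added example, not code from the commenter or The Register, showing how a SOC could flag that pattern and raise severity when a success follows the failures. The log lines and the `user=`/`src=`/`svc=` field names are constructed for illustration; the window and threshold values are assumptions to tune against real volume.

```python
"""Password-spray detector over constructed authentication logs.

Added example (not part of the original comment). Flags a single source
address failing logins against many distinct accounts within a window,
and marks the finding critical if that source also logged in
successfully inside the same window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <result> user=<name> src=<ip> svc=<service>".
# 203.0.113.9 walks through five accounts and then lands on "frank";
# 198.51.100.4 hammers one account (a different pattern, not a spray);
# 192.0.2.77 is a lone failure (noise).
SAMPLE_LOG = """\
2021-03-01T09:00:01Z FAIL user=alice src=203.0.113.9 svc=owa
2021-03-01T09:00:03Z FAIL user=bob src=203.0.113.9 svc=owa
2021-03-01T09:00:05Z FAIL user=carol src=203.0.113.9 svc=owa
2021-03-01T09:00:07Z FAIL user=dave src=203.0.113.9 svc=owa
2021-03-01T09:00:09Z FAIL user=erin src=203.0.113.9 svc=owa
2021-03-01T09:00:11Z OK   user=frank src=203.0.113.9 svc=owa
2021-03-01T09:02:00Z FAIL user=alice src=198.51.100.4 svc=vpn
2021-03-01T09:02:30Z FAIL user=alice src=198.51.100.4 svc=vpn
2021-03-01T09:03:00Z OK   user=alice src=198.51.100.4 svc=vpn
2021-03-01T11:30:00Z FAIL user=gina src=192.0.2.77 svc=owa
"""


def parse_line(line):
    """Parse one constructed log line into a dict (field names are assumed)."""
    parts = line.split()
    ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    fields = dict(p.split("=", 1) for p in parts[2:])
    return {"ts": ts, "result": parts[1], **fields}


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Return one finding per source that failed against >= min_users
    distinct accounts inside `window`. Severity is "critical" when the
    same source also has a successful login within that window."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "FAIL"]
        start = 0
        # Sliding window over this source's failures, oldest to newest.
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in fails[start:end + 1]}
            if len(users) < min_users:
                continue
            lo, hi = fails[start]["ts"], fails[end]["ts"] + window
            successes = sorted({e["user"] for e in evs
                                if e["result"] == "OK" and lo <= e["ts"] <= hi})
            findings.append({
                "src": src,
                "users": sorted(users),
                "successes": successes,
                "severity": "critical" if successes else "high",
            })
            break  # one finding per source is enough for an alert
    return findings


if __name__ == "__main__":
    for f in detect_spray(parse_log(SAMPLE_LOG)):
        print(f"[{f['severity']}] {f['src']} tried {len(f['users'])} accounts; "
              f"succeeded as: {', '.join(f['successes']) or 'none'}")
```

The per-source, distinct-user grouping is the point: a lockout policy keyed on failures per account never fires on a spray, because each account sees only one or two attempts. Note that the single-account pattern from 198.51.100.4 is deliberately not reported here; that is the classic brute-force signature and is what per-account lockout already catches.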


Biting the hand that feeds IT © 1998–2021