Perhaps security controls are stupid and not the victims they fail to protect
I gave my email address to a security company so I could download their security report recently — mostly because a few of their tweets attracted my attention to serious flaws in their thinking — which I believe has a serious ripple effect that results in more security breaches. Today, I received an unsolicited email from them with the subject “Modern email attacks blocked with behavioural AI” and felt I needed to put them straight (I intend to email them a link to this article).
I won’t unbundle their entire email because I don’t have the time to write it, and you don’t have the time to read it. But I take issue with the paragraph below — I see it often from major security vendors — and we wonder why every year since 2016 has been recorded as the worst year on record for phishing — despite the fact that phishing was first discovered inside emails, chatrooms and IM on the AOL network in 1996 — none of this is “modern” — at least not by my standards. This is embarrassing.
Modern email attacks like phishing, ransomware, impersonation, and supply chain compromise are evading current email security infrastructures.
Modern email attacks are evading email security infrastructure because most vendors don’t know what phishing is, let alone know how to stop it — as strange as that might sound, it’s true. This is proven with data — 90% of all cyberattacks involve phishing.
Phishing is the practice of impersonating people and organizations on the Internet. Phishing does not equal to a desired outcome. This means EVERY email (or any form of communication inside any channel, on any device for that matter) that comes from an attacker who’s impersonating another person or entity, is a phishing email — there is no other name for it. Their desired outcome doesn’t change this classification. Or at least, it shouldn’t. Smishing is just phishing by another name. Vishing is phishing by another name. I’m sure someone will coin a phrase for the metaverse — don’t be surprised if a new solution comes out for “mishing”.
You can’t divide phishing emails into Phishing, Ransomware, and Impersonation categories — because that means we’re saying emails that are used to spread ransomware, are not phishing emails. And how can we have non-phishing emails that are used for “impersonation” — when phishing IS the act of impersonation?!
Why is this important?
When speaking to people who don’t know better (including security professionals who don’t specialize in anti-social engineering as I do, they assume they need an anti-ransomware solution for emails that are used to spread ransomware — it doesn’t cross their minds that they need an anti-phishing solution to block phishing emails before harm can be done. If criminals were constantly walking through the front door of big homes and businesses, we’d probably focus most of our attention on stopping them at the door. But in the context of cybersecurity, we’re blaming every person who allows impersonators through the front door, without asking how we can make it easier for them to spot an impersonator. And despite the fact that some of the world’s smartest people are allowing them in, we’re still calling them “stupid”. Perhaps security controls are stupid for failing to do what they were designed to do.
Would you buy motion sensors, a safe, indoor cameras, guard dogs, and [insider other security products here] if you could stop impersonators from walking through the front entrance? The front entrance is a chokepoint in the same way that a message is the front entrance in phishing.
All that being said, a layered approach is advised. Everyone’s exposure to risk is different, and everyone’s threat vector or areas of weakness is different. It’s wise to make provisions should anti-phishing security fail and it’s wise to implement different kinds of security — not just anti-phishing — Why phishing is not sophisticated and certainly not new