The results are in! According to the 156 participants --our “selection committee” --in Core Security’s March Madness-inspired Attack Intelligence bracket, phishing is the most dangerous security threat. AWESOME BABY! (Channeling our best Dick Vitale) To be honest, I was a bit surprised at the results. Not Mercer-upsetting-Duke surprised, but more like Harvard-beating-Cincinnati surprised.
Some color commentary on the results:
I’m impressed with the participants. The Final Four security threats covered a wide-range of attacks and concerns:
- Zero days – highly technical, “keep you up at night” attacks
- Web attacks – bypass network defenses and get to the data...and also “keep you up at night” attacks
- Malware/unpatched systems – too many systems, too many vulnerabilities, too little time
- Phishing – the winner and deemed the most dangerous threat
Phishing, or any attack against the user and identity, is scary because if an attack is successful and compromises an identity, it isn’t just a matter of hacking any more – it’s basically logging in. Or think of it this way: How are your outsourced or cloud or internet-facing services looking if bad guys have a good guy’s identity?
End-user security awareness lost in the first round. I’m shocked! This is especially surprising because phishing, another attack on the user, won the whole thing. Does this imply that the participants believe phishing can be best addressed with technical solutions? I thought end-user security awareness would be a bit higher because educated users can help reduce the downstream risk of a few areas: BYOD and password practices, as well as phishing.
Also, inadequate security budget lost in the first round to insider threats. I didn’t see this coming, as I would have assumed this would be a long-shot favorite.
How’s your bracket?
Core Security’s own seeding of the threats is below. We had three of the Final Four correct, but had security misconfiguration beating malware/unpatched systems to take it all.
- Security Misconfiguration (defaults, gaps)
- Web attacks (CSRF, XSS, injection)
- Zero day attacks
- Malware / unpatched-systems
- Skilled IT Cybersecurity shortage (lack of trained professionals to fill cybersecurity positions)
- End-User security awareness
- Weak password practices
- Easy egress (USB, file transfer apps)
- Insider threat
- Advanced persistent threats
- Inadequate security budgets
- Man-in-the-middle attacks
- Nation State actors
- Weak encryption algorithms
So what do you think? Did the community get it right?