Check out this screenshot. Even though this e-mail is recent, I've been getting this same style of e-mail for the last 20 years. The anatomy is the same: a recognizable logo, some sort of request telling me that I need to fill out some form, or pay the "site" a visit to update information, and of course, a convenient link for me to click. By now you should've recognized this screenshot as a classic phishing attempt.
A simple set of questions sprung in my head when I received this e-mail:
- In the last 20 years, hasn't the cybersecurity industry caught up to these phishing attacks?
- Aren't inboxes cluttered with emails from technology companies that claim they can help secure organizations against the latest advanced threats?
- Haven't organizations run thousands of education campaigns to make their employees more vigilant; to ensure their employees are adhering to good security practices?
If all this has been happening over the past 20 years, why does a simple phishing attack still exist?
The answer? The human is still the most fallible element in the security chain. It's relatively easy for a hacker to steal your credentials. It is an immutable fact: usernames and passwords in the hands of humans means that credentials, at some point, will be stolen.
To date, cybersecurity solution providers have focused on things like anti-virus, network, perimeter and application security. The last 20 years have brought incredible advancements in these technologies. Security is strong -- and getting better. But despite great advancements in cybersecurity, phishing for credentials still remains. It's like the common cold: simple, short, and debilitating to a human. And like the common cold, stolen credentials are inevitable. Once they are stolen, the security advancements of the last 20 years can be circumvented by simply misusing those stolen creds.
The industry tried to solve the problem of stolen credentials in the past, but kept running into the same wall - the user. As a result, we shifted priorities and secured other areas, always knowing that the keys to our secured fortresses were still in the hands of the average Joe.
It's time we return to solving that stubborn little problem called phishing by understanding how to take away its benefit from the attacker.
The great thing is, we don't have to invent something from scratch. The ingredients for the antidote have always existed. Every person has behavior, devices, biology, policies, process, context that we can use to identify them. What we need is reliable technology that helps us aggregate that information to not only confirm that the user typing the credentials is the user that's supposed to access, but does so in a way that it doesn't impose any change in the way the user interacts with his or her apps.
The way to truly stop the misuse of stolen credentials is to use adaptive access control with a foundation in security, so that when credentials are stolen, they will be rendered useless to the attacker.
To learn more how SecureAuth's adaptive authentication can eliminate identity-based threats, start at https://www.secureauth.com/adaptive.