September 29, 2017

Technology giving companies a false sense of security, says F-Secure Red Team

Overconfidence in technology is leaving companies exposed to phishing and other attacks that prey on humans, as evidenced by red team tests where 52% of employees clicked on a link in a fake email.

Buckinghamshire, UK – 22nd March 2017: Attackers consistently prey on companies that have what cyber security experts call a “false sense of security” when it comes to relying too much on technology to defend their networks. The warning comes from a spokesperson for F-Secure’s red team – a group of cyber security experts specialising in ethically attacking organisations to highlight strengths and weaknesses in their security.

 

“Using technology to solve human problems just doesn’t work, and anyone telling you different is selling magic beans,” said Tom Van de Wiele, principal security consultant at F-Secure. “Real-life attackers, especially criminals, live off perfecting subtle social engineering tricks that trick human beings into letting their guard down. And letting employees believe that cutting edge security technologies will handle everything gives a false sense of security, which is something today’s attackers are counting on.”

 

Gone phishing

 

Phishing exemplifies what Van de Wiele says are failings related to overconfidence in technology. According to PwC’s Global State of Information Security Survey 2017*, phishing was the #1 vector for cyber attacks targeting financial institutions in 2016. And based on the spread of managed phishing-as-a-service bundles on the dark net**, these attacks are likely to become more prevalent going forward.

 

“You’d be amazed by what people click on while they’re working. They’re not stupid, just caught off-guard, not necessarily expecting to be duped,” said Van de Wiele. And indeed, simulated phishing attacks have high success rates in F-Secure’s Red Teaming Tests.

 

For example, in a recent job, F-Secure red team experts sent out a fake LinkedIn email to see how many of the client organisation’s employees would click on a link in an unsolicited email. 52 per cent of employees clicked. In another test, F-Secure’s red team created an email leading to a fake portal where employees would need to log in using their domain credentials. 26 per cent of recipients followed the email link to the portal, and 13 per cent actually entered their login credentials.

 

Nothing is off limits

 

The Red Teaming Tests Van de Wiele and his colleagues conduct involve a comprehensive series of tests designed to highlight what companies are doing right and wrong when it comes to security. The tests challenge companies to successfully detect, contain and respond to simulated cyber attacks intended to steal financial data and intellectual property, or control key parts of a company’s IT infrastructure.

 

According to Van de Wiele, these tests often surprise companies by revealing just how exposed they are. “Internal views of security rarely match the weaknesses attackers actually see,” he said. The tests encompass a company’s entire attack surface, not just digital but physical too – or anything under the company brand.

 

“Many companies are surprised when we gain access to offline servers, as many CISOs are unprepared to deal with an attacker who gains physical access to their company’s premises. And that’s surprisingly easy to do: All you need is a safety vest and physical work order. Safety vests are better than Harry Potter’s invisibility cloak. Put it on and you can get anywhere, no questions asked.”

 

With Red Teaming Tests, organisations can:

 

  • Ensure that security controls are working and are aligned with their intended function
  • Measure the return of cyber security investments
  • Obtain an overview of how efficiently core assets or intellectual property are protected
  • Clarify if security processes need to be updated or if more security awareness training is required
  • Raise IT security awareness within relevant departments
  • Ensure that security monitoring works as intended
  • Test their ability to contain an attack

 

-ends-

 

 

*Source: http://www.pwc.com/gx/en/issues/cyber-security/information-security-survey/financial-services-industry.html

**Source: http://www.theregister.co.uk/2016/12/07/phishing_as_a_service/

 

More Information:

F-Secure Red Teaming Tests

Video: Let us in. Keep them out.

 

About F-Secure

Nobody knows cyber security like F-Secure. For three decades, F-Secure has driven innovations in cyber security, defending tens of thousands of companies and millions of people. With unsurpassed experience in endpoint protection as well as detection and response, F-Secure shields enterprises and consumers against everything from advanced cyber attacks and data breaches to widespread ransomware infections. F-Secure’s sophisticated technology combines the power of machine learning with the human expertise of its world-renowned security labs for a singular approach called Live Security. F-Secure’s security experts have participated in more European cyber crime scene investigations than any other company in the market, and its products are sold all over the world by over 200 broadband and mobile operators and thousands of resellers.

 

Founded in 1988, F-Secure is listed on the NASDAQ OMX Helsinki Ltd.

 

f-secure.com | twitter.com/fsecure | facebook.com/f-secure

F-Secure media relations 

Geoff Dorrington

PR manager, F-Secure UK & Ireland

E: geoff.dorrington@f-secure.com

T: 01753 376592

 

 ###

 

