In the just-released 2016 Black Hat Attendee Survey, phishing far and away topped the list of attack types that scare security professionals today. The survey of 250 Black Hat attendees took place at last week’s Black Hat conference in Las Vegas.
Asked which threats or challenges are of greatest concern to them, 46% of attendees chose “Phishing, social network exploits, or other forms of social engineering,” making it the top answer. Second on the list was “Sophisticated attacks targeted directly at the organization” at 43%. It happens that the majority of those sophisticated attacks depend on spear phishing as part of the attack lifecycle, typically as the entry point. Considering that the third item on the list sits at a mere 20% and the rest trail off from there, it is clear that phishing is a major concern for the enterprise security specialists who attend Black Hat.
Senior execs aren’t all that different, with sophisticated attacks in the top spot (33%), followed by industry and regulatory compliance (28%), and then phishing and other social engineering attacks (24%).
They expect this problem to continue as well. Asked to predict their main sources of concern in two years, not surprisingly, the Internet of Things jumped to the top at 28%. Next came espionage or surveillance by foreign governments or competitors, and sophisticated, targeted attacks, both at 24%, followed by phishing at 20%. Since attacks by foreign governments are simply another form of sophisticated, advanced attack, phishing plays its expected role there as well. That means three of the top four anticipated threats depend on phishing.
If we ask ourselves why phishing is such a problem for IT, we may find the answer in figure 5.
Survey respondents describe the weakest link in security as end users who violate security policy or are fooled by social engineering. I have discussed earlier on this blog how (and why) training employees not to fall for spear phishing attacks does not work in the absence of additional help for the end users. The responses to this question support the same conclusion.