Phishing campaigns: how scammers keep hooking victims
Phishing is a classic method of stealing passwords and confidential user data, and it still works.
Employees still find phishing emails hard to spot: in almost three-quarters of companies, staff handed over passwords when tested by a security firm.
The security consultancy Coalfire tested 525 companies for their susceptibility to a range of hacking techniques and security vulnerabilities. It found that employees in 71% of those businesses gave up access credentials when targeted by phishing attacks from Coalfire's penetration testers, up from 63% last year.
In 20% of the companies tested, more than half of the employees shared their login details, compared with only 10% last year.
Coalfire conducted 623 penetration tests in the US, Europe and the United Kingdom, with the aim of simulating a series of cyber attacks to assess how well companies could withstand them.
Weak passwords, insecure internal procedures (such as inadequate file access restrictions and a lack of staff training) and the use of outdated software were the three most common vulnerabilities discovered during testing.
"Many companies are taking steps to update their security infrastructure, particularly as they migrate more systems to the cloud, but they still don't address some of the fundamentals," said Andrew Barratt, managing director of Coalfire in the United Kingdom.
Overall, companies exhibited fewer high-risk vulnerabilities than in last year's penetration tests, probably because the shift to cloud computing reduces the need to secure and maintain on-premises infrastructure. The tests did, however, also find misconfigured cloud security settings.
"Many mistakenly believe that cloud adoption automatically means accepting more risks, but this is only true if done wrong," said Mike Weber, vice president of Coalfire Labs.