Non-technical people are favorite targets for malicious hackers, from data-dealing crime rings to targeted corporate espionage attacks.
As we've seen in far too many recent instances where difficult, large targets have been infiltrated and bled from within over a period of time, sometimes all it takes is one person clicking the wrong thing at the right time.
Oftentimes, these fateful entry points are created by people who have no idea what's going on; non-technical employees (or even executives) who serve as an unwitting vector for exploitation.
You can't make every employee tech-proficient, and that's troubling in an era where attacks are constant, and enterprise security endures some profound cloud, infosec hiring, and BYOD growing pains.
What you can do is learn the top ways malicious attackers exploit your weakest links, as described on each of the following pages.
Target, JP Morgan Chase, Verizon, Home Depot... the list goes on. The Identity Theft Research Center's 2014 report summary of data breaches paints a disturbing picture of 2014 to date -- as of October, there have been 606 known and reported major breaches and 77,577,208 records stolen.
The Banking, Credit and Financial sector has seen 24 breaches so far, with 1,172,320 records compromised; Business is at a stunning 211 breaches with 64,407,359 records stolen; Medical/Healthcare has also been hit hard this year with 259 successful hacks and 7,151,542 records pilfered.
As we remember from the RAND report on the hacker's black market, these records get used in many ways. As well as identity theft, the records get compiled into databases used for spear-phishing and other targeted attacks... and the cycle begins again.
Access to online content for mobile users is primarily through just two companies: Apple iTunes apps and Google's Chrome Store apps. For phone and tablet users, the internet as we once knew it is being gradually replaced by mobile apps.
Ask most Android users what malware is, and you'd likely get a blank stare -- despite the fact that 97% of mobile malware and trojans are on Android. F-Secure's Mobile Threat Report Q1 2014 was a bucket of cold water in terms of just how pervasive attacks on typical users are, and how they can spread through apps into businesses.
Add that to hacks like Snapchat's repeat performances and it's no surprise that app users are getting hacked like there's no tomorrow.
What's worse, mounting evidence shows that app makers haven't put user security first. Because even the most negligent apps -- repeat offenders like Snapchat -- aren't being brought to heel, it's only a growing attack vector for the non-technical victim (who might otherwise take operational security precautions).
Phishing is an incredibly popular attack -- because it works. Today's typical phishing attack is an email or text message disguised to look familiar, fooling the unwitting into clicking a link or downloading an attachment or image.
The URLs within the message may look correct, or almost-correct, or may look right but go to a redirect page; either way the links lead to infected web pages. Sometimes the pages are hosted on the actual site's server, with the host having been compromised long ago.
One attack uses popular trends, emailing front-page news headlines as if from a friend or a newsletter. Another angle is an email that looks like it comes from a friend or a fellow employee, with a foul link, or a malicious attachment.
The bottom line is, if you're not expecting it, be suspicious. If you get an official-looking email from a bank, or any other business that handles your sensitive information, go directly to the website: Don't click links in emails -- or texts.
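The three link tricks described above (display text that doesn't match the real destination, a lookalike or almost-correct domain, and a link that bounces through a redirect) can all be checked mechanically before anyone clicks. The script below is an added example, not code from the original article: it pulls the anchor tags out of an HTML email body and flags each of those patterns. The brand list, the sample email and the hostnames in it are constructed for the demo, and the "registered domain" helper is a deliberate simplification (last two labels, no public-suffix list).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed assumption: the domains this user legitimately gets mail from.
EXPECTED_DOMAINS = {"examplebank.com", "example.com"}

# Constructed sample email body with one clean link and three suspicious ones.
SAMPLE_EMAIL = """
<p>Dear customer, please review the links below.</p>
<a href="https://examplebank.com/login">https://examplebank.com/login</a>
<a href="http://examp1ebank.com/verify">https://examplebank.com/verify</a>
<a href="https://examplebank.com.account-check.net/x">Secure login</a>
<a href="https://mail.example.com/track?u=http://evil.test/p">Read newsletter</a>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Naive registrable domain: the last two labels (demo simplification)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def levenshtein(a, b):
    """Edit distance, used to catch one-character typosquats like examp1ebank."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_links(html, expected_domains=EXPECTED_DOMAINS):
    """Return [(href, [finding, ...]), ...]; an empty finding list means clean."""
    collector = _LinkCollector()
    collector.feed(html)
    expected_regs = {registered_domain(d) for d in expected_domains}
    report = []
    for href, text in collector.links:
        findings = []
        target = urlparse(href)
        host = (target.hostname or "").lower()
        reg = registered_domain(host)

        # 1. Visible text names a domain that differs from the real destination.
        shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text, re.I)
        if shown and registered_domain(shown.group(1)) != reg:
            findings.append("display text points at %s but link goes to %s"
                            % (registered_domain(shown.group(1)), reg))

        # 2. Host is not an expected domain but embeds or nearly spells one.
        if reg not in expected_regs:
            for exp in sorted(expected_regs):
                if exp in host or levenshtein(reg, exp) <= 1:
                    findings.append("host %s imitates %s" % (host, exp))
                    break

        # 3. A query parameter carries a full URL: classic open-redirect shape.
        for key, values in parse_qs(target.query).items():
            if any(v.lower().startswith(("http://", "https://")) for v in values):
                findings.append("query parameter %r carries a URL, possible redirect" % key)

        report.append((href, findings))
    return report


if __name__ == "__main__":
    for href, findings in analyze_links(SAMPLE_EMAIL):
        print(href, "->", findings or "clean")
```

Running it prints the first link as clean and flags the other three. The checks are deliberately conservative: they only raise flags, leaving the decision to a human, and the "go to the site directly" advice above still applies to anything the script doesn't catch.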
Hackers have long known that social engineering is a routine part of attacks, but the past few months have shown the wider public that social engineering attacks on regular people -- and not only A-listers such as Jennifer Lawrence -- are far more common than previously believed.
Far too many non-technical people have personal information exposed or easily findable, and don't know it -- nor do they know how it gets pieced together by malicious hackers to compromise accounts and perform identity theft.
Many don't know that information like their home address, phone number and family names are available for purchase on so-called 'people finder' websites, which are a gold mine for digital social engineering.
Password cracking is still one of the top ways malicious hackers do their smash-and-grab break-ins -- it doesn't help that the majority of people have been thrown into the consumer end of infosec without being told how to make a safe password.
In fact, most people:
The recent release of Dropbox usernames and passwords -- stolen across other services -- was a sobering reminder that password databases get hacked all the time.
2014 started with a bad ad bang when in January it was discovered that hundreds of thousands of visitors to Yahoo! were served malware-infected ads.
Dutch security firm Fox IT said, "Clients visiting yahoo.com received advertisements served by ads.yahoo.com. Some of the advertisements are malicious." After analysis, Fox IT said that malicious payloads were delivered to about 300,000 visitors per hour.
"Given a typical infection rate of 9 percent, this would result in around 27,000 infections every hour. Upon visiting the malicious advertisements, users get redirected to a 'Magnitude' exploit kit via a HTTP redirect."
The attacks on unsuspecting users and web surfers via poisoned ads -- likely tailored to their surfing and clicking habits -- have only increased.