One of the consistently best voices addressing cyber security issues worldwide is Bruce Schneier. He is a cryptography expert and privacy advocate out of Harvard who has published many books, some of which are very technical in nature and intended for professional information security audiences . But one of his great skills is that he also writes about important and timely privacy, trust and security topics in a manner that is accessible to most lay people.
Today I am bringing your attention to a recent article he wrote for the Xconomy web site which addresses the evolving nature of computer attacks and the assumptions most people make that such attacks are merely technical or malware issues.
Turns out, the challenges in modern IT security are not so much about technology, but about people using the technology. In fact, Schneier states that “…software vulnerabilities aren’t the most common attack vector: credential stealing is.”
The article quotes the head of the NSA’s Tailored Access Operations (TAO) group as saying “…stealing a valid credential and using it to access a network is easier, less risky, and ultimately more productive than using an existing vulnerability, even a zero-day…” ( essentially a software-based cyber attack using previously unknown tools or methods).
Schneier urges computing professionals to adapt to this changing environment, but the key piece of information within the article for most regular technology users is that they are more and more likely to be the initial target for malicious actors, who are using everything they can–including social engineering, phishing, physical and psychological manipulation, and outright threats–to gain legitimate credentials to target systems or networks, including home networks.
Using the kinds of techniques perfected by stereotypical con men and the hacker culture, modern criminals are now hacking people more than they are hacking machines. And once they have YOUR work or personal login credentials, they have the same access to everything you have access to within those environments.
So this article is a good reminder for each of us to think twice any time a person or a machine asks for personal or college information, or for home or work technology credentials.
The full Bruce Schneier essay can be accessed at: http://www.xconomy.com/boston/2016/04/20/credential-stealing-as-attack-vector/
If you are interested and wish to see more of Bruce’s writings, his personal blog web site is: https://www.schneier.com/.
(Sometimes his writings are too technical for me, but he has a very practical, realistic and common sense approach to many security and privacy issues, so it is worth checking his site out for the more generalized stuff that can help you can understand all of the issues about which he writes.)