You’ve seen the TV show before. A shadowy miscreant in a black hoodie is furiously typing away at a keyboard, illuminated only by the glow of the monitor. Suddenly, a dialog box pops up: “ACCESS GRANTED.” The attacker has successfully hacked the mainframe. Unfortunately, Hollywood’s portrayal of “hacking” doesn’t quite match up with the challenges of cybersecurity these days.
When you study the attacks of recent years, a familiar pattern starts to emerge. First, the attacker sends out a phishing email. Far from the easily detected Nigerian prince-style emails of the early 2000s, these emails are deceptive, realistic-looking, and convincing. There is usually a panic-inducing call to action, warning the recipient that if they don’t click the link or open the attachment, their account will be lost forever. Victims who fall for the scam are tricked into giving the attacker their user account and password. Since so many of us reuse the same password in multiple locations, the attacker can now use your credentials to log on to any service where you use that password.
The crown jewel for the bad guys is your email address. Because your email is used for correspondence to confirm accounts, purchases, and/or changes, many other attacks become possible once an attacker takes control of it. In the case of compromising a business, university, or hospital, the attacker uses the stolen credentials to pivot around the network, looking for an opportunity to elevate their privileges so that they can compromise critical infrastructure.