Mimecast talks social engineering, and how your organisation can be compromised in just 82 seconds

And email is still the path of least resistance

It takes just one minute and 22 seconds to break into an organisation's IT system, with email still being the path of least resistance for social engineering attempts.

This is according to Mimecast's cyber security strategist, Orlando Scott-Cowley, speaking at Computing's IT Leaders Summit last week.

Reminding delegates of a particularly savage few years of cyber attacks just gone, with victims including Nationwide, HMRC, Sony, Ashley Madison and Mumsnet, Scott-Cowley stated that dangers increasingly come from attackers infiltrating networks looking for data to sell quickly and as cleanly as possible on the black market.

"Now, it's all about selling data," he said. If your network is collecting user data, it becomes a much more attractive target.

"There's websites on the darknet and if you know how to get to it, you can buy accounts for all sorts of services - credit card dumps, anything you like," said Scott-Cowley.

But there's also a "silver lining" in this method, he pointed out.

For every 40 million credit cards stolen - such as those in the past year - only an estimated one to three million are valid for sale before banks cancel them.

"However, there's still money in that, and an estimated $53.7m was still made," Scott-Cowley pointed out, suggesting that though the yield is low - and potentially getting lower - from stolen cards, it can still be worth infiltrators' time.

Scott-Cowley suggested that research shows it takes only one minute and 22 seconds to get into an organisation. "Email is the easiest way into an organisation," he continued.

"It's remote, simple, it only needs a couple of lines of text, and we all trust it; it has become the best way in. People will click on that link or attachment without questioning it at all."

With 95 per cent of network breaches starting with a phishing attack, according to Scott-Cowley, and 11 per cent of attacks involving convincing end users to download an attachment, he reminded delegates that awareness is still the best way to combat threats.

"[An email] appears to be from the CIO or the CEO, and it contains a PDF. What could be the harm? But we know there's lots of ways to compromise a PDF," he said.

PDFs, of course, can contain embedded files - particularly executables in the form of .exe files - and according to MalwareTracker.com, 22.9 per cent of infected PDFs contain exactly this. But it is JavaScript, found in a massive 71.5 per cent of infected files, that is the real aggressor: both malicious executables and embedded JavaScript can hijack a browser or system quickly and easily.
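As an added illustration (not part of the article or Mimecast's material), a small Python triage script that counts the PDF name tokens behind the two indicators above, embedded files and JavaScript, plus the auto-firing actions that usually accompany them. The sample PDFs are constructed inline; real samples often hide these names inside compressed object streams, so treat this as a first-pass check, not a full parser.

```python
import re

# PDF name tokens that usually carry active or embedded content:
# /JavaScript and /JS for script, /EmbeddedFile for attached files,
# /Launch, /OpenAction and /AA for actions that fire automatically.
RISKY_NAMES = ("/JavaScript", "/JS", "/EmbeddedFile",
               "/Launch", "/OpenAction", "/AA")

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalise_names(data: bytes) -> bytes:
    """Decode #XX hex escapes in PDF name tokens, so that an obfuscated
    /Java#53cript is counted as /JavaScript rather than slipping past a grep."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf_bytes(data: bytes) -> dict:
    """Count each risky name token in the raw bytes of a PDF.
    Limitation: names inside FlateDecode'd object streams are only
    visible after the streams have been decompressed."""
    text = normalise_names(data)
    counts = {}
    for name in RISKY_NAMES:
        # The next byte must not continue the name, so /JS does not
        # match /JSx and /AA does not match /AAPL.
        pattern = re.escape(name.encode()) + rb"(?![A-Za-z0-9_])"
        n = len(re.findall(pattern, text))
        if n:
            counts[name] = n
    return counts


def is_suspicious(data: bytes) -> bool:
    return bool(scan_pdf_bytes(data))


# Constructed samples (not real malware): a plain catalog, a document whose
# OpenAction runs hex-escaped JavaScript, and one with an attached file
# plus a Launch action.
BENIGN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
              b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n%%EOF\n")
JS_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
          b"3 0 obj << /S /Java#53cript /JS (app.alert('hi')) >> endobj\n%%EOF\n")
EMBED_PDF = (b"%PDF-1.4\n4 0 obj << /Type /EmbeddedFile /Length 5 >> stream\n"
             b"hello\nendstream endobj\n"
             b"5 0 obj << /Type /Action /S /Launch /F (attachment.exe) >> endobj\n%%EOF\n")

if __name__ == "__main__":
    for label, pdf in (("benign", BENIGN_PDF), ("js", JS_PDF), ("embed", EMBED_PDF)):
        print(label, scan_pdf_bytes(pdf))
```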

As for USB sticks, Scott-Cowley advised that under no circumstances should they be picked up off the ground.

While they seem like a nice thing to find, sticks could easily contain malware.

Cyber security stalwart and Resilient Systems CTO Bruce Schneier has been talking about this phenomenon since 2011, when the US government deliberately planted USB sticks in car parks: 60 per cent of the people who found them ran them on their computers, and 90 per cent installed the software when the sticks sported "official logos".

Schneier's issue, he has said, isn't that "people are idiots", but more that operating systems automatically trust whatever is plugged into a system.

"Quit blaming the victim. They're just trying to get by," he wrote in 2011.

But five years later, Scott-Cowley describes the USB stick approach as his "favourite", saying it still "works a treat".

Scott-Cowley compared the modern security loadout of the average company - illustrated by a photo slide of a single, overweight man with a whole armoury of weapons - to having all the correct tools and equipment, but none of the personnel training to use them.

"Within the business, we can't ignore the fact that our users do things we tell them not to do," he concluded.

And with any data breach costing an average of $6.5m per attack, it really is time that end users wise up to the real world dangers that, in many cases, security managers still can't fully protect against.