Don’t Make the Mistake of Being the Low-Hanging Fruit

Posted on by Tony Bradley

Attackers are typically lazy and many attacks are automated. If you’re an easy target, you will inevitably get breached.

You’ve probably heard somebody say something to the effect that they don’t worry too much about security because they don’t have any data of value or interest. Maybe you’ve even said that about your business. Unfortunately, that isn’t how attacker logic works.

The mistake in this (lack of) logic is the belief that attacks follow a specific agenda. The thought process behind it is pretty straightforward: attackers perform some sort of preliminary reconnaissance to assess their targets, so clearly, once they see how boring and ordinary your data is, they won't bother with the effort. It may be true that an attacker would find little or no value in your data, and that the financial gains won't be as great. In most cases that isn’t the goal, though.

Consider a burglar who decides to target the home of a very wealthy person and develops a plan to bypass the security measures in place. Contrast that with a burglar who just walks down the street trying every door to find one that's unlocked.

There are sophisticated attacks that target specific organizations or individuals, but the vast majority of attacks are attacks of convenience.

Most cyber criminals are not all that tech savvy themselves. There’s an entire black market where would-be crooks can buy pre-packaged exploits and attack tools. Launching an attack is as simple as launching Microsoft Word…as long as the target systems have the appropriate vulnerabilities open and fit the criteria expected by the exploit. Most attacks are automated and simply scour the Internet in search of targets that fit the description.

Regardless of the data it contains, a compromised system is valuable in and of itself. Once an attacker is inside a network it is much easier to explore and find other systems to attack—systems that may not be accessible at all from the public Internet. Your cavalier attitude about security could enable an attacker to infiltrate the network and allow them to compromise other systems that are much more valuable. A successful attack costs money and that could have an impact on your income—or possibly even cost you your job.

A compromised system can be leveraged to distribute spam or malware as a part of a botnet. The attacker can also simply use it as a staging point for other attacks so any suspicious activity is traced back to your system rather than to the real attacker.

Don’t make the mistake of thinking you don’t need to be secure just because your job isn’t that important, or the data on your computer doesn’t seem valuable. Every user and every computer or mobile device is a potential victim. Any successful compromise can yield value for attackers and possibly enable them to gain a foothold in your network that can be used to move laterally and find other systems to compromise. 


Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
