The Internet and email is old at this point.
It can be reasonably argued that email links are a significant threat vector right now.
So far, we just keep trying to sandbox links or scan attachments, but it’s still not stopping the threat.
My questions for comment:
- Would removing anonymity from email reduce or remove this threat? If business blocked all uncertified email senders, would this threat be gone?
- Why can’t we do PKI well after a few decades?
- Does anyone believe PKI could apply to individuals? In the context of identity for email, accounts, etc?
I see services like id.me and others and wonder why we can’t get digital identity right and if we could, would it eliminate some of the major threats?
Image credit: https://www.office1.com/blog/topic/email
Edit, post not related to the site or any service, just image credit.
Would you mind pointing me at research that demonstrates that email links are the number one threat vector right now?
I can say from personal experience that that is the case, but I don’t have any empirical evidence.
As someone who leads a major MDR and IR service, phishing was the root cause of about 7.5% of incidents last year. Exploits are #1 around 47% of incidents, followed by compromised credentials around 30% of incidents.
This only represents SME and Enterprise. Phishing likely could be #1 for individuals.
A quick Google search gives tons.
These are some of the sources that I found that support the claim that phishing is one of the top cyber security threats and vectors for 2023. I hope you find them useful and informative. 😊
Source: Conversation with Bing, 12/24/2023 (1) Introducing Cloudflare’s 2023 phishing threats report. https://blog.cloudflare.com/2023-phishing-report/. (2) Introducing Cloudflare’s 2023 phishing threats report. https://blog.cloudflare.com/2023-phishing-report/. (3) CISA, NSA, FBI, and MS-ISAC Release Phishing Prevention Guidance. https://www.cisa.gov/news-events/alerts/2023/10/18/cisa-nsa-fbi-and-ms-isac-release-phishing-prevention-guidance. (4) CISA, NSA, FBI, and MS-ISAC Release Phishing Prevention Guidance. https://www.cisa.gov/news-events/alerts/2023/10/18/cisa-nsa-fbi-and-ms-isac-release-phishing-prevention-guidance. (5) The State of Phishing 2023 | SlashNext. https://slashnext.com/state-of-phishing-2023/. (6) The State of Phishing 2023 | SlashNext. https://slashnext.com/state-of-phishing-2023/. (7) 2023 ‘State of the Phish’ - Findings Sneak Peek | Proofpoint US. https://www.proofpoint.com/us/blog/security-awareness-training/2023-state-of-the-phish-findings-sneak-peek. (8) 2023 ‘State of the Phish’ - Findings Sneak Peek | Proofpoint US. https://www.proofpoint.com/us/blog/security-awareness-training/2023-state-of-the-phish-findings-sneak-peek. (9) The Biggest Security Threat of 2023? It’s Phishing - MUO. https://www.makeuseof.com/biggest-security-threat-2023-phishing/. (10) The Biggest Security Threat of 2023? It’s Phishing - MUO. https://www.makeuseof.com/biggest-security-threat-2023-phishing/.
How do these demonstrate that email is the main attack vector?
Did you need it to say: I felt like the number one? I was basing my assessment on all the recent breach notices I’ve heard.
Maybe you can qualify the threats statistically, or from Gartner surveys.
Right now, we’re all left with people having to deal with being one click away from workstation compromise, PrivEsc, exfil. Boo.
These seem to focus on phishing. There are other threats. Phishing happens via channels other than email.
You may be right in your assessment, but this evidence doesn’t support your claim.
Why does it have to be number one?