To Keep IT Assets Secure, Pay Attention to the Simple Things

What are the greatest threats facing the software industry today? Hint: They're not foreign spies or 400-pound programming prodigies. A look back at some of the biggest cybersecurity attacks of 2016 reveals that the most serious threats remain simple and unsophisticated — even though people keep falling for them.

Consider the following three major cybersecurity attacks and flaws that took place in 2016:

• The Democratic National Convention email leak. This attack was facilitated in part by convincing the Clinton campaign's chairman to click a malicious link in an email — the kind you probably have coming into your spam folder all day long. This was a classic phishing attack. As hacks go, it was not a particularly difficult one to execute.
• The Dyn DNS outage. Hackers were able to carry out this attack, which shut down a number of major websites for a day in October, by breaking into Internet-of-Things (IoT) devices that were poorly secured by the manufacturers. The attack used malware to guess passwords on devices whose default passwords were publicly known. You don't have to be a cybersecurity genius to carry out an attack like this. You just need to know how to run the script that guesses passwords, then execute a basic DDoS attack with the devices you compromise.
• QuickTime's security holes. A couple of major security flaws were discovered last year in Apple QuickTime. The revelation prompted Apple to stop supporting the platform — making QuickTime a security vulnerability for anyone who still has it on his computer. The QuickTime affair created an easy opportunity for hackers. But it was created not by stealthy, expert programming, but by the simple decision of a major company to stop supporting a widely used platform.

The method behind each of these attacks or flaws was different. Yet in all cases, the attacks or vulnerabilities were made possible by relatively simple and basic security flaws.

Lessons for the Channel

What does that mean for the channel? It means that, while it's still important to defend against the truly sophisticated hackers who are out there by deploying software designed to stop them, keeping your IT assets secure also requires thinking about vulnerabilities that are so basic they can be easy to ignore.

Educating users about phishing, avoiding devices with inherent security flaws like passwords that can be guessed and uninstalling unsupported software are all things you probably learned about years ago. But they are still important today, even as much more sophisticated types of attacks have emerged. Ignoring the smallest of vulnerabilities can lead to the biggest of hacks.