Perceptions of Security
The US presidential election and the multitude of related hacking incidents, leaks and IT scandals have thoroughly moved IT security into the mainstream.
Unfortunately, the public perception of hacking still lags far behind.
News coverage and the common narrative tell of extreme sophistication, the exploitation of previously unknown vulnerabilities and in-depth attacks on the very logic of cryptographic algorithms.
These capabilities certainly exist, to some extent, among the various parties involved. What is important to understand, however, is that such techniques are used extremely rarely. The vast majority of cyber attacks are carried out with significantly less sophistication.
The number one attack vector remains the use of weak passwords. Any word found in a common dictionary, no matter how rarely used, is unfit to be a password and can be cracked within seconds at worst and hours at best. Weak passwords led to several of the high-profile leaks during this election. Perhaps worse, the Mirai botnet, which took down the DNS provider Dyn and caused widespread internet outages last week, spreads by guessing the weak passwords of IoT devices.
The second largest attack vector is so-called social engineering: convincing a regular person to assist the attacker by means of social manipulation. This could take the form of an email from a supposed aide containing a seemingly innocuous attachment, a frantic call from someone pretending to be a company's customer asking for a password reset, or an unauthorized person walking through security screening with a group of employees returning from lunch. The possibilities are quite literally endless.
Firewalls, ACLs, hardening and monitoring do improve an organization's security, and many vendors' solutions promise (virtually always inaccurately) "security in a box". Yet simple steps taken at the individual level, such as using strong passwords, avoiding password reuse and exercising caution when dealing with IT systems, are perhaps the most crucial shield for any IT environment.
Organizations are advised to educate their staff and establish reasonable policies to ensure these requirements are met.
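One way such a policy can be enforced technically, covering both the dictionary-word point above and the advice against password reuse: the following is an added example, not code from the original post. It rejects a candidate password that is a dictionary word dressed up with the case changes, leetspeak substitutions and trailing digits that any password-guessing tool tries as a matter of course, and it keeps salted PBKDF2 digests of earlier passwords so reuse can be detected without storing them in clear. The word list is a constructed stand-in for a real dictionary or breached-password list, and the thresholds (12 characters minimum, 100k iterations) are assumptions chosen for illustration.

```python
"""Password-policy check: reject dictionary-based passwords and reuse.

Added example, not code from the original post. The word list below is a
constructed stand-in for a real dictionary; the thresholds are assumptions.
"""
import hashlib
import hmac
import os
import re
from typing import Optional

# Constructed stand-in for a real dictionary / breached-password list (assumption).
COMMON_WORDS = {
    "password", "welcome", "dragon", "letmein", "monkey",
    "sunshine", "baseball", "election", "qwerty", "secret",
}

# Substitutions guessing tools apply automatically, so they add no real strength.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(pw: str) -> str:
    """Recover the base word: lowercase, drop leading/trailing digits and symbols,
    then undo leetspeak (e.g. 'P@ssw0rd2016' -> 'password')."""
    base = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())
    return base.translate(LEET_MAP)


def is_dictionary_based(pw: str, wordlist=COMMON_WORDS) -> bool:
    """True if the password is a dictionary word with only cosmetic decoration."""
    return normalize(pw) in wordlist


class PasswordHistory:
    """Salted PBKDF2 digests of previous passwords, so reuse is detectable
    without ever storing the passwords themselves."""

    def __init__(self, iterations: int = 100_000):
        self._iterations = iterations
        self._entries = []  # list of (salt, digest) pairs

    def _digest(self, pw: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, self._iterations)

    def add(self, pw: str) -> None:
        salt = os.urandom(16)  # fresh salt per entry, so equal passwords differ on disk
        self._entries.append((salt, self._digest(pw, salt)))

    def was_used(self, pw: str) -> bool:
        # Constant-time comparison against every stored digest.
        return any(hmac.compare_digest(self._digest(pw, salt), digest)
                   for salt, digest in self._entries)


def check_password(pw: str, history: Optional[PasswordHistory] = None,
                   wordlist=COMMON_WORDS, min_length: int = 12) -> list:
    """Return the list of policy violations for pw; an empty list means it passes."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if is_dictionary_based(pw, wordlist):
        problems.append("based on a dictionary word")
    if history is not None and history.was_used(pw):
        problems.append("previously used")
    return problems


if __name__ == "__main__":
    hist = PasswordHistory()
    hist.add("P@ssw0rd2016")  # a constructed "old" password
    for candidate in ["Dr4g0n!", "P@ssw0rd2016", "correct horse battery staple"]:
        print(f"{candidate!r}: {check_password(candidate, hist) or 'ok'}")
```

In a real deployment the constructed word list would be replaced by a large dictionary or breached-password list, and the history check would sit behind the same rate limiting as the login itself; the structure of the check stays the same.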