Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

2009 marked another bad year for IT security

By Roger A. Grimes | Dec. 21, 2009
Despite some improvements in patching and mail security, we've made very little progress stopping cybercriminals.

But again, I can't help but be a Scrooge about the whole year. No matter what the security gains were, the hard reality is that users are being exploited more than ever, and often by their own hands (e.g. the exploit didn't need an unpatched piece of software to do its dirty business). Most users are exploited by being tricked into installing malicious software disguised as an antivirus scanner, needed software patch, or video codec.

We catch almost no one. Any headline claiming that we've captured or prosecuted some uber hacker is almost never correct. The caught criminals are almost always minor players in today's world. If they get prosecuted, the fines are usually pretty minor (for the money they've stolen), and the jail sentences so short they don't serve as a future deterrence.

Bot-net creators operate with near impunity. Heck, some of the cyber criminal gangs are so huge and well known they have multi-page Wikipedia entries. See http://en.wikipedia.org/wiki/Russian_Business_Network as an example. The evidence available against the Russian Business Network is available for anyone's review. It's more public evidence than we've ever had against a mafia organisation and yet there has never been a single RBN member prosecuted. Bank account-stealing Trojans are on the rise.

Worse, I haven't seen a solution coming out in the next year that is likely to change any of these facts. In 2010, I expect end-users to continue to lose hundreds of millions of dollars to malicious hackers.

But I'm not here just to complain without offering solutions. There are existing solutions that can significantly reduce security risk, such as Microsoft's End-To-End Trust initiative or Trusted Computing Group's standards, but it takes a planetand apparently a tipping-point eventto make it happen. I am encouraged by President Obama's cyber security initiatives, but the wheels of government turn even more slowly than the commercial sector without a public outcry.

For now though, continue to fight the best fight you can against malicious hackers and malware.  The three best pieces of advice that I can give to any reader to protect their computers are:

1. Try not to get tricked into installing software, however you can accomplish this. If you can do this better, you almost don't need to do anything else.

2. Don't be logged in as administrator or root most of the time.

3. Make sure your OS and applications are patched in a timely manner.

Do these three things well and you'll be more secure than 99 per cent of the rest of the computer world. Do these three things poorly and no amount of advanced security solutions (e.g. firewalls, IDSs, anti-malware solutions) will save you.

 

Previous Page  1  2  3  Next Page 

Sign up for Computerworld eNewsletters.