6 hard truths security pros must learn to live with

Nearly every company in the world has thousands of vulnerabilities that hackers can easily exploit. For anyone working in IT, this is not a bombshell announcement. It's business as usual.


Hackers can change tactics on a dime

Defenders, by definition, are reactive, and in the computer world, this makes us that much slower than attackers. It takes IT and the security industry about two to three years to sufficiently address a new threat. Attackers will have moved on to new or slightly different attacks well before then.

In the late 1980s when boot viruses were all the rage, it literally took years to get out the message that users should pop out their floppy disk before rebooting their computer. In fact, boot viruses didn't go away until the demise of the floppy drive. Now we have USB autorun viruses doing the same. Macro viruses hit us with a vengeance in the 1990s, and it took a decade to tell people to not open every file attachment, especially if it was unexpected. We're still trying to get people to understand that message.

All attackers have to do is slightly modify their techniques and they're successful again. For example, we warn people about fake antivirus messages, and they get fooled by a fake disk-compacting program. We warn people about patching their OS and attackers move on to popular browser apps.

Today, most attacks are launched from exploited websites. You're more likely to be exploited from a website you trust and visit every day than from a porn site. Now we're trying to tell people not to run the link or executable they've been offered in their browser window or not to give their logon credentials to people who send emails. I wonder how long it will take for us to effectively teach and learn these current lessons.

We haven't learned how to stop attackers from exploiting our PCs, and they're already moving onto our mobile devices. Nearly every threat we had in the PC world is being repeated in the mobile world. Worse, we're very bad at transferring lessons learned on one platform to another. It will only get worse as the Internet of things (IoT) accelerates. Smart televisions, cars, toasters, clothing -- everything will be targeted for attack.

Advanced Threat Protection: A strategic approach against an increasingly sophisticated threat. A ComputerworldUK event, Glaziers Hall London, 14 May. Register here.

Next section: Lack of focus on the right risks

"Recommended For You"

Security org raises Internet threat level after seeing expanded IE attacks Microsoft will patch IE zero day but doesn't give timeline