6 hard truths security pros must learn to live with

Nearly every company in the world has thousands of vulnerabilities that hackers can easily exploit. For anyone working in IT, this is not a bombshell announcement. It's business as usual.
Lack of focus on the right risks

But the biggest problem with computer defense may be the inability to appropriately prioritise competing risks. Some of the hundreds of possible ways to exploit a company are far more likely to happen than others. This makes for a huge gulf between your highest-rated threats and your most likely ones. Success belongs to those who focus their security efforts more often on the latter.

I frequently ask IT security personnel to list every computer security defense they're implementing at their company, the money spent, and the staff resources dedicated to each project and operation. I then ask them to tell me the most common ways their company is exploited. Rarely do I hear two answers that are the same. If the IT security employees don't agree on what's wrong, how can you efficiently defend your environment?

More often than not, the No. 1 problem is unpatched software, and the No. 2 problem is social engineering. In the case of unpatched software, it's usually only one to three unpatched applications, out of the hundreds you need to patch, that are responsible for most exploits by outsiders. But how many companies focus on patching those few applications perfectly, at the expense of nearly everything else? Almost none.

If social engineering is the No. 2 problem, how come all user education programs operate on a shoestring budget? I've yet to see a user education program that truly, and routinely, teaches employees about the latest threats and how to avoid them. Most education programs are stuck in the past, offering solutions that would have worked moderately well a decade ago.

Very few programs tell users what the company's real antivirus programs are or look like, so how can they be sure to avoid responding to a fake one? Very few programs tell employees that they are more likely to be infected by a website they trust, let alone remind them not to run unexpected executables from any Web page. How many programs inform employees of the most frequent exploits fellow co-workers fall prey to, and how to avoid them? If your program does, send me a copy, so I can say I know of one company that does it right.

No solution addresses the real root of the problem

Each security solution you buy addresses a particular set of threats on a particular set of platforms. Each tries (imperfectly) to thwart a certain problem sticking its head out of a particular hole. Meanwhile, the nimble hacker moves to the left and starts a new hole. It's a game of digital whack-a-mole that defenders will never win.

But behind each attack is a single basic problem that remains unresolved: pervasive anonymity on the Internet. Anyone can send you an email claiming to be anyone else. Anyone can send network packets that your servers will consider or pass along. Anyone can claim to be anyone, by default. This means that evildoers are harder to identify and prosecute. As long as this is the case, we will never defeat malicious hackers.

There are ways to get rid of pervasive anonymity without revealing everyone's true identity in every instance. There are many instances in which absolute anonymity should be guaranteed, as many forums and circumstances benefit from some or all of the participants being anonymous. This is a basic truth of society.

At the same time, I would prefer to never receive an email from someone whose real identity hasn't been verified. Anonymous emailers too often indulge in mean and bullying behavior. I've received death threats for pointing out that Apple computers have more known vulnerabilities than Windows computers. Enter the terms "quits twitter" in your favorite search engine and you'll find copious incidents of people opting out of social media due to bullying or threats of physical harm to their family members. Being able to reject email from people whose real identity hasn't been verified may not eliminate that kind of behavior entirely, but it would seriously curtail it.

More than that, if we had a way of allowing various parties to easily agree on the level of anonymity allowed or not allowed in a particular transaction, Internet crime would likely plummet as well, as being able to identify and prosecute Internet criminals would finally become possible.

Of course, no single solution can fix this issue. It would take a concerted effort on the part of not only security solution providers but the Internet at large. But we all have ample incentive to take part in such an effort. Bandwidth free of denial-of-service attacks, spam a relic of the past, malware on the wane -- it can happen, when we focus on the right defenses.
