Thursday, July 22, 2010

2009 marked another bad year for IT security



Long-time readers know of my annual tradition of reviewing the improvements (or really, the lack of improvements) in the IT security world over the past year. This year had its share of good stats tempered by a hefty dose of stark reality.
Let's start with the good news: Most computing devices and software became more secure in 2009. Increasingly, more vendors are starting to take computer security and patching seriously. Companies are making critical security patches available faster than in past years (across all platforms). More end-users are using auto-updating mechanisms to patch their OS and applications. The number of computers being applied with critical security patches is up. Responsible disclosure is up. Irresponsible, full disclosure is down. (See Figure 27 in the Microsoft Security Intelligence Report for the company's stats).
[ Find out how to avoid Adobe's new Reader attack. | Take a break from security woes to check out 10 zany USB devices. ]
The bad news on patching? Well, the fact that it's still so frequently and desperately needed across all OSs, all browsers, across nearly every very popular program. No one is expecting perfect code with zero vulnerabilities found over time, but it would be nice for patching to become a less regular event.
The average end-user still has 12 unpatched programs on his or her machine, according to my security vulnerability-finder fav Secunia. The average end-user patches his or her OS and doesn't patch his or her browser add-ins, which are the ones most likely to allow malware onto a system.
Good browser news: Most browser developers started implementing (or strengthening) anti-phishing and anti-malware detectors. None of the implementations are perfect, but at least it gives another free defense-in-depth tool. All the popular browsers improved their cross-site scripting (XSS) defenses, along with a myriad of other browser defenses. Kudos to Firefox for looking for and warning users about older, unpatched popular add-ons.
Spam is a mixed bag. Spam, as a percentage of global e-mail, is as high as ever, at over 80 percent.  However, most users are receiving less than a handful of spam messages in their inbox each day. If you're getting more than a handful, you don't have the right anti-spam tools implemented.
In a welcome relief, we didn't have any huge rapid, mega-outbreaks in 2009. Conficker was a widely spreading malware program, infecting over 10 million machines. It was nothing to sneeze at, but it was not the rapid-spreading, everyone-is-infected-in-a-day type of worm such as MS-Blaster or SQL-Slammer. Although like all the previous types of very popular worms, patches were already available before the malware program's release, but often not applied.
As expected, malicious hackers started to target social networking sites in a big way. Some of the biggest attacks were against MySpace, Facebook, and Twitter users. This trend will probably only grown. Hackers attack what is popular.
On the positive side, for the tenth year in the row the expected besiegement of mobile phone malware didn't happen. Sure, there were mobile phone worms and Trojans, but we read more stories about them than actual infections.
But again, I can't help but be a Scrooge about the whole year. No matter what the security gains were, the hard reality is that users are being exploited more than ever, and often by their own hands (e.g. the exploit didn't need an unpatched piece of software to do its dirty business). Most users are exploited by being tricked into installing malicious software disguised as an antivirus scanner, needed software patch, or video codec.
We catch almost no one. Any headline claiming that we've captured or prosecuted some uber hacker is almost never correct. The caught criminals are almost always minor players in today's world. If they get prosecuted, the fines are usually pretty minor (for the money they've stolen), and the jail sentences so short they don't serve as a future deterrence.
Bot-net creators operate with near impunity. Heck, some of the cyber criminal gangs are so huge and well known they have multi-page Wikipedia entries.  Seehttp://en.wikipedia.org/wiki/Russian_Business_Network as an example.  The evidence available against the Russian Business Network is available for anyone's review. It's more public evidence than we've ever had against a mafia organization and yet there has never been a single RBN member prosecuted. Bank account-stealing Trojans are on the rise.
Worse, I haven't seen a solution coming out in the next year that is likely to change any of these facts. In 2010, I expect end-users to continue to lose hundreds of millions of dollars to malicious hackers.
But I'm not here just to complain without offering solutions. There are existing solutions that can significantly reduce security risk, such as Microsoft's End-To-End Trust initiative or Trusted Computing Group's standards, but it takes a planet -- and apparently a tipping-point event -- to make it happen. I am encouraged by President Obama's cyber security initiatives, but the wheels of government turn even more slowly than the commercial sector without a public outcry.
For now though, continue to fight the best fight you can against malicious hackers and malware.  The three best pieces of advice that I can give to any reader to protect their computers are:
  1. Try not to get tricked into installing software, however you can accomplish this. If you can do this better, you almost don't need to do anything else.
  2. Don't be logged in as administrator or root most of the time.
  3. Make sure your OS and applications are patched in a timely manner.
Do these three things well and you'll be more secure than 99 percent of the rest of the computer world. Do these three things poorly and no amount of advanced security solutions (e.g. firewalls, IDSs, anti-malware solutions) will save you.
With all of this said, I'm hoping 2010 will surprise me. I'd like nothing more than to write a column talking about real, lasting improvement made in the computer security world.  It's depressing that I could apply this column to any year end over the past two decades.
This story, "2009 marked another bad year for IT security," was originally published atInfoWorld.com. Follow the latest developments in security at InfoWorld.com.