Sunday, June 1, 2014

5 ways computer security has truly advanced

May 27, 2014

Security isn't all gloom and doom. Amid the progress today, these four developments in particular have made us safer


5 ways computer security has truly advanced
As you may know, I like to rant about the poor state of computer security. I have reason to, because each year it appears we're losing the battle as more and more systems get exploited. We can't seem to take care of the simple stuff, like requiring better passwords or fixing DNS (who among you has enabled DNSSec?), much less the hard work it will take to make substantial improvements in the state of security.
Yet we've had some real wins -- and I don't talk about them enough. Here are some of the security advancements that have made a real difference.
[ It's time to take another look at security. Two former CIOs show you how to rethink your security strategy for today's world. Bonus: Available in PDF and e-book versions. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]
1. Security defaultsUsers will almost always choose the default option when presented with a computer security decision. When I first joined the computer world, almost every computer security prompt defaulted to an answer that made the system more vulnerable. Vendors were more concerned with making their software easy to use rather than secure, even when the default significantly raised security risk.
For example, when macro viruses first appeared, almost all office applications either autoran them or prompted the user to decide whether or not to run the macro. Hit Enter and you're infected. Eventually, software vendors learned that simply changing the default to No, although it required one extra click, would prevent all sorts of security ills.
Today, almost all software comes not only with more secure defaults, but if the software prompts the user to make a decision, the default is the secure answer. One of the best examples of this is Microsoft's User Account Control (UAC) prompts. When a UAC prompt shows up, if the user ignores it or hits Enter, the program requesting elevated access will be denied.
2. Drive encryption
Certainly one of the best improvements is how most vendors offer or enforce encryption on hard drives by default. Many times it is enabled without the user even noticing. For example, if you buy a Windows 8 computer, it has BitLocker Disk Encryption enabled by default. This includes Surface devices. When a user logs on as admin the first time, their encryption key is even backed up to the cloud (OneDrive) transparently in the background, in case they need it for a future recovery.
Most other OSes either turn on disk encryption by default or have it available and recommend that it be enabled by default. This includes mobile phones and devices. Today, it is a lot harder for a bootup floppy, CD-ROM, or USB key to bypass the victim's installed OS access control mechanisms to get at the wanted data.
Many stolen laptops that would otherwise have to be reported under various regulations are exempted if the laptop has an encrypted hard drive. Of course, these same protections are frustrating law enforcement, legitimate recovery processes, and customers alike. Depending on whether you use self-encrypting hard drives, OS protection, or third-party encryption software, key management has become more important than ever.

3. SSL by default
Led by Google, most Web services now enable SSL encryption by default. Previously, for most popular cloud, email, and calendars services, SSL was either not available or had to be specifically enabled by the user. This led to widespread theft of service passwords and cookies, especially across shared wireless networks, such as those in cafes. Today all major providers have followed Google's lead.
You may wonder why it took decades after the invention of SSL for vendors to enable it by default. The reason: SSL creates a significant performance penalty, but the increasing power of hardware has made that less of an issue.
Of course, even SSL has bugs, as the OpenSSL exploit recently showed. You really should be using TLS and not SSL, as most versions of SSL are no longer considered secure. Rest assured that when you connect to the most popular websites, you're probably using TLS, although you may want to check the HTTPS connection to verify.
4. Two-factor authentication for Web logons
One of the best developments on top of the SSL by default is out-of-band, two-factor authentication (2FA). Out-of-band means that the second factor is not communicated using the same network transmissions channel as the first factor.
In most cases, this means users can choose to have a secondary PIN code sent to them via SMS to their previously defined cellphone or sent to a second previously defined email account. It's pretty great. Some sites even allow you to use 2FA only when needed, such as on an untrusted public computer.
Note, however, that bad guys and malware have been getting around out-of-band 2FA authentication for more than a decade, starting with the original bancos Trojans. I discussed out-of-band, 2FA-evading Trojans back in 2006. Yes, 2FA is great, but it's not a cure-all.
5. UEFI (Unified Extensible Firmware Interface)
Prior to UEFI, which is a replacement for the system BIOS, it was trivial for bad guys and malware to fatally injure your computing device. Intel invented the original EFI standard in 2005, and while it had almost no real security mechanisms, it was a good start.
The truly secure UEFI 2.3.1 standard was released in 2013. Systems enabled with UEFI require that all code intending to modify a computer's firmware be signed by a previously approved vendor. Otherwise the modification gets blocked.
Still, it has yet to be proven if the UEFI standard will actually result in fewer compromises. UEFI is a standardized way of configuring firmware. The old BIOS method meant that almost every different model of computer ended up with a different BIOS. Each BIOS version requires a different modification routine, which meant it was harder for malware to silently infect. UEFI's standardization could end up being its Achilles' heel.
Nonetheless, these four advances give me hope that one day we will significantly reduce computer security risks. It's taking longer to do what we know we needed to do, but step by step, we're getting there.
This story, "5 ways computer security has truly advanced," was originally published at Keep up on the latest developments in network security and read more of Roger Grimes' Security Adviser blog at For the latest business technology news, follow on Twitter.,1

No comments:

Post a Comment