10 years on: 5 big changes to computer security

This post marks my 10th year writing for InfoWorld magazine. I became a regular writer for InfoWorld by being, shall we say, persistent -- I wasn't a big fan of InfoWorld's security coverage at the time and suggested I could do better. Eventually, InfoWorld's editors agreed, and I've been posting here ever since.

Frequent readers of my blog know that I spend a lot of time complaining about the state of computer security and how little the things have changed. Now, however, is a great time to reflect on what has changed. It's been a wild ride. Certainly the threats we now face are different, but so too are the defenses.

Security change No. 1: Hacking has gone pro

When I first started in in this business, almost all threats were malware programs (viruses, worms, and Trojans) written by adolescent male pranksters. Although some malware programs did real harm, such as formatting disks or erasing data files, most simply annoyed people. You had some professional and even state-sponsored hackers, but they weren't the norm.

What difference 10 years makes.

Now almost all malware is created to steal money or corporate secrets. The script kiddies are almost gone, pushed out by the professional hacker gangs that make millions of dollars each day victimizing home users and corporations with almost no threat of being caught or prosecuted. Malware has gone from innocuous, funny viruses and worms to identity-stealing programs and ransomware.

Anyone with a credit card is accustomed to having their financial identity compromised. When 100 million records are compromised, no one bats an eye anymore. Doesn't everyone have free credit monitoring now?

Advanced persistent threats (APTs), officially or unofficially working on the behalf of a foreign government, are the new normal. They steal private documents and emails, along with patents and contracts, as easily as child would pluck flowers in a vast golden field.

Countries now routinely use their offensive cyber security capabilities to read the email of another country's leader -- or to destroy physical assets (such as nuclear centrifuges). Which country has the best hackers will determine the victors in the new cold war.

I miss the days of harmless boot viruses and teenage script kiddies.

Security change No. 2: Everyone has been compromised

Today, everyone has been hacked. This is no exaggeration. Every company worth hacking is hacked or could easily be hacked. This has created a new defensive strategic paradigm called "assume breach," where we acknowledge that there's no way we can eliminate persistent threats.

In truth, it has always been this way. We've never been good at keeping the bad guys out. All that has changed is that we're admitting it to ourselves. When you assume there has been a breach, that changes your defensive strategy.

Security change No. 3: Breach detection tools have improved

Once antivirus scanners were our main tool for breach detection. Now, an entire new slew of companies and products have been developed to detect when somebody's doing something malicious, even if that something malicious is being done by a "legitimate" user.

Event monitoring systems are improving. Many companies are now storing and analyzing billions of events a day, using huge disk storage arrays that a short time ago would have stored the world's entire collection of digital content.

Intrusion detection has moved beyond detecting simple malicious activity to detecting anomalous events that are out of character for a company and its employees. Connections to known, questionable networks are tracked and reported like the antivirus detections of yesteryear. Data leak protection (DLP) has become big business.

A decade ago, companies became practiced at shutting down their email servers and networks when the latest file attachment worm proliferated on the network. Today's defenders are creating hardened administrative computers and isolated management environments that can be used to manage their networks when a breach is detected.

Although there are notable exceptions (such as Sony Pictures), computer infrastructure and the Internet have become so integral to business today, rarely is a whole company taken offline in response to even the biggest threats. Today's defenders have to fix the hemorrhage without killing the patient.

Security change No. 4: Multifactor authentication proliferated

When I first started in computer security, only the government or top secret research facilities forced employees to use smartcards or other multifactor authentication tools. Now I see this at nearly every company I visit. Plus, most companies have great physical security, starting at the visitor's desk and parking lot -- and computer rooms are behind locked doors with the servers in locked cages.

Everyone still has lots of passwords, but most businesses and the most popular social media sites now offer two-factor authentication. Mobile phones and popular operating systems come with biometric identification by default. Eventually, passwords alone will stop being used altogether, receding into history like paper checks or credit cards without your picture and a chip.

I don't think multifactor authentication will solve all our problems, but it makes it harder for cyber crooks to steal and use your identity. Look for phishing emails and websites to disappear completely. We're headed there now.

Security change No. 5: Encryption is becoming the new default

Default encryption is on the rise despite nearly all governments protesting it. Today, most popular operating systems, computers, and mobile devices come with built-in, default-enabled disk encryption. More and more websites are using SSL (really TLS) encryption by default.

Police and government agencies are trying to scare us into getting rid of default encryption or enabling backdoors in the name of stopping child molesters and other criminals. Most people aren't buying it.

Default encryption will mean that when a computing device is stolen, no longer will it turn into a data compromise that must be reported to the authorities (and the media). The bad guys and unauthorized parties will be listening into our private conversations and transactions much less.

The key question to be answered over the long run: What if the authorities are right? Will badness shielded by default encryption overwhelm all the privacy goodness? I don't think so. The really bad guys already have access to and often use strong encryption, and in most cases the authorities still find them and lock them up. The only difference is that people who use encryption for legitimate privacy reasons will also get the protection.

A better world?

Unfortunately, all these defense improvements haven't yet translated into a safer computing environment. There are far more malicious attacks today than there were 10 years ago. "Improvements" in cyber crime have so far completely overwhelmed the advances in cyber security defense.

But I thoroughly believe that the defenses will catch up and eventually make the Internet a much safer place. It's the natural progression of every civilized society, with the same bumps along the way. For a while things get worse, but society responds, and the world advances for the better.

The only question I have: When will it happen? If I'm lucky enough to be writing for InfoWorld 10 years from now, will I be writing more about the successes or the failures? What's your opinion?