Security involves awareness. That is probably the most critical aspect. The majority of people know how to safely operate a motor vehicle, but nobody is teaching the majority of people how to safely operate a computer. We need corporations to have good security awareness programs in place. We tell people to keep their distance from the car in front of them, and we still remind them to wear seat belts. So why not keep telling people to browse safe sites and not open e-mail from strangers?
It's also a policy issue and a management process issue. If you establish a secure baseline for security processes across your organization, if you have secure configurations from the start and your ISPs block traffic that should not be there in the first place, most of the problems go away.
But often management is not working with security people to understand what's available to them. I advise people, "Let's figure out where you should be first, the ideal circumstance, what kind of process and technology you need in an ideal world. Then step back and see where you are, and come up with a plan to get you where you should be in a given period of time."
Generally, this is an inexpensive process with big rewards.
There is a ramp-up cost in training and implementation and an acquisition cost of subscribing to something like a vulnerability scanning service. When the process is in place, however, even routine maintenance becomes a way to make sure the security technology is implemented and updated. Once you get over that hump, once the management process is there, then it just goes down to how the administrators configure and maintain the systems they are responsible for. You will be able to get a big effect from low-tech protections that can be mass-produced and mass-distributed.
The human aspect remains very relevant, but at the same time there are technological measures that can counter operational, physical and personnel vulnerabilities. Technology is often a fail-safe. For example, if someone social-engineers away a password, token-based authentication makes the problem almost nonexistent, because getting the token for that moment in time allows just a one-time break-in. They would have to get the token again and again to go any further. It's a technical process to stop bad human password-security practices and enforce security awareness. Things like biometrics also work very well.
Beyond your emphasis on the low-hanging fruit, technology keeps evolving. Are we moving to an age of sci-fi security systems?
Because of my background and, for want of a better word, my notoriety, I get contacted by venture capitalists and people with new technologies on a regular basis. It's comforting to see some of what is coming down the line. I see biometrics being used more frequently. I think we'll start seeing more of that in the use of checks and credit cards, and people will start doing it as a habit. Banks will enforce the use of biometrics to cut down on credit card fraud. Smart cards will also be a very good thing. For the Internet, we are going to need some authentication structure where ISPs or other bodies act as authentication authorities between Internet sites.
That will get us exponentially beyond where we are now.
However, we're still in an arms race with the bad guys. If there's money to be made, the bad guys will find some way around it. We're starting to see a specialized niche of virus writers doing things for profit, writing things like bots, which allow computers to be controlled remotely, and spyware. Previously, they were just used as distribution points for denial-of-service attacks and spam. Now we are seeing people use bots to steal information.
So you need to keep moving. Whenever you implement a really good technology, such as an authentication system that delivers an exponential cut in the amount of fraud, it puts the bad guys three steps behind. And you don't stop. Hopefully, they'll start stealing credit cards from other countries.