When I first started in information security the Internet was truly the wild, wild west. Security was something no one considered; computers were wide open and almost any system was easy to attack. Computers by default had almost all their services enabled and no firewall to protect them. All an attacker needed to hack a computer was to remotely scan for vulnerable systems and launch the 'exploit du jour'. In fact, that is precisely what hackers did, launching automated scripts or even worms such as Code Red, Sadmind or SQL Slammer, compromising millions of systems. In August of 2004 that radically changed. Windows XP Service Pack 2 was released, enabling firewalls on XP systems by default. Since then we have made tremendous technical improvements to securing the end point, including automatic updates by default, minimized services by default, and even anti-virus for free. All of these steps were intended to make it much harder for cyber criminals to hack systems. And in some ways, it worked. Just think: it is 2010, and how often do we see worm outbreaks?**

Unfortunately, these technical controls did not slow threats down; the bad guys simply changed tactics (which is something they are VERY good at). Instead of remotely scanning and hacking computers, attackers went for the newest weak link, the human. Think about it: most attacks nowadays target the human, such as getting people to click on a link, open an attachment or submit their information online. Take a brand new Windows 7 computer and by default it is pretty damn secure. Things only become risky when a human starts using it.
Thus my frustration. For the past ten plus years the security industry has focused primarily on technical controls, which we are getting pretty good at. However, we spend very little time on how to secure the human element. Don't believe me? Just check out your local security conference and count how many technical talks there are compared to human talks. This is why I feel we will see successful attacks continue to rise, and that this will not get better unless we also start addressing the human issue.
In many ways, when it comes to securing the human it is 2001 all over again.
** Okay, I know some of you are dying to say, 'But what about Conficker?' While Conficker was a relatively recent worm that did exploit a remote vulnerability (the SMB service), it did not really exploit systems in large numbers until it added two additional infection vectors in later variants, specifically infection by USB sticks and file share brute forcing, both exploiting vulnerabilities in humans.