Security is a broad topic that is only becoming broader as we become more reliant on computers for everything we do, from work to home to leisure, and our computers become more and more interconnected. Most of our computing experiences now require, or are enriched by, Internet connections, which means our systems are constantly exposed to foreign data of unknown or uncertain integrity. When you click search links, download applications, or configure Internet-facing servers, every line of code through which the data flows is potentially subject to a storm of probing for vulnerable configuration, flawed programming logic, and buggy implementation—even within the confines of a corporate network. Your data and computing resources are worth money in the Web 2.0 economy, and where there’s money, there are people who want to steal it.
As the Web has evolved, we’ve also seen the criminals evolve. Ten years ago, the threat was an e-mail-borne macro virus that deleted your data. Five years ago, it was automatically propagating worms that used buffer overflows to enlist computers into distributed denial of service attack networks. Three years ago, the prevalent threat became malware that spreads to your computer when you visit infected websites and that subsequently delivers popup ads and upsells you rogue anti-malware. More recently, malware uses all these propagation techniques to spread into a stealthy distributed network of general-purpose “bots” that serve up your data, perform denial of service, or spew spam. The future is one of targeted malware that is deliberately low-volume and customized for classes of users, specific corporations, or even a single individual.
We’ve also seen computer security evolve. Antivirus is everywhere, from the routers on the edge to servers, clients, and soon, mobile devices. Firewalls are equally ubiquitous and lock down unused entry and exit pathways. Operating systems and applications are written with security in mind and are hardened with defense-in-depth measures such as no-execute and address layout randomization. Users can’t access corporate networks without passing health assessments.
One thing is clear: there’s no declaration of victory possible in this battle. It’s a constant struggle where winning means keeping the criminals at bay another day. And there’s also no clear-cut strategy for success. Security in practice requires risk assessment, and successful risk assessment requires a deep understanding of both the threats and the defensive technologies.