Security fail No. 2: Your firewalls provide little protection
As far as IT security is concerned, firewall protection is becoming even less relevant than antivirus scanners. Why? Because the majority of malware works by tricking end-users into running a forbidden program on their desktops, thus invalidating firewall protection. Moreover, the bad programs "dial home" using port 80 or 443, which is always open outbound on the firewall.
Most people are protected by multiple firewalls on the perimeter, on the desktop, and filtering applications. But all that bastion host-port isolation doesn't appear to be working. We're as exploited as ever.
Security fail No. 3: Patching is no panacea
For many years the No. 1 security advice you could give anyone was to do perfect patching. All software has multiple vulnerabilities and must be patched. Despite the existence of more than a dozen patch management systems that promise perfect updates, for whatever reason, it appears it can't be done.
Often times it isn't the patch management software's fault -- it's the managers. They only patch some items, but miss the most popular targets, such as Java,Adobe Reader , Flash , and more. Or they don't patch in a timely fashion. Or they don't follow up on why some percentage of their population Dosen't take the lasted applied patch, so there's always a vulnerable portion of users. Even in the best cases, getting patches out to the masses takes days to weeks, while the latest malware spreads across the Internet in minutes or hours.
Even worse, social engineering Trojans have essentially done away with that No. 1 advice. Consider this: If all software had zero vulnerabilities (that is, if you never had to patch), it would reduce malicious exploits by only 10 to 20 percent, according to most studies. If you got rid of the exploits that required unpatched software to be present, the hackers relying on unpatched software for their dirty work would move to other avenues of maliciousness , and the true reduction in cyber crime would probably be much less.
Security fail No. 4: End-user education earns an F
Since the dawn of personal computing, we've warned users not to boot with a disk in their floppy drives, not to allow the unexpected macro to run, not to click on the unexpected file attachment, and now, not to run the unexpected antivirus cleaning program. Still, it does not work.
If our end-user education policies succeeded, we would have defeated hackers and malware by now. And if recent trends are any gauge, end-user awareness is worse than ever. Social engineering Trojans, which trick end-users into running malicious programs, are the biggest threat by far. Most end-users readily give up all privacy to any application or social media portal, and they do it without any thought of the repercussions, which includes greatly increasing their likelihood of becoming a target and succumbing to social engineering.
I strongly fault the people behind most end-user education programs. In their hands, end-user education becomes a forced, unwanted childhood chore. Education is undertaken haphazardly, using spotty curriculum that usually doesn't contain information relevant to the latest attacks. Let me ask you a question: If the No. 1 way end-users get tricked into running Trojans is through fake antivirus prompts, does your company tell your employees what their real antivirus program looks like? If not, why?
That type of disconnect puts IT systems in jeopardy. On average, it takes two years for the latest threats to show up in end-user education programs and only a minute for the bad guys to switch themes, putting us behind another two years.
You know what works better than end-user education? More secure software and better default prompts. Don't expect end-users to make the right decision; instead, decide for them. Macro viruses didn't go away until the default option was not to run the macro. File attachment viruses didn't minimize until most of them were blocked and it became harder to run them in the first place. Autorun USB worms didn't go away until Microsoft forced out a patch that disabled autorunning from USB keys as a default.
