6 security advances worth celebrating

In the spirit of the Olympics, it’s time to celebrate our hard-won computer security defense advancements.

Given the endless stream of news about embarrassing hacks and data breaches, I can see why you might be skeptical. The fact is tens of millions of computers are currently exploited, nearly every company is owned, and those that aren’t could be.

But I’m here to report from the front lines: It could be worse! Security is slowly moving in the right direction. We have lots to be thankful for.

1. Broad solutions versus whack-a-mole

Nothing gets under my skin more than a new computer security solution that targets specific threats.

We already have the granddaddy of individual threat detection: antivirus scanners. After decades of using them, we’ve learned what they excel at (detecting older threats) and what they do poorly (detecting new threats). Unfortunately, the sheer quantity of new threats keeps rising. Some antimalware vendors now claim tens of millions of individual malware programs are created each month.

The good news is vendors have started developing and deploying broad solutions that can wipe out a whole class of attacks at once. For example, some operating systems, including Windows 10, offer Secure Boot options. They’re even a part of the new computer device firmware standard, Unified Extensible Firmware Interface (UEFI), which starts the protection at the chip level.

Operating and application vendors can build on that lower-level integrity and encryption to create higher-level, trusted boot and application pathways. Sure, there will still be vulnerabilities and bumps in the road, but a single fix can reaffirm the trust pathway and prevent a whole class of malware from succeeding.

When preboot and boot malware take hold, you can’t trust the modified operating system — and no antimalware program can be depended on to detect and remove the malware. Now preboot and boot protections are offered across multiple platforms, including personal computers, tablets, and smaller mobile devices. I call that success.

2. Faster patching

Buggy software is a fact of life — which means we will always have to patch.

A decade ago, many vendors would patch once a quarter or yearly, if ever. Patches for critical in-the-wild exploits could take a week or more. Today, a vendor would be run out of town for failing to patching vulnerabilities — and those patches are coming at least once a month, if not daily.

Critical zero-day vulnerabilities are often patched within hours of an announced in-the-wild exploit. Customers, too, are patching faster. Last decade it would often take the majority of customers six months to deploy critical patches. Heck, the first fast-spreading worm ever, SQL Slammer, spread around the world because the majority of SQL servers hadn’t applied a patch that had existed for almost six months. That sort of lag is far rarer today, in part because built-in routines typically apply patches within days of their release.

In fact, OS patching is now so good that malware writers and hackers almost never target OS vulnerabilities. Instead, they target popular third-party apps or rely on tricking users to run Trojans.

3. More default encryption

Nearly all operating systems and devices come with built-in disk encryption, much of it implemented by default.

More and more applications that communicate with the network use end-to-end encryption. More and more websites use HTTPS as their default protocol (over HTTP). 

All of this good encryption starts with security and integrity from the firmware on up. The first popular crypto-chip, the Trusted Platform Module (TPM), is a huge success. Built in to most computer motherboards for a few extra dollars, TPM enables computers to store their most trusted keys in the most secure manner possible.

Now that we have tons of built-in encryption, we’re never going back. The courts and laws can argue over what’s allowed, but the citizens have spoken, and encryption is here to stay.

4. Least-privilege religion

Less than a decade ago, nearly every program required local Administrator or root privileges. I remember having to make my wife a member of the Active Directory’s Enterprise Admins group so that she could start and use Intuit’s Quicken program. It was disgraceful. Back in those days, most software assumed all users would have full permissions to their systems, so they programmed their applications to work that way.

Today, any normal program asking for full privileges on any computer system is unlikely to be installed. Users and admins alike are mindful of what permissions their applications need to function. You no longer have to be an administrator to run a regular application — that, my friends, is progress.

5. More bounties

Almost every major software vendor now offers rewards for privately reporting security bugs. Good debuggers no longer have to wrestle with selling their bug to the highest bidder and wonder if it will be used for good or evil.

The majority of vendor bug bounties aren’t as high as those offered by malicious bug buyers, but ethical bug buyers still offer thousands of dollars in real cash. Bug bounties mean critical bugs are more likely to be given to the vendor for patching before ending up in the wild.

6. Stronger authentication

Password-only software and websites are fading. Today, users expect two-factor authentication: out-of-band phone checks, biometrics, smartcards, virtual smartcards, and the like. I don’t want to oversell the security impact of stronger authentication, because attackers often use methods that don’t care about the authentication method used. But stronger authentication can only help.