Friday, January 13, 2006

Computer security: still sucky after all these years

The title above links to an interesting article at SearchSecurity.com, indicating that, despite all the attention given to computer security these days, attacks continue unabated. It's not clear from the article if they're distinguishing between attacks made and successfully compromised systems; for instance, the article mentions port scans, which are not indicative of security holes in and of themselves.

It's really astounding to me that this is still such a problem in corporate settings. Anyone thought of demanding secure software? Have any major customers gone to Microsoft and threatened either legal action or a wholesale move to Linux if Windows isn't secured within some reasonable time schedule? Meanwhile, developers continue to add "features" to their software to improve the "user experience" that also improve the cracker experience.

Then there are the basic security measures any company can take, like not allowing users to install software (separate administrator accounts) and disabling features that allow software not installed on the computer to run (CD autorun, various scripts and macros embedded in emails or files, etc.). And, in addition to the article's suggestion of thorough background checks on employees, might I suggest treating employees well, so they like the company and won't want to do bad things to it?

And here's the FBI's attitude towards computer crime:

Computer related crime is the third-highest priority in the FBI, above public corruption, civil rights, organized crime, white collar crime, major theft and violent crime.

Does anyone else feel that this is a bit out of whack?
