The Sky Isn't Falling in IT Security, as Some Might Suggest

NEWS ANALYSIS: The long-held saying that "if it bleeds, it leads" holds true for information security reporting, but it really shouldn't.

security risks

Reporting on cyber-security can be a somewhat depressing endeavor—given the seemingly endless onslaught of exploits, breaches and statistics that preach doom and gloom on a daily basis. The truth, however, is that modern cyber-security is not all darkness.

Many have long heard the adage in journalism that "if it bleeds, it leads," and all you have to do is watch the nightly news to see that's true in 2015. In information security, the same is true; the big breaches, the zero-day exploits, the large statistics that claim high levels of security weakness often crest at the top of the major news aggregators and social media, as well.

My own inbox is assaulted on a regular basis with all manner of security claims, each one more outlandish than the next. Often, those claims are based on statistically insignificant surveys or vulnerabilities that, quite simply, are not exploitable.

That doesn't mean that there aren't vulnerabilities that are hyped and are actually exploitable. Case in point is the 2014 Heartbleed vulnerability, which eWEEK first covered before it was branded as Heartbleed and known as an OpenSSL Heartbeat flaw. In that case, an attacker was able to quickly make use of the flaw in Canada and was also promptly arrested.

Although there are certainly challenges in technology security today, the reality is that 2015 is much more secure than, say 1999. Back then, when the Melissa virus hit, many IT system administrators (myself included) were clueless and just didn't know what to do. In my own case, I pulled the Ethernet plug from the main Internet router in the server closet, as I had no other tools to stop the flood.

Today, it's a very different world. While information security is far from being a solved problem, there are, however, solutions in place for many problems. Operating system vendors have improved technologies, and security vendors have made billions from selling products that aim to protect organizations and their users. Perhaps more importantly, though, is that in 2015, there is a really solid understanding in the security research community of how exploits work and how to prevent them.

A few new classes of vulnerabilities in software have been reported in recent years, but what seems to be the case is that there are a number of persistent types of vulnerabilities that continue to reoccur. One such class of vulnerability is SQL injection, which enables a criminal to attack a database and potentially breach an organization's information. In the case of SQL injection, there are known defenses and best practices, which often boil down to making sure that all inputs are validated.

In the case of use-after-free (UAF) memory errors, which seem to continue to be common in Web browsers and in Web plug-in software like Adobe Flash, there is also a light at the end of the tunnel. Hewlett-Packard has done a lot of research to help prevent UAF errors, and that will improve security.

There are many other areas for security optimism, where once-pervasive threats have become non-issues. One such example is Oracle's Java, which in 2014 was the scourge of information security, representing 91 percent of attacks. In 2015, Java's story is very different, with almost no zero-day exploits and a much stronger security posture.

If security technologies are improving, why then are organizations still being exploited?

The answer to that has much to do with patching and configuration. While zero-day exploits do occur, exploit kits typically only target known exploits and are effective against unpatched systems. There is reason for optimism on that front, too.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.