As you may know, I like to rant about the poor state of computer security. I have reason to, because each year it appears we're losing the battle as more and more systems get exploited. We can't seem to take care of the simple stuff, like requiring better passwords or fixing DNS (who among you has enabled DNSSec?), much less the hard work it will take to make substantial improvements in the state of security.
Yet we've had some real wins -- and I don't talk about them enough. Here are some of the security advancements that have made a real difference.
1. Security defaults
Users will almost always choose the default option when presented with a computer security decision. When I first joined the computer world, almost every computer security prompt defaulted to an answer that made the system more vulnerable. Vendors were more concerned with making their software easy to use rather than secure, even when the default significantly raised security risk.
For example, when macro viruses first appeared, almost all office applications either autoran them or prompted the user to decide whether or not to run the macro. Hit Enter and you're infected. Eventually, software vendors learned that simply changing the default to No, although it required one extra click, would prevent all sorts of security ills.
Today, almost all software comes not only with more secure defaults, but if the software prompts the user to make a decision, the default is the secure answer. One of the best examples of this is Microsoft's User Account Control (UAC) prompts. When a UAC prompt shows up, if the user ignores it or hits Enter, the program requesting elevated access will be denied.
2. Drive encryption
Certainly one of the best improvements is how most vendors offer or enforce encryption on hard drives by default. Many times it is enabled without the user even noticing. For example, if you buy a Windows 8 computer, it has BitLocker Disk Encryption enabled by default. This includes Surface devices. When a user logs on as admin the first time, their encryption key is even backed up to the cloud (OneDrive) transparently in the background, in case they need it for a future recovery.
Most other OSes either turn on disk encryption by default or have it available and recommend that it be enabled by default. This includes mobile phones and devices. Today, it is a lot harder for a bootup floppy, CD-ROM, or USB key to bypass the victim's installed OS access control mechanisms to get at the wanted data.
Many stolen laptops that would otherwise have to be reported under various regulations are exempted if the laptop has an encrypted hard drive. Of course, these same protections are frustrating law enforcement, legitimate recovery processes, and customers alike. Depending on whether you use self-encrypting hard drives, OS protection, or third-party encryption software, key management has become more important than ever.