5 ways computer security has truly advanced

Roger A. Grimes

3. SSL by default
Led by Google, most Web services now enable SSL encryption by default. Previously, for most popular cloud, email, and calendars services, SSL was either not available or had to be specifically enabled by the user. This led to widespread theft of service passwords and cookies, especially across shared wireless networks, such as those in cafes. Today all major providers have followed Google's lead.

You may wonder why it took decades after the invention of SSL for vendors to enable it by default. The reason: SSL creates a significant performance penalty, but the increasing power of hardware has made that less of an issue.

Of course, even SSL has bugs, as the OpenSSL exploit recently showed. You really should be using TLS and not SSL, as most versions of SSL are no longer considered secure. Rest assured that when you connect to the most popular websites, you're probably using TLS, although you may want to check the HTTPS connection to verify.

4. Two-factor authentication for Web logons
One of the best developments on top of the SSL by default is out-of-band, two-factor authentication (2FA). Out-of-band means that the second factor is not communicated using the same network transmissions channel as the first factor.

In most cases, this means users can choose to have a secondary PIN code sent to them via SMS to their previously defined cellphone or sent to a second previously defined email account. It's pretty great. Some sites even allow you to use 2FA only when needed, such as on an untrusted public computer.

Note, however, that bad guys and malware have been getting around out-of-band 2FA authentication for more than a decade, starting with the original bancos Trojans. I discussed out-of-band, 2FA-evading Trojans back in 2006. Yes, 2FA is great, but it's not a cure-all.

5. UEFI (Unified Extensible Firmware Interface)
Prior to UEFI, which is a replacement for the system BIOS, it was trivial for bad guys and malware to fatally injure your computing device. Intel invented the original EFI standard in 2005, and while it had almost no real security mechanisms, it was a good start.

The truly secure UEFI 2.3.1 standard was released in 2013. Systems enabled with UEFI require that all code intending to modify a computer's firmware be signed by a previously approved vendor. Otherwise the modification gets blocked.

Still, it has yet to be proven if the UEFI standard will actually result in fewer compromises. UEFI is a standardized way of configuring firmware. The old BIOS method meant that almost every different model of computer ended up with a different BIOS. Each BIOS version requires a different modification routine, which meant it was harder for malware to silently infect. UEFI's standardization could end up being its Achilles' heel.

Nonetheless, these four advances give me hope that one day we will significantly reduce computer security risks. It's taking longer to do what we know we needed to do, but step by step, we're getting there.

Source: InfoWorld

Previous Page  1  2