Tuesday, May 10, 2016

Security is actually improving

So says Robert Graham, who created one of the early intrusion detection systems:
Critical software is written today in a vastly more secure manner than it was in the 1980s, 1990s, or even the 2000s. Windows, for example, is vastly more secure. Sure, others are still lagging (car makers, medical device makers), but they are quickly learning the lessons and catching up. Finding a vuln in an iPhone is hard -- so hard that hackers will earn $1 million doing it from the NSA rather than stealing your credit card info. 15 years ago, the opposite was true. The NSA didn't pay for Windows vulns because they fell out of trees, and hackers made more money from hacking your computer.
What we're seeing is a shift in the attack target: Point of Sale systems, ATMs, embedded devices.  Or a shift in the attack channel: Target got hacked via a contractor who was hacked.

As the defense improves, the offense shifts to a different approach.
