The security experts don’t like to talk about this much, but most agree that today the hackers have the advantage. Even top security firms are vulnerable to attack, as the hacking of RSA demonstrated. What this means is that if the computer is linked to the Internet it, and all data on it, is ultimately vulnerable despite even the best security efforts.
Of course that doesn’t mean that your computers will be hacked, nor does it mean that security is worthless. Given the huge numbers of computers on the Internet, obviously many are not going to be attacked by the most sophisticated methods. SMBs in particular may very well avoid problems simply through anonymity – bad guys can’t attack something if they don’t know it exists, and they are not likely to attack a random computer installation if they do not have some reason to do so.
Also, not all attackers are sophisticated enough, or determined enough, to defeat a strong security setup. Good security practices, including care to avoid downloading malware that can open the door to bad guys, can defeat the most pervasive, randomized attacks. But still, even experts sometimes get fooled, even known Web sites sometimes are infected and spread malware to all who log into them until they are cleansed, even RSA’s own defenses can be broken.
So I was heartened to learn at last week’s SAPphire 2011 that Intel is moving ahead rapidly to implement strong security tools including encryption and device “fingerprinting” on the silicon. This is exciting and promises to change the balance of power in the security war in the favor of the good guys.
One of the big problems with most computer security today is that it is implemented in software. Any security expert will tell you that hardware-level security is always stronger than the same tools in software. For instance, software encryption is more vulnerable, more difficult to manage, particularly in a distributed environment, and requires much more CPU time than hardware encryption. For those reasons, today it is, for instance, impractical at best to encrypt more than a small faction of company data, and then usually it has to be decrypted before it can be sent over the network. But put that encryption algorithm onto into silicon, and it becomes very practical to encrypt everything and to keep it encrypted while the data is distributed. And the keys will be very hard to steal or break.
With hardware-based security, malware, even root kits, become much less powerful, because the security boots before any software, even at the lowest levels. And device fingerprinting will allow users to identify individual devices at the company “front door” and turn away any that are not registered for access. And because the fingerprint is unique and implemented in the hardware, it will be extremely difficult to fake.
And this gets even more powerful as a company moves completely to hardware-based security. Then the end-user computers can work closely with the servers to create a complete, highly secured environment, even when those edge devices are somewhere out on the Internet, not in the office.
So in the meantime, do not skimp on security, work hard to ingrain secure practices among all your employees, and look forward with optimism.