Face it, the system is broken. Internet security is in a state of decline, and if present trends continue, it will be an abysmal failure within five years.
Attackers are winning the war, make no mistake about it. Security staff members are running well behind the curve and the gap is getting wider every day. New forms of attack are emerging, deeper and more complex vulnerabilities are being exploited, and yet the majority of compromises are still coming from holes that should have been patched months or even years ago (see www.incidents.org for statistics).
Many companies out there have not even taken the first steps of identifying their assets and connections, let alone undertaken even the most rudimentary type of vulnerability assessment. Policies and procedures are also lacking, with many organisations still missing even basic security policy elements such as acceptable usage policies. Even where policies do exist, consistent enforcement often remains a huge issue between managers, HR and legal groups.
We continue to run into firms that have yet to deploy firewalls (yes, there are still organisations without firewalls...), intrusion detection mechanisms or even anti-virus software on the desktops. Forget assessment and prevention; these folks do not even have a basic idea that a threat exists!
Attackers know these situations exist. They know because they are routinely exploiting them. They know how to look for low hanging fruit and they know just how heavy the forest is with it.
So, what can we do about it? If we are involved in or with organisations that have yet to understand threats and deploy basic defenses, we can work to build awareness from the top down or the bottom up. We can help our vendors, business and trading partners develop good security habits by mandating examples for doing business and creating systems for assessment and verification. If we can make security a requirement for doing business in the online world we can create organic growth that will close the gap between attackers, defenders and victims.