Most people sit behind multiple firewalls: on the perimeter, on the desktop, and in front of applications. Yet all that host and port isolation does not appear to be working. We are as exploited as ever.
Security fail No. 3: Patching is no panacea

For many years the No. 1 piece of security advice you could give anyone was to patch perfectly. All software has multiple vulnerabilities and must be patched. Despite more than a dozen patch management systems that promise perfect updates, it appears, for whatever reason, that it can't be done.
Often it isn't the patch management software's fault; it's the managers. They patch only some items and miss the most popular targets, such as Java, Adobe Reader, and Flash. Or they don't patch in a timely fashion. Or they never follow up on why some percentage of their population fails to take the latest patch, so there is always a vulnerable portion of users. Even in the best cases, getting patches out to the masses takes days to weeks, while the latest malware spreads across the Internet in minutes or hours.
Even worse, social engineering Trojans have essentially done away with that No. 1 advice. Consider this: If all software had zero vulnerabilities (that is, if you never had to patch), it would reduce malicious exploits by only 10 to 20%, according to most studies. If you got rid of the exploits that required unpatched software to be present, the hackers relying on unpatched software for their dirty work would move to other avenues of maliciousness (read: social engineering), and the true reduction in cyber crime would probably be much less.
Security fail No. 4: End-user education earns an F

Since the dawn of personal computing, we've warned users not to boot with a disk in the floppy drive, not to allow the unexpected macro to run, not to click on the unexpected file attachment, and now, not to run the unexpected antivirus cleaning program. Still, it does not work.