Interview With Ed Skoudis 2006

Author of Counter Hack Reloaded and Malware: Fighting Malicious Code

From , former About.com Guide

TB: What would you say has been the single best innovation, development or improvement in information security in the last couple of years?

ES: I think the biggest development is that Microsoft finally got serious about security. Before about 2 years ago, they treated it as an ancillary problem in a lot of ways. Then, I think the powers-that-be within Microsoft realized that security represented a significant threat to their market dominance. The slow trickle of users to Linux, Mac OS X, and other operating systems would have turned into a deluge if our industry joined the 'Blaster of the month' or the 'Sasser of the week' clubs. Some people think that Microsoft's newfound interest in security was merely hype and marketing, but I think they were legitimately scared of the evolving attacks.

But, rather than panic, Microsoft introduced some major improvements, including Windows monthly patch releases, Automatic Updates, and Windows XP SP2. With monthly patch releases from Microsoft, we can build repeatability into our patching processes. With Automatic Updates, those who trust Microsoft can turn their computer over to the vendor for patching. Sure, that's not an ideal solution, but again, it is a vast improvement over what most consumers are able to do themselves. And Windows XP SP2 makes the list, because it radically altered Windows with an infusion of security technologies, including the Security Center control panel, Data Execution Prevention, and, my favorite, severe limitations on anonymous SMB sessions. Have you noticed in the past year and a half, when a new worm or bot comes out, it tends to hit Windows 2000 the hardest, and Windows XP SP2 the least? A lot of that has to do with the restrictions on anonymous SMB sessions. Windows 2000 let unauthenticated users connect to all kinds of resources and pull information; it was really ridiculous. Microsoft has vastly improved this issue with Win XP SP2, limiting many worms and bots.

Keep in mind that Microsoft still has a lot of security problems in their products, but things have vastly improved, even in light of a majorly increased threat from organized crime. If we had had the current level of threat with the Windows of two years ago, we'd have gotten creamed.

TB: What do you believe is the greatest weakness or failure of existing security technologies or solutions?

ES: Security technologies still have numerous flaws. Vulnerabilities such as buffer overflows in firewalls, IDS tools, IPS products, and anti-virus solutions are a major concern. Attackers who exploit such software can get total control of a system or network via the machines' supposed defense mechanism. Although you'd expect that security tools would be developed with a higher level of scrutiny than other software, it does not seem to be so. So many of these tools are flawed, and that's really quite sad.

TB: What do you feel are the emerging information security threats looming on the horizon?

ES: Attacks on security tools, as we just discussed, are a major concern. But, I'm also worried about how we are increasingly folding general-purpose computer systems into our consumer electronics devices, like cell phones, TVs, and stereos. Cars are likewise getting more computerized. Computer attacks will evolve into this new realm, exploiting the same kind of vulnerabilities, but this time with a new set of targets. That will cause some major problems for society. In the past, if your computer was down, you might have watched TV, listened to the radio, or even had a conversation with another human face to face. If your computer, TV, radio, phone, car, and other technologies all use similar underlying systems, they could all come under attack simultaneously. That's a real problem, so we better brush up on our conversational skills with people located within walking distance! :-)
