Archive for May 1st, 2007

Attack on Macs

May 1st, 2007

By Ira Winkler

It really shouldn’t be a surprise that we are continuing to see major vulnerabilities in Macs. Mac hacks have been around for over 20 years. The reason why we haven’t seen a significant number of attacks against Macs in the last decade is that they are not an attractive target as there is not as much of an installed base when compared to Microsoft. It is that simple.

Now that Mac is attracting more attention and Microsoft is strengthening their development processes, we will start to see many more attacks, making the Mac commercials criticizing Vista security look stupid.

Posted in Articles | No Comments »

Wow! That’s New???

May 1st, 2007

By Ira Winkler

I just received an e-mail ad from ComputerWorld that advertises a white paper from Core Security. The ad scares us by informing us that users can NOW infect systems by opening Word, Excel and PowerPoint files. That is supposed to shock us?

The only thing that shocks me is that this appears to be new to a copywriter working for a security company. IMO, anyone with a clue knows that the macro abilities embedded within those file types have been proven to enable attacks for over a decade. The fact that a security company feels compelled to have this as the main teaser line either demonstrates that they have little faith in the intelligence of the readers (although they may be right), which is an insult to our intelligence, or that they don’t have a clue.


Plan, Plan, Plan, Plan - React!

May 1st, 2007

By Jim Reavis

In the perfect world as defined by information security practitioners, there are no surprises.  Viruses and malicious attacks bounce off a secure infrastructure.  New applications are rolled out only after extensive security architectural vetting and exhaustive testing.  CISO reports to the board show continuous organizational improvement.  Everything works according to plan.  In this world, the sun emits only harmless radiation, and gives off a soft light that masks my aging features.

In the real world, chaos reigns.  The papers are filled with incidents, and even if you aren’t in a high-profile organization, the time in a day spent chasing your tail is a lot more than the time you spend pondering the future.  As a CISO said to me today, we work to prevent what we can, and react to the rest.  As I survey the information security threats we are facing today and for the next couple of years, it seems inevitable that bad things will happen to good people with solid infosec programs.  The technology gap (e.g. botnets borne by Web 2.0) between the criminals and our defenses fluctuates over time, and it seems as though that gap will be fairly wide over the next 1-2 years.

If you want to think about allocation of infosec resources, my recommendation is to turn the dial over to the side of being reactive, not to eliminate proactive planning, but to make sure you are able to respond quickly.  Having a world-class incident response capability is where you need to be; tell your boss to anticipate the bad news and make sure you can react quickly.  Being good at reacting is actually proactive, isn’t it?
