"The majority of the risk is due to end-users intentionally executing socially engineered Trojans that show up as fake antivirus software, malicious video codecs, fake patches, and needed software drivers. Yes, good patching and strong passwords also help, but Trojan horse programs that your end-users (or friends or family) get tricked into installing are by far the most popular, successful threat."
- The FROM address of an email address is easy to forge (see prior point) and too few people know this.
- People are gullible.
- SSL, the technology behind secure web pages, is a sham.
Update: This is a big topic that I didn't want to get into in detail. But, a few people wanted clarification, so see my comment below from June 2nd at 6:04pm.
- Home WiFi:
People use WEP on their home WiFi networks. That Verizon continues to employ WEP for new customers is shocking. It should be illegal. WEP encryption is easily broken, unlike the two newer schemes WPA and WPA2. That said, even WPA and WPA2 can be hacked if the password is weak.
- Public WiFi:
People use unencrypted public WiFi networks without a VPN. You don't spit into the wind, you don't tug on Superman's cape and you shouldn't use unencrypted public WiFi networks without a VPN. It opens up a slew of potential problems.
- Some files/data should never be accessible over the Internet. Yet, they often are.
- The IT field changes very quickly:
When faced with a medical problem, we often deal with a doctor with 10 or more years of experience in their specialty. Very few programmers have that much experience in the development environment they use. For example, no one on the planet has 10 years experience coding Android apps. Inexperience inevitably leads to rookie mistakes.
- Too many corporate executives have no technical savvy. This leaves them susceptible to scams and handicaps their ability to judge the importance and effectiveness of the computer security at their company.
- Small businesses have no computer techies on staff which makes them ripe for online banking fraud. Brian Krebs did a series of articles describing many instances of this.
- Economics dictates that software will be buggy:
Developers are paid to write applications that work and, often, that are finished ASAP. That applications are totally and completely bug free may not be the highest priority. For one thing, it delays roll-out. For another, not every developer is up to the task.
Steve Gibson discussed this briefly on his Security Now! podcast (episode 302, May 26, 2011). The topic was Donald Knuth, the author of TeX. Gibson called him "an artist of software" and marveled at how bug free TeX turned out to be, despite being a massive system. According to Gibson, Knuth
Sign up for CIO Asia eNewsletters.