Instead, it would be more productive to focus on 1) tightening regulations around how data is maintained and secured, 2) removing the loopholes that permit exceptions to adherence with these regulations, and 3) applying for jobs with beleaguered government entities.

Yes, that last was on us as a security community. Let’s focus on how to help government achieve better security, rather than on vilifying it for a breach that could happen to any organization.

Unfortunately this is not something that is on the rise and has been a huge problem for some time especially for the banking industry. It is only a big deal and a major problem now and getting awareness because of the notifications. The businesses have always been and still are on their own to fight the problem unlike consumers who have outlets that can assist them.

f attackers are getting into a system via application gateways (which are the target of choice nowadays) then the vendors need to take responsibility for securing their programs. I’ll let the rest of you debate just how customers might make that requirement known to vendors.

If attackers are exploiting bugs or holes in the operating system itself, then there is only one solution: stay up to date with patches. Microsoft is known to delay critical security patches (see [http://blogs.pcworld.com/staffblog/archives/005658.html|leo://plh/http%3A*3*3blogs%2Epcworld%2Ecom*3staffblog*3archives*3005658%2Ehtml/oB17?_t=tracking_disc ] amongst others). Obviously, for an organization that wants to be proactive about security — and who doesn’t? — there are only two solutions: put pressure on the OS vendor, or fix the problems yourself (ie. third-party support).

Fixing the problem yourself is practically impossible without source code. And if an organization is using Windows, they are unlikely to be able to bring enough pressure to bear against Microsoft (look at the million-dollar-a-day fines imposed by the EU and Microsoft’s attitude). Nor will such an organization spend the $$$ on a source license for the Windows code base and try to fix it themselves. One other route is to switch OS vendors. (I’m sure you can see where this is going.)

Choose a vendor that doesn’t lock you in to their platform. Instead of choosing .NET and being forced to use Windows, choose Java and enjoy cross-platform applications. Instead of choosing Windows, choose Linux and enjoy free source code — should your vendor not produce a patch quickly enough for your needs (very unlikely in the Linux environment) hire your own programmer and have them fix it. In addition, it’s the Linux community that is pushing the envelope in R&D, not Windows.

Take a look at top500.org to see which operating system the largest systems in the world are running. As of 11/2008, Linux in some form is on 454 of the top 500 systems.

Computer security requires staying ahead of the bad guys. One way to do this is to patch systems quickly when a vulnerability is found and to do so frequently (don’t wait until the first Tuesday of the following month). If your vendor doesn’t support your security efforts, should you support that vendor?