I have recently received two books, which I highly recommend (even though I haven't completely read them, but recommend for another reason):
Building a secure computer system - Morrie Gasser 1988 (an ex-library book sent from the US)
How to hack like a legend - Sparc FLOW 2018
There are 30 years between these two books, obviously, but the principles still remain true. Noted from Chapter 2 of the 1988 book: Security is fundamentally difficult, an afterthought, the problem is people, least privilege, and so on.
However, what the 2018 book does is cover hacking against systems with machine learning and AI security. That seems to be the main difference in the last 30 years. In those 30 years we have gone from computers with a few KBytes of memory, to smartphones with 2 billion transistors - but what has fundamentally changed in the security world? You could argue that we have better firewalls, threat intel, threat hunting, advanced endpoint, but are they fundamental?
The biggest IT security challenge is us the human users...
If I were being cynical, nothing but the tools have changed. Instead of pen testing with real ink, today's tools find so much more than we could only have dreamed 30 years ago. Think about the ink thing. We used to look at print-outs of code and go through them one by one. Now I scan a fairly complicated web site in 2 or 3 minutes, generate a complete user-readable report and move on to the next just-as-easy task. Sorry, things are sooooo much easier today than compared to yesteryear, tool-wise it's not funny.
If I were being optimistic I would point to my user population and gloat that my last social engineering exercise netted a whopping three percent and that I receive reports about suspicious emails and possible security vulnerabilities on a near daily basis to include Sundays! Again, life is actually easier with a fully aware population today than 30 years ago. No comparison.
Security is generally on the front or near front burner for many mature organizations and not a back of the closet kind of operation 30 let alone 5 years ago. No longer seen as just an overhead or business luxury because people tire of the bad security news.
Understand not every organization has a security department or should even need one in the first place but the work has gotten MUCH easier over the past decade, particularly these past couple of years. Today I do what it would have taken a team of 3-5 people to do on a daily basis.
You have it easy.
Fundamentally, nothing has changed. Technically, the universe has changed.
Two characters represent the challenge in my view:
1. Security is diametrically opposite to convenience, and
2. Security is a constantly-moving target
There lie the daunting tasks for security professionals, as to how to manage technology and how to manage user expectations, thus to make the world going forward ......
I'll offer my opinion here, and before anyone asks, no, it isn't backed by much experience...
@4d4m's post included the question 'What has changed in IT Security from 1998 - 2018.' No doubt just about everything has --- something I'll have to say without reading those books. (OK, I confess, I lack the endurance to read them)
Technology evolves at an incremental rate, and let's face it, user-awareness may not be able to keep up with that --- awareness being that of IT Security risks brought about by availing of the technology for convenience.
@Beads stated that 'It's still much easier than it ever was 30 years ago.' That may be true to some extent. IT Security requires both the implementation of controls & their enforcement --- the latter largely dependent on end-user compliance. So the 'ease' might just be seen at the initial phase...
As @Chuxing said, 'Security is diametrically opposite to convenience.' Unless you can eliminate the 'human factor' in a system that's to be secured, you must accept the fact that its users may be the weakest link in the chain of IT Security...
Ha, you made me recall one instance! I received a fax saying beware of computers spreading viruses, via 3.5" floppies. This was before the old Macintosh had a modem and internet. At the time I thought it meant that computers could infect humans, and so the journey began...
@Shannon - My dream is that the next gen AI security can reduce, or even eliminate, the human factor, just like in the not-too-distant future(?) we can have 'happily-distracted' drivers doing their texting and whatever, while the cars are controlled by AI.
There is hope ...
Much easier by far. When I started doing pen testing years ago we joked about how much ink we went through poring through printouts versus today where I fire up a DAST and in a few minutes have a completed report detailing any number of both serious and informational vulnerabilities. At one time these reports took weeks to compile, now reduced to just a few minutes. I can give you dozens of answers like this from A/V to NBAD. These technologies are all game changing, force multipliers or we'd need dozens of people analyzing malware on a daily basis alone.
As for the human factor. Really depends on the audience or population. If your organization is filled with highly educated, well paid folks who have more to lose than most, those people tend to be a better risk in not clicking on everything sent to them. We do have AI filters, A/V, whitelists and other controls we hadn't even begun to dream up 30 years ago.
Simply no comparison.
@Beads: with all due respect, the human factor is extremely difficult to avoid, regardless of education, experience, or pay grade. I have seen a seasoned software engineer and DBA with over 30 years of experience fall for a social-engineering trick. I have also seen a highly regarded developer infect his antivirus application with a virus, thus rendering the system totally useless.
We do have more advanced, sometimes AI-like, firewalls, IPS/IDS, malware detectors, anomaly analyzers, zero-day monitors, etc, etc, you name it, but security is getting more complex by the day, not simpler! Plus, the stakes are getting higher, the solution is getting more complex and more expensive, the volume of critical data is increasing astronomically, all compared to 30 years ago.
Yes, many IT tasks like data transactions, system config and troubleshooting tasks, and others, are much simpler and faster now, but not security tasks. Any security engineer who says his job is simpler because of the advancement of technology had better get his resume ready, as his days in the current job are numbered...
Best of luck,