I'm still surprised by all the old computer security recommendations that so-called experts are pushing out to the masses. For example, a quarterly guidance document from a major security vendor contained the following two statements: "Don't open up file attachments from unknown people" and "Don't run unexpected executable software from Web sites you don't trust."
That's great advice -- from 10 or 15 years ago. I'm surprised the document didn't include a warning about accidentally booting from floppy disks in A: drive.
That's part of what is wrong with the computer security industry. When the bad guys change their tactics, most of the computer security industry needs a year or two to catch up. It took us years to teach people not to say yes to the macro warning when opening up attached documents. It took us five years to tell people to stop just blindly clicking on e-mail links proclaiming love (a la the ILoveYou worm).
To this day I don't understand why it took years for the major players in the very entrenched, installed-everywhere, filthy-rich anti-virus industry to start blocking spam and phishing attacks with regular success. Cross-site-scripting (XSS) attacks started happening with regularity in the 1990s. It was only in the past two years that the major browsers came with serious XSS defenses built right in to the browser. Some anti-virus companies still don't do a good job of screening IM traffic for malicious downloads.
By the time the anti-malware defenses finally get around to addressing last year's threat in a significant way, the bad guys are onto the next big malicious thing. It's a never-ending, losing battle.
But I don't just want to rant at commercial anti-malware companies. First, some of them are doing a great job at responding to the new threats, and in general, the whole industry is responding faster than they did in the past. They have to! Today there are probably 50 companies that offer complete anti-malware protection (firewall, anti-virus, anti-Trojan, anti-phishing, anti-spam, and so on).
I'm just as surprised by the poor computer security education offered to end-users at most companies. Most end-user education handouts were made 10-plus years ago and don't seem to have been updated much since then.