I'd say no, it isn't harder in the aggregate. There are a few forces at play that I think lead to this.

First of all, you can now buy pretty good hacking tools in a can (CANVAS, Core Impact) that come complete with non-public exploits. If you don't have the money, Metasploit is pretty good as well. This drastically reduces the need to know the details of a particular exploit, and reduces the amount of toolsmithing required to pull off a penetration. Also, the reality is that exploits are now a business - they're for sale, for better or for worse, on the open market. If there's one thing our Pwn2Own competition at CanSecWest proved, it's that for a sufficient amount of money someone will find you a hole in anything. If you have money, even if you're not that knowledgeable, being a blackhat isn't that hard.

Second, there is more stuff to exploit now than there has ever been before, both on and off the net (I'm looking at you, SCADA). At least some of that stuff will be low-hanging fruit built by programmers who either did not understand how to build secure systems, or didn't expect that those systems would be reachable in the way they are now. As the internet expands, and stuff keeps getting more smarts added to it, I think there is probably a trend in which new insecure stuff is being built faster than the old stuff is being secured (not that I can prove that). Things that previously weren't considered to be security critical now are (XSS is still barely considered a "real" exploit).

Third, information about exploits, how to write exploits, and how to find vulnerabilities is now massively more available, both because of the change in philosophy around full disclosure, and because we now have more than a decade (two maybe?) of open research into the field. Bugtraq can be argued to have revolutionized security research because it opened up what was previously secret to the eyes of interested amateurs and academics. Today there is a community of security researchers who openly publish information that previously was only the domain of governments and the occasional large defence contractor. I think probably the public community is better at it too.

Balanced against this is all the research and technology on the defensive side (also helped by full disclosure), the forced public shaming to fix-their-broken-shit of various vendors (full disclosure again), and generally better knowledge of security best practices (anyone want to guess what I attribute this to?).

All of which is to say that the things that worked 20 years ago are harder today than they were 20 years ago (social engineering sadly seems to be just as easy, and if anything more prevalent now), but it hardly seems to matter since lots more is easy now.