Is the age of insecurity upon us?
The Comodo Group Inc. has come forward with the admission that bogus digital certificates were generated by an unknown person via unauthorized access to its system. This case has sparked widespread interest, given that many of these domains are widely recognizable, belonging to organizations such as Google (NASDAQ: GOOG), Yahoo and Microsoft (NASDAQ: MSFT). Implying that the well-executed hack was initiated by Iran, Comodo asserted that the attack was traced to an ISP in Iran, and that the targeted domains "would be of greatest use to a government attempting surveillance of Internet use by dissident groups."
While the nine digital certificates have since been revoked, this development comes on the heels of last week's network compromise at security vendor RSA. Drawing heavy criticism from various quarters, the company would only confirm "certain information being extracted from RSA's system," while refusing to state whether its highly vaunted SecurID system is still fundamentally secure.
Two-factor authentication such as SecurID and the digital certificates that SSL relies on are important security technologies that businesses and governments alike have grown to depend on. So are things really as bad as they sound? And is the age of insecurity upon us? Let's take a step back and examine the state of security today.
The state of security today
Having done a series of interviews with enterprise WLAN solution vendors such as Ruckus Wireless and Fortinet, I was made aware of the security afforded by WPA2 encryption, which is implemented by all new Wi-Fi access points. In addition, the widespread implementation of switched networks and Layer 3 controls makes it harder than ever to pull off spoofing or sniffing attempts on wired networks. Moreover, IPS and IDS appliances and firewalls also play a part in ensuring that suspicious network activities are detected earlier than ever.
The situation has improved tremendously on the operating system front too. Most operating systems (and software) today employ an update mechanism for automatic patching. Full disk encryption can also be found on selected editions of the Windows operating system, while a proliferation of free or cheaply available file-level encryption utilities exists for the security-conscious.
And in the event of a limited break-in, advanced security capabilities such as Address Space Layout Randomization (ASLR) built into modern operating systems have no other purpose than to stymie a hacker attempting to launch a variety of memory-based attacks; salting techniques, on the other hand, have proven effective in protecting stored passwords against cracking via pre-computed hash chains or rainbow tables.
Security is a journey, not a destination
It is clear from the very limited snapshot above that the IT industry has birthed a large number of advanced techniques on the security front, and that there are many tools out there to help businesses stay secure. Yet the truth of the matter is that hackers are probably even now working on ways to break WPA and WPA2, or to identify weaknesses in the implementation of ASLR or BitLocker full disk encryption. Alternatively, they could be devising ways to circumvent or weaken existing defenses such as digital certificates or SecurID, or perhaps trying their hand at social engineering using information published on social networks.
Instead of being frozen into inaction over the possibility of a security breach, perhaps what is needed is a shift in mindset. IT managers need to shift their focus from deploying the latest appliance or software to constantly refining and improving existing security measures. After all, security is a journey, not a destination. With this in mind, multiple layers of defenses can be built, with an adequate level of monitoring and logging to establish the source of any breaches.
With an appropriate budget and dedication to staying abreast of security developments, the good guys are actually two steps ahead. Do you agree or disagree? - Paul (Twitter @paulmah)



