Richard Kirk, Fortify Software: The Four Myths of Cyber Security
October 2009 by Richard Kirk, UK Director of Fortify Software
Governments and corporations around the globe are facing a crisis in the form of cyber security threats. Incidents and exploits crafted by an effective and growing menace are threatening the continuity of, and confidence in, the very core of our commercial and social infrastructure. In just 90 criminal investigations performed in 2008, where data compromise was confirmed, the Verizon Business RISK team (a leading computer forensics group) reported more than 285 million consumer credit records stolen. This number far exceeds the combined total confirmed for all their investigations from 2004 to 2007.
Organisations around the globe are failing to accept responsibility for their own security, instead blaming the inherent flaws and insecurity of the internet and claiming ignorance in the erroneous belief that security is a global problem and therefore everyone is to blame with no single company guilty. It’s time to dispel these myths:
Myth One: World Leaders Are Responsible For Making The Internet Safe
Wrong. With cyber attacks threatening to bring down an entire country’s digital systems by letting foreign states into them, it is clear that there is no magic wand now, nor is one likely to appear any time soon, for anyone.
Internet fraud is costing billions of pounds a year, and even Whitehall computer systems are facing repeated assaults from abroad, so UK ministers may be deemed either geniuses, or just desperate, in their decision to hire hackers to protect state secrets. In addition, June saw Gordon Brown appoint the first national cyber security chief, a senior civil servant called Neil Thompson, to protect the country from terrorist computer hackers and electronic espionage amid fears that the computer systems of government and business are vulnerable to online attack from hostile countries and terrorist organisations. Another tactic is that of the Police Central E-Crime Unit (PCeU), which has asked IT industry workers to volunteer in the fight against cybercrime.
Let’s face it, the primary role of the police is to protect us and keep our property safe, but if we decide to leave our doors and windows wide open they’d be the first to point out that we were inviting trouble.
The UK government doesn’t have the finances, resources or even the remit to make the entire internet a safe place for everyone that utilises it. It’s trying to do the best it can – so should you.
Myth Two: I’ve Got A Firewall So I’m Safe
Wrong. A firewall isn’t enough protection because of its very ethos: it provides a gateway for users to explore the outside world and is therefore the very doorway through which hackers gain entry. Systems are designed primarily to let users travel out through the firewall, often with little regard for what may travel in the opposite direction. Hackers understand the typical code in use and will exploit simple programming mistakes and oversights in security efforts. Verizon’s 2009 Data Breach Investigations Report states that “only 17 percent of attacks were designated to be highly difficult”, so the conclusion is that 83 percent were not difficult and were therefore avoidable.
In the more successful breaches, attackers exploit a mistake committed by the victim, such as unauthorised access via default credentials (usually on third-party remote access) or SQL injection (against web applications). Verizon confirmed this pattern, establishing that 67% of the breaches it investigated in 2008 were “aided by significant errors”.
Myth Three: “A hacker wouldn’t target us - we don’t process financial transactions.”
Wrong. Why spend money on research and development if you can steal the product from someone else? Intellectual property theft is an "invisible" type of business theft, meaning it often isn’t thought about and can go unnoticed but costs organisations billions. Unlike credit card data that can clearly be identified as stolen when fraudulent charges are later incurred, the impact of a company losing proprietary designs, business plans, inventory strategies and so forth, may never be visibly traced to a single event. In a survey of 800 chief information officers in Japan, China, India, Brazil, Britain, Dubai, Germany and the United States, the companies surveyed estimated they lost a combined £2.9 billion worth of intellectual property last year alone, and spent approximately £375 million repairing damage from data breaches.
Myth Four: “It’s too difficult to secure my systems”
Wrong. Programmers have a responsibility to test and score the security of their software, and by employing secure coding practices earlier in the software development life cycle many vulnerabilities can be avoided altogether. There are online services available that allow you to upload in-house, vendor, open-source and outsourced software to have the code tested. An automated turnkey solution provides both source-level and binary-level static analysis for accurate detection of security vulnerabilities, returning accurate and complete findings with vulnerabilities prioritised by severity and exploitability. It also empowers in-house and third-party developers to actively manage application security on their own terms, extends limited security resources, and reduces the total cost of security by replacing more expensive assessment services.
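Myth Two names SQL injection as one of the “significant errors” behind breaches, and Myth Four says that secure coding practices and static analysis catch such errors before release. The following example, added here and not taken from the article or from any Fortify product, shows what that mistake looks like in code and what the fix is. It uses Python’s standard sqlite3 module with a constructed in-memory user table; the function and table names are the example’s own assumptions. `login_vulnerable` builds the query by string concatenation (the pattern a static analyser flags as SQL injection), while `login_safe` passes user input as bound parameters so it is never parsed as SQL.

```python
import sqlite3

# Constructed sample data for the example (not from the article).
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Create an in-memory database holding the constructed user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, name, password):
    """Flawed version: user input is spliced straight into the SQL text.

    Any quote character in `name` or `password` changes the structure of
    the statement, so attacker-controlled data becomes SQL. This is the
    coding error a source-level static analyser reports as SQL injection.
    """
    query = ("SELECT name FROM users WHERE name = '" + name
             + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, name, password):
    """Hardened version: a parameterised query.

    The SQL text is fixed; `name` and `password` are sent to the engine as
    data values, so they can never alter the WHERE clause.
    """
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (name, password))]


def apostrophe_breaks_query(conn):
    """Return True if a legitimate name containing an apostrophe crashes the
    vulnerable lookup. A syntax error here is the tell-tale sign that user
    data is reaching the SQL parser."""
    try:
        login_vulnerable(conn, "o'brien", "pw")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("safe, valid credentials:", login_safe(db, "alice", "s3cret"))
    print("apostrophe breaks vulnerable query:", apostrophe_breaks_query(db))
    # The classic tautology shows why concatenation is dangerous: the
    # vulnerable lookup returns every user, the safe one returns nobody.
    print("vulnerable, tautology:", login_vulnerable(db, "alice", "' OR '1'='1"))
    print("safe, tautology:", login_safe(db, "alice", "' OR '1'='1"))
```

The detection signal a code reviewer or static analyser looks for is exactly the pattern in `login_vulnerable`: SQL text assembled from untrusted strings. The remedy costs nothing at run time and removes the whole class of bug rather than filtering individual bad inputs.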
If you are in business today, you have risks—it’s that simple. You have something to lose. If you don’t, well then don’t worry because you won’t be in business for much longer. Your software is probably one of the single largest exposures to risk that your business faces today. At the same time, if it is designed and built correctly, your software could end up being one of your most effective countermeasures against most of the common attacks employed by hackers today. Don’t be afraid – you can take control of your own security. The time is now.