2009/11/07

The Four Myths of Cyber Security

by Richard Kirk, Fortify Software


Incidents and exploits crafted by an effective and growing menace are threatening the continuity of and confidence in the very core of our commercial and social infrastructure. In just 90 criminal investigations performed in 2008, where data compromise was confirmed, the Verizon Business RISK team (a leading computer forensics group) reported more than 285 million consumer credit records stolen. This number far exceeds the combined total confirmed for all its investigations from 2004 to 2007.
Organizations around the globe are failing to accept responsibility for their own security. Instead, they are blaming the inherent flaws and insecurity of the Internet and claiming ignorance in the erroneous belief that security is a global problem. Therefore, they say, everyone is to blame with no single company guilty. It’s time to dispel these myths:

Myth One: World Leaders Are Responsible For Making the Internet Safe
With cyber attacks threatening to bring down an entire country’s digital systems, or to hand foreign states access to them, it is clear that there is no magic wand now, nor one likely anytime soon, for anyone.

Internet fraud is costing billions of pounds a year. Even Whitehall computer systems are facing repeated assaults from abroad, so UK ministers may be deemed either genius, or just desperate, in their decision to hire hackers to protect state secrets. In addition, June saw Prime Minister Gordon Brown appoint the first national cyber security chief, a senior civil servant named Neil Thompson, to protect the country from terrorist computer hackers and electronic espionage. That appointment came amid fears that the computer systems of government and business are vulnerable to online attack from hostile countries and terrorist organizations. Another tactic is that of the Police Central E-Crime Unit, which has asked IT industry workers to volunteer in the fight against cyber crime.

Let’s face it, the primary role of the police is to protect us and keep our property safe. But if we decide to leave our doors and windows wide open, they’d be the first to point out we were inviting trouble.

The UK government doesn’t have the finances, resources or even the remit to make the entire Internet a safe place for everyone that uses it. It’s trying to do the best it can – so should you.

Myth Two: I’ve Got A Firewall, So I’m Safe
A firewall isn’t enough protection due to its very ethos – it provides a gateway for users to explore the outside world and, therefore, is the very doorway by which hackers gain entry. Systems are designed primarily to help users travel out through the firewall, often with little regard given to what may travel in the opposite direction. Hackers understand the typical code used and will exploit simple mistakes in programming and oversights in security efforts. Verizon’s 2009 Data Breach Investigation Report states that “only 17 percent of attacks were designated to be highly difficult.” The conclusion is that 83 percent were not difficult and were therefore avoidable.

In the more successful breaches, attackers will exploit a mistake committed by the victim, such as unauthorized access via default credentials (usually third-party remote access) and SQL injection (against Web applications). This is a phenomenon verified by Verizon, which established that 67 percent of the breaches it investigated in 2008 were “aided by significant errors.”
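As an added illustration, not from the original article, here is the SQL injection mistake named above: a login query built by string concatenation beside its parameterized fix, in Python against an in-memory SQLite table seeded with constructed sample rows. The point for Myth Two is that both versions are reached over the same ordinary web request a firewall must allow; only the code decides whether the input is treated as data.

```python
import sqlite3

# Constructed sample user rows for the demonstration; not real credentials.
_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def _connect():
    """Return an in-memory database seeded with the constructed user rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", _USERS)
    return conn


def login_vulnerable(username, password):
    """Build the query by concatenation.

    The caller's input becomes part of the SQL text, so a value containing
    a quote can close the string and alter the WHERE clause.
    """
    conn = _connect()
    sql = ("SELECT COUNT(*) FROM users WHERE name = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_hardened(username, password):
    """Same check with a parameterized query.

    The driver sends the values separately from the statement, so whatever
    they contain is compared as a literal and cannot change the query.
    """
    conn = _connect()
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


if __name__ == "__main__":
    # Legitimate credentials succeed in both versions.
    print(login_vulnerable("alice", "s3cret"), login_hardened("alice", "s3cret"))
    # A constructed password value that closes the string and appends a
    # tautology: accepted by the concatenated query, rejected by the
    # parameterized one.
    bad = "' OR '1'='1"
    print(login_vulnerable("alice", bad), login_hardened("alice", bad))
```

A static analyzer of the kind mentioned under Myth Four flags the first function because untrusted input flows into the query text; the second function is what it reports as clean.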

Myth Three: “A Hacker Wouldn’t Target Us – We Don’t Process Financial Transactions.”
Why spend money on research and development if you can steal the product from someone else? Intellectual property theft is an "invisible" type of business theft, meaning it often isn't thought about and can go unnoticed, but it costs organizations billions. Unlike credit card data that can clearly be identified as stolen when fraudulent charges are later incurred, the impact of a company losing proprietary designs, business plans, inventory strategies and so forth may never be visibly traced to a single event. In a survey of 800 chief information officers in Japan, China, India, Brazil, Britain, Dubai, Germany and the United States, the companies surveyed estimated they lost a combined £2.9 billion (US$4.7 billion) worth of intellectual property last year alone, and spent approximately £375 million (US$612 million) repairing damage from data breaches.

Myth Four: “It’s Too Difficult to Secure My Systems.”
Programmers have a responsibility to test and score the security of their software. By employing secure coding practices earlier in the software development life cycle, errors can be avoided. There are online services available that allow you to upload in-house, vendor, open source and outsourced software to have the code tested. An automated turnkey solution will provide both source- and binary-level static analysis for accurate detection of security vulnerabilities, returning accurate and complete findings, with vulnerabilities prioritized based on severity and exploitability. It also empowers in-house and third-party developers to actively manage application security on their own terms, extending limited security resources and reducing the total cost of security by replacing more expensive assessment services.

If you are in business today, you have risks — it’s that simple. You have something to lose. If you don’t, well, then don’t worry, because you won’t be in business much longer. Your software is probably one of the single largest exposures to risk that your business faces today. At the same time, if it is designed and built correctly, your software could end up being one of your most effective countermeasures against most of the common attacks employed by hackers today. Don’t be afraid – you can take control of your own security. The time is now.