No long ago, a senior executive from one of corporate America's large bellwether stocks received a telephone call from law enforcement, explaining that the company had a major software vulnerability in its corporate web site. The agent described the vulnerability and its location in great detail and requested that it be fixed immediately. But he refused to disclose how he knew.
At the executive's request, the organization's chief information security officer (CISO) investigated the matter, confirmed the flaw and fixed it. Through forensics, the CISO discovered that a foreign government had penetrated the organisation's applications infrastructure and was in a position to bring it down whenever the time was deemed right.
Cybersecurity is no longer just the job of IT. As the true story above highlights, cybercrime today is a silent, invisible battlefield. The anonymity and universal access of cyberspace makes cybercrime attractive and easy. If customers, partners and employees can access sensitive systems from anywhere in the world, then the same pathway to the core infrastructure and priceless data exists for hackers as well.
Defending against cybercrime is costing billions of dollars. According to Gartner, organizations worldwide spent $288 billion on information security products in 2007. U.S. companies alone spent $79 billion in 2007. The U.S. government is allocating $7.9 billion in 2009 for cybersecurity, which is $103 out of every $1,000 requested for IT spending —up 75 percent from 2004.
But is all this investment making an impact? Consider:
* The Web Application Security Consortium project analysed 31,373 web applications and discovered that they contained 148,000 vulnerabilities.
* Between 2001 and 2007, 180 million credit card records were stolen.
* The Washington Post reported that by August 2008, the number of successful data breaches had surpassed all breaches from 2007.
What's not working? Businesses build applications to store, process and transact money and data for the sake of efficiency — but they often failed to properly defend these applications. As business modernized, software security didn't. And hackers have sniffed out the weaknesses. Traditional defensive measures — including firewalls and anti-virus — don't protect against data breaches.
Application security: A new business imperative
The days of hacking for fun are over. The new face of cybercrime has evolved in two ways:
* First, foreign governments are also after intellectual property, particularly in the military domain, and the internet is their portal into the applications and databases that hold these secrets.
Countries such as China, for example, have now become proficient in the art of cyberwarfare and cyberespionage after setting up specific hacking centers to this end. North Korea, on the other hand, has invested in a hacking school, from which about 100 hackers graduate each year, while Russia fetes its cyber-savvy practitioners as national heroes. The rationale is, why invest vast sums in conventional weapons or risk international scandal should spies be discovered, when such operations can be conducted quietly online these days?
* Second, the amount of money that can be made from online fraud and theft with relatively little risk (compared to operations in the physical world) inevitably makes such undertakings attractive. This means that both individuals on the make and organized crime are now becoming involved.
A very sophisticated industry is also developing around the pursuit. Consider how the opponent has mobilized:
* In recent years, a growing number of hacker matchmaking sites have sprung up. These act in a similar fashion to a brokerage firm and bring people with a range of different skills together to target organizations more effectively.
* There are also various web sites that publish software vulnerabilities and make the hackers' job all the easier.
* Hackers develop and sell automated hacking tools.
Business software assurance
What has allowed this evolution? Applications are only as good as the software developers who wrote them. And most of those developers are not responsible for security.
So what can organisations do to protect themselves from the hacking threat more effectively?
The first thing is to adopt a Business Software Assurance approach for information security. BSA offers a good foundation to understand what threats and vulnerabilities could impact the business and what the likelihood is of problems occurring.
BSA involves introducing a formal methodology to help determine what the real risks are. This enables businesses to focus on their true needs by formally documenting processes to ensure that issues do not end up falling through the cracks.
As part of the BSA process, it's crucial to gain an understanding of just how exposed the organization's systems are. The aim is to remove any flaws from the code to make it impenetrable to attack. More importantly, it is about adopting an inside-out strategy that tackles root causes as opposed to simply employing outside-in tactics that involve putting a protective wall around the problem.
As the world has moved online, it has brought all of its vices with it. An entire economy has sprung up online to support and feed a cycle of fraud and theft that leeches untold strategic and monetary value from supposedly safe data warehouses, and costs further billions to defend against with limited effect. The only path out of this reckless cycle is a strategy that focuses not only on the criminals that are after your data, but the vulnerabilities in your software infrastructure that they turn against you.