You might remember the scene in Moneyball in which A’s GM Billy Beane confronted a group of old-fashioned baseball scouts who would stubbornly evaluate players based solely on the “eye test,” rather than actually number-crunching their statistical data.
Nowadays, ball clubs regularly leverage sabermetric data and use their own in-house systems to predict prospects’ success, formulate winning line-ups and track opponents’ tendencies. On the flip side, this also opens them up to hacking and sabotage, as the Houston Astros learned the hard way when former St. Louis Cardinals executive Chris Correa infiltrated and spied on the team’s “Ground Control” email and scouting database system.
The trade-off is no different in any other line of business: To remain competitive, companies must innovate, mining key data and developing their own proprietary technology systems. And yet, as a side effect, these innovations also create new cyberattack vectors.
“The rapid advancements in exploit development have created new challenges for companies that write their own proprietary software, as the developers need to be consistently aware of emerging attack methods as well as be familiar with traditional exploit methodologies in order to develop a secure application,” said Alex Heid, chief research officer at SecurityScorecard – a cybersecurity rating and monitoring platform. “In the past, the only applications that required intense security controls were those that were required to by regulatory mandate.”
To put it another way, “When your core competency has been designing shoes, how does one make software development and data management a first-class citizen in the corporate ranks?” asked Bob Rudis, chief data scientist at vulnerability management firm Rapid7. “And, how do you ensure this data stays private and out of the hands of thieves and competitors?”
There’s no easy answer, Rudis acknowledged, as these traditional companies must now compete with pure-play tech companies to recruit competent developers who can securely build, manage and maintain new software, often in environments rife with clunky legacy systems.
“Managing developers, the app life-cycle, technology that supports application development, security vulnerabilities, etc., is extremely hard,” said Rudis. “Even dedicated shops who only make and sell software think those practices are hard, so imagine the difficulties encountered by orgs where technology is now not only a core part of the business, but also part of a larger whole.”
No Industry is Immune
The fact is, when every company is a software company, any organization can become a victim – especially when it doesn’t have a strong background in software development, IT security and data stewardship.
Specifically, organizations’ systems can suffer from exploitable application code, as well as weak or non-existent authentication controls, warned Heid. Moreover, “Older companies have the additional risk of having large amounts of legacy software as well, which leaves them open to older attack vectors,” he added.
Safeguarding your software from attack becomes even more critical when this software is found in products used by the public at large. Automobile manufacturers are now confronted with this very issue as vehicles have essentially turned into large mobile computers.
“There are many software touchpoints for automobiles, including internal firmware, the ‘smart console’ in mid-to-high-end cars, and the interface between a driver’s mobile device and his or her car,” said Rudis. “Manufacturers are accustomed to managing assembly lines, physical parts inventory and hardware-oriented repair supply chains. Now, they must contend with source-code repositories, software glitches (vs plain-old hardware failures), software updates (if they even provide them), rapidly changing third-party technology interfaces and, yes, hackers.”
Even electric car charging stations pose a risk, as some of these Internet-connected stations can be accessed without password authentication. “Anyone who accesses the web application has the ability to lock/unlock cars, as well as seemingly upload/download configurations to the vehicle,” Heid explained. “The lack of password authentication is a startling, consistent trend that has been observed throughout 2016 and 2017 regarding the deployments of new technologies such as IoT devices, as observed with the proliferation of Mirai botnet…”
Indeed, IoT has created a bevy of new Internet-connected devices that can potentially be targeted for hacking. Citing fitness bands and smart clothing as prime examples, Rudis said that the companies developing these products are “no longer classified as clothing manufacturers, but more as technology companies that must contend with device firmware updates, mobile app updates, back-end app infrastructure and massive data stores of extremely sensitive personal health information.”
And it doesn’t stop with personal fitness. Indeed, almost anything can be an IoT device. Chris Wysopal, co-founder and CTO at application security company Veracode, specifically referenced Internet-connected tractors from John Deere that can monitor crops using sensors, diagnose their own maintenance issues, and order parts and labor by themselves.
“In just a few years John Deere has become an IoT and a big data company that needs to hire and maintain an innovative software organization,” said Wysopal. “They also have to secure all that new software.”
But it’s not just consumer touchpoints that must be shored up. For instance, industrial plants – including those run by manufacturers to assemble their products or operated by food companies to process and package their goods – are facing an array of new security challenges due to the advent of robotics and automation.
“Enabling technologies have given industry robots tremendous computing and sensing power, giving them almost human-like cognitive powers with greater precision and accuracy on a production line,” said Mark Kuhr, co-founder and CTO of pen testing and bug bounty firm Synack. But “imagine what would happen if a facility’s systems were hacked and production was stopped. Any downtime would put a strain on the entire supply chain.”
“Industrial robots and systems are only as secure as we build them to be,” Kuhr continued. “Networks for command and control of robots need to be isolated and air-gapped from the rest of the corporate network. Operators need to verify that update paths to the robot, including the supply chain, are secure in order to defend against malware or remote command injections.”
Also on the B2B/supply chain front, delivery and shipping services have been adding proprietary tracking and logistics software to their business portfolios. Such businesses are equipping their drivers with devices to track their movements, and installing systems on vehicles that can monitor oil levels and other maintenance conditions.
This creates a huge IT management responsibility: “They must maintain devices – including hopefully patching and updating them – ensure the accuracy of the data they collect, and ensure the security and privacy of it, even if it’s just their own drivers’ data,” Rudis explained. And “If they are using a cloud service, they likely have no idea how to set up secure logins and ensure the security and privacy of the data they are entrusting the service with. Yet, it likely has become an integral part of their bottom-line profitability.”
New Technologies Require a New Attitude
With bad actors and bots constantly sniffing for access points and exploitable vulnerabilities, a company’s ambitions to introduce cutting-edge new software technologies must be commensurate with an effort to institute more secure software development lifecycles and data management policies.
“The investment must start from a data architecture perspective – meaning, where is the data being held, what applications need to talk to it, and who has access to it?” said Chris Schueler, senior vice president of managed security services at Trustwave. “The application developers then can develop to this data architecture and… they can ensure that control and inspection points are created, as well as application testing and code reviews are properly conducted during their software development lifecycles.”
As they embrace new apps and technologies, traditional companies may choose to slowly refine their software development process, while others may opt for a dramatic overhaul – embracing DevOps methodologies and cloud- and mobile-based solutions, said Wysopal.
Regardless, these “enterprises are… dealing with scale and complexity that a start-up company doesn’t have,” said Wysopal, “so there is a need for enterprise class application development lifecycle management tools and enterprise class application performance management tools, and of course enterprise class application security testing.”
At the same time, Wysopal continued, these companies will have difficult decisions to make, such as how to balance development speed with security. “A good example is the willingness to allow a vulnerability to escape into production to enable speed and not slow down a DevOps methodology, and to use the ability to quickly patch vulnerabilities as a mitigating control,” he explained.
Another key question is when a company is better off outsourcing a key service or product to a more experienced third party, instead of relying on the internal development team. “If you can, use a reputable cloud service/app instead of building your own,” Rudis recommended. However, “If you do build your own apps, establish clear and effective software development practices from the start to avoid retrofitting broken, haphazard processes.”
“Either way, understand the complete supply chain just as you would the part suppliers in a physical supply chain. Even if you bought software and lightly customized it before hosting it on your own servers, it could be riddled with bugs,” continued Rudis, who also recommended strong access controls (including multi-factor authentication), segregation of systems and applications, reliable data back-ups and system redundancies, a system for accepting vulnerability disclosures and bug bounty reports, and a sound consumer notification procedure for when a security issue does arise.