There has been a rash of very public hacks against some very large organizations over the last few weeks. They have resulted in gigabytes of data being stolen.
The stolen data include millions of customer records, login credentials and passwords, credit card numbers, virtual money etc. These hacks have brought down popular websites, some for several weeks while the owners tried to remove vulnerabilities. Every one of these hacks has raised questions on the effectiveness of the security put in place by these organizations.
How is it that in this age, when we have security products that are so sophisticated, we are being clobbered by waves of successful attacks? The answer seems to lie in the fact that we seem to be relying too much on technology. With things being connected in ways that people did not even dream about 10 years ago, the number of people that are connected to and have access to data stores (or databases) has grown exponentially.
But not all these people are aware of all the security implications of their access. Security education has lagged, probably due to the sheer speed with which new people are being added to the internet, while attack vectors have multiplied.
Security departments are constantly stretched. They have new firewalls to support, new users to manage, new appliances to troubleshoot on their networks that they do not seem to be doing a good job doing what they are supposed to be doing. Properly securing their networks.
While previously, organizations were firewalled islands with a few apps exposed to the internet, there are companies now that provide all sorts of services over the web. Over the last 2-3 years, there has been an explosion in the number of web apps that do all sorts of things, from managing your finances to letting you know when to buy milk. The dramatic increase in the number of apps has resulted in a lot of people taking up programming and building apps.
The problem is that many of these developers are not following security best practices for application development. In my job as a security consultant, I run across so many organizations where the primary concern is to bring their app to market. As long as the app does what it is supposed to do, they are satisfied. They do not bother to think what would happen if someone manipulated their application to do what it was not supposed to do.
Some of the biggest attacks have turned out to be application hacks, such as SQL Injection or social engineering attacks using phishing, which have been around for a long time. Sony, for instance, has been particularly vulnerable to SQL Injection attacks. The RSA attack on the other hand was a spear phishing attack. An interesting fact is that the data stolen during the RSA attack was used to launch an attack on Lockheed Martin. The perpetrators were clearly looking for defense secrets.
This brings another factor into play. Nation states targeting organizations. While these are only allegations, we do have the Google email hack, the Tibetan government-in-exile’s computer hacks, Stuxtnet worm, etc as precedents. What is a is a security engineer to do when going up against highly trained teams of hackers? Well, they cannot go against all these threats alone. Organizations have to face these challenges as a single unit rather than just leave it to the security engineers.
Some of the things that can be done to prevent these hacks:
- Every employee in the organization has to realize that they can be the entry point for hackers into the organizations and be aware of their actions.
- Follow industry standard best practices for app development, network configuration, system configuration, etc. Most of them have gone through multiple iterations over the years and contain some very good advice.
- Be pro-active and make sure that their developers and engineers are trained to identify and respond appropriately to security incidents. Write bug-free (at least less buggy) code, make sure that systems do not leak information that can be use din further attacks.
- Policies, procedures and processes play an important part in preventing security incidents and should be kept up-to-date. Standards such as PCI DSS require this, but they are, in a lot of cases, done to get compliance rather than to keep the organization secure.
The bottom-line is that you cannot secure an organization in a day or two. There is also no silver bullet that will suddenly make everything secure. A culture that incorporates security into everything must be developed. And that takes time. It also requires the management to come up with strategies to imbue security into every employee.