Matthew Butler (Entelect Software: General Manager)
Have we not learned to detect, protect and mitigate against these types of intrusions? If so, as a customer without technical know-how, how do you trust a software vendor to provide secure and trustworthy systems?
Entelect Software takes a look at a few angles on this topic:
With a rough estimate of the total number of active websites online as of March 2015 sitting at 1.2 billion, and the explosive growth seen over the past 5 years, the reason we see so much bad press is surely partly due to the sheer volume of public-facing web presences being deployed into the wild.
Ultimately, the more websites we have, the more exposure there is, and the more news there will be of one organisation or another falling victim to a web security incident. The vast amount of information reachable via the internet also makes it an attractive target: with almost all developed-world banks offering online services, and with so much social and personal information online, it's hard not to stumble upon something valuable to somebody.
A second side to this debate, and often the one which frustrates consumers and organisations when they are the victim, is the question: why was I targeted?
Access or theft
In general, we think of security when we have something to protect - our cars, homes, possessions and, in the case of web applications, data. If your web system stores or processes data of value, such as payments, personal information, passwords or anything remotely confidential, then it needs to be protected. This information has value to somebody, so there is a clear motive here.
It's forgivable to think that your systems are safe because nothing stored within them is of value to anybody else, or because the data is all publicly available anyway. Unfortunately, two further motives take advantage of exactly this thinking: vandalism and infrastructure.
Vandalism of websites is an unfortunate reality, where the motive is purely one of challenge, fun or an attempt to embarrass or expose the victim. Vandalism can range from inconvenience and petty meddling to full-scale sabotage and ransom (seen in political and corporate breaches recently).
Infrastructure is a more interesting motive. In today’s highly connected networks, there are often many more uses for server hardware than the systems or data hosted within. The most prominent one (when the data isn’t the actual target) is to stage and execute more malicious attacks on other targeted victims. Using ‘botnets’, large numbers of compromised and synchronised servers or computers online, large scale attacks such as are possible
This paints quite a grisly picture, but there are answers to be found. The truth is that, like many things in the Information Technology industry, there is a cost/benefit ratio to be weighed when choosing an approach to protection.
Ultimately there's nothing to be done about the volume of websites or the growth of the industry, so the statistics cannot be curbed that way. Looking at each motive in turn, however, we can start to position the various possible protections.
The good news is that on one side of the spectrum lies a mix of motive and risk that we can be proactive about. A staggering proportion of web-based security breaches are perpetrated via automated tools or bots that constantly scan the web for vulnerabilities to exploit, and at any point in time these amount to only a handful of risks.
Knowledge of these vulnerabilities equips a development team with the critical eye required to identify risks early and close those gaps long before the system reaches production. Since these vulnerabilities change fairly frequently, along with new technologies and tools, once-off training courses or seminars rarely have a lasting effect. It makes more sense to us to bake this awareness into day-to-day development processes.
As a software development company, Entelect takes an integrated and active approach to security: we believe that awareness and visibility of these vulnerabilities throughout development, and especially at the start, is the most effective way to build secure systems. Building security into a web application after it is finished is, in our experience, vastly more difficult, more costly and less effective than including it from the ground up.
A key resource we recommend to this end is the OWASP project. Found at https://www.owasp.org, this organisation is a non-profit with a mission "to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks." Their yearly 'top-ten' projects, in particular, identify the most prevalent security flaws; most of these are very easy to close, and at the very least the list provides the knowledge needed not to remain ignorant of the risks.
The other side of motive is the scarier one, and the one that most frequently makes the headlines: deliberate breach for the theft of data. At the high end of the scale are the banks and financial institutions, which are obvious targets for fraud and criminal activity.
The bad news is that highly organised and targeted attacks are often extremely difficult (read: costly) to detect or prevent. In this situation, if the organisational objective is to feel completely covered from any and all vulnerabilities, the capital and ongoing costs can quickly escalate. These costs are for specialised hardware, regular penetration testing and security audits, software development, and ongoing expert consulting.
In conclusion, it is clear to us that security as part of software development is so important. Luckily, it's also quite straightforward to achieve thorough coverage. With only a relative minority of systems being deliberately and maliciously attacked, the remainder need to take more care with learning about, evaluating and mitigating web vulnerabilities based on their chosen technologies. Awareness is critical, notably awareness of the current generation of vulnerabilities that are being easily exploited through automated attacks. Secondly, remedial action applied early and often during development, to evaluate and close vulnerabilities through technology or features, will go a long way towards taking your systems off a malicious user's radar.