SecurityOracle.com - Latest Security News, Hacking The Corporate Cover-Up
Thursday, May 17, 2012

News Story

Hacking The Corporate Cover-Up


Date: Friday, October 24, 2008
Source: Rob Rachwald

Not long ago, a senior executive from one of corporate America's large bellwether stocks received a telephone call from law enforcement, explaining that the company had a major software vulnerability in its corporate web site. The agent described the vulnerability and its location in great detail and requested that it be fixed immediately. But he refused to disclose how he knew.

At the executive's request, the organisation's chief information security officer (CISO) investigated the matter, confirmed the flaw and fixed it. Through forensics, the CISO discovered that a foreign government had penetrated the organisation's applications infrastructure and was in a position to bring it down whenever the time was deemed right.

Cyber security is no longer just the job of IT.  As the true story above highlights, cyber crime today is a silent, invisible battlefield.  The anonymity and universal access of cyberspace makes cyber crime attractive and easy.  If customers, partners and employees can access sensitive systems from anywhere in the world, then the same pathway to the core infrastructure and priceless data exists for hackers as well.

Defending against cyber crime is costing billions of dollars. According to Gartner, organisations worldwide spent $288 billion on information security products in 2007. The US Government is allocating $7.9 billion in 2009 for cyber security, which is $103 out of every $1,000 requested for IT spending, up 75% from 2004. US companies spent $79 billion in 2007.

But is all this investment making an impact?  Consider:
The Web Application Security Consortium project analysed 31,373 web applications and discovered that they contained 148,000 vulnerabilities.
Between 2001 and 2007, 180 million credit card records were stolen.
The Washington Post reported that by August 2008, the number of successful data breaches had surpassed all breaches from 2007.

What's not working? Businesses build applications to store, process and transact money and data for the sake of efficiency, but they often fail to properly defend these applications. As business modernised, software security didn't. And hackers have sniffed out the weaknesses. Traditional cyber defence measures, including firewalls and anti-virus, don't protect against data breaches.

Application Security:  A New Business Imperative
The days of hacking for fun are over.  The new face of cyber crime has evolved in two ways:
First, foreign governments are after intellectual property, particularly in the military domain, and the internet is their portal into the applications and databases that hold these secrets.

Countries such as China, for example, have now become proficient in the art of cyber warfare and cyber espionage after setting up specific hacking centres to this end. North Korea, on the other hand, has invested in a hacking school, from which about 100 hackers graduate each year, while Russia fetes its cyber-savvy practitioners as national heroes. The rationale is, why invest vast sums in conventional weapons or risk international scandal if spies are discovered, when such operations can be conducted quietly online these days?

Second, the amount of money that can be made from online fraud and theft at relatively little risk compared to operations in the physical world inevitably makes such undertakings attractive. This means that both individuals on the make and organised crime are now becoming involved.

And a very sophisticated industry is also developing around the pursuit. Consider how the opponent has mobilized:
In recent years, a growing number of hacker match-making sites have sprung up. These act in a similar fashion to a brokerage firm and bring people with a range of different skills together to target organisations more effectively.
There are also various web sites that publish software vulnerabilities and make the hacker's job all the easier.
Hackers develop and sell automated hacking tools.

Business Software Assurance

The Achilles heel that has allowed this evolution is that applications are only as good as the software developers that wrote them.  And most of those developers are not responsible for security.

So what can organisations do to protect themselves from the hacking threat more effectively?

The first thing is to adopt a Business Software Assurance approach for information security. BSA offers a good foundation to understand what threats and vulnerabilities could impact the business and what the likelihood is of problems occurring.

BSA involves introducing a formal methodology to help to determine what the real risks are. This enables businesses to focus on their true needs by formally documenting processes in order to ensure that issues do not end up falling through the cracks. 

As part of the BSA process, it is crucial to gain an understanding of just how exposed the organisation's systems are. The aim is to remove any flaws from the code in order to make it impenetrable to attack. More importantly, it is about adopting an inside-out strategy that tackles root causes, as opposed to simply employing outside-in tactics that involve putting a protective wall around the problem.

As the world has moved online, it has brought all of its vices with it. An entire economy has sprung up online to support and feed a cycle of fraud and theft that leeches untold strategic and monetary value from supposedly safe data warehouses, and costs further billions to defend against with limited effect. The only path out of this reckless cycle is a strategy that focuses not only on the criminals that are after your data, but on the vulnerabilities in your software infrastructure that they turn against you.

Written by Rob Rachwald, Director of Product Marketing, Fortify Software

www.fortify.com

Use of Cookies - Copyright 2011 - NSI (HQ) Ltd

Courtesy of SecurityOracle.com - The Security Industry's Portal