My company’s CTO Marc Maiffret (a notorious hacker when he was a teenager before being raided by the FBI when he was 17 – but that’s another story!) has often commented on how the world of hacking has changed. Back then, hackers were mainly kids who did it for kicks, to see what was possible and maybe carry out a bit of hacktivism. Today, hacking is more sinister, focused on cybercrime and nation-state attacks.
Yet at the same time, security technology has developed at an incredibly sophisticated pace, so why is hacking still so successful? Marc and I both agree that the debate around how to stop this new breed of hacking is often misguided and not focused on what really needs to be done. There is too much emphasis on the perpetrators of these crimes and their victims, rather than the real problem, namely the insecure software and technology that make successful attacks possible.
The know-how is there, so rather than giving the employees who accidentally open malicious emails a hard time (just one example), the software industry has an obligation to provide enterprises of all kinds – large and small, private and public – with the protection that should be within anyone’s reach.
Surely they’re doing that already, I hear you say? Well, I could be castigated for saying this, but I’d argue that there are some large software companies who are perhaps not prioritising it as much as they should be. And that’s not surprising: large software firms with demanding investors are under a lot of pressure to be as competitive as possible. Engineers are being asked to design sexy new features and, dare I say it, security isn’t usually seen as sexy.
Yet the reality is that so many security breaches are entirely preventable. When cyber-attacks are announced, the question should be how the attackers were able to put a virus or another piece of malware on a system in the first place. In many cases, it begins with attackers exploiting a software vulnerability or weakness in order to install their malware.
That becomes an open door for hackers to get inside some of the world’s most widely used software systems. Several of these weaknesses were exploited in high-profile computer virus and worm attacks.
It’s not easy, but it’s doable
Earlier I said that the majority of security problems are preventable and, while I stand by that, I have to also say that securing software isn’t child’s play. To do it well means creating multiple ‘barriers to entry’ and keeping those defences up to date. It also means having a robust security strategy that is built on strong foundations (while the latest cool security technology may have a place, it needs to fit into a bigger picture). Above all, security must be seen as an integral part of any software development.
Bill Gates himself set a good example over a decade ago. After Microsoft’s software vulnerabilities drew significant negative attention, Gates addressed the issue in 2002 in his now famous “Trustworthy Computing” memo, in which he made it clear to all employees that the company’s future depended on building software and a platform that could be reliably secure. It was more than talk: in the decade or so since, Microsoft fundamentally changed its software development process to make security a core part of the programme.
Unfortunately, the same cannot be said of all companies. The security holes within Oracle’s Java are well publicised, so much so that the US Department of Homeland Security recommends that users completely disable the software in their browsers. Adobe, provider of Adobe Reader and Flash, has seen its software used as a gateway for cyber-attacks, although Adobe is working hard to improve the security of its technology.
The reality is that any computer or network is only as secure as the weakest link, so one single piece of badly protected software can make the whole network/system/IT landscape vulnerable. So what needs to be done?
1. Companies need to co-ordinate with other software developers – they need to work together to identify and close the doors that vulnerabilities open
2. Security is not an add-on or marketing gimmick – it needs to be at the core of every software development project
3. Software companies – and their customers – need to realise that the vast majority of vulnerabilities are entirely preventable, so they should take steps today, rather than continuing to ignore the security elephant in the room. Focus on dealing with the insecurities in software, not the perpetrators.