These new attacks routinely search for vulnerabilities that can expose confidential information, and attackers have begun inventing new exploits and techniques to circumvent a variety of existing security measures. As in most successful espionage attempts in the past, hackers are seeking out and delving into the weakest links in the security chain that they can find. For today's attackers, that weak link is more and more likely to be a vulnerability they can identify in computer systems and applications, through which they can access the protected data that is most useful to them. These criminals are interested in a wide variety of targets, ranging from classified government data to personal information, credit card numbers and bank account details.
New forms of information warfare and cyber-espionage have been emerging since the dawn of the Internet age. Several years ago, computer-based attacks traced to foreign servers succeeded in penetrating the defenses of multiple U.S. government and contractor networks, accessing sensitive national security data. It was a wake-up call for many people in the federal government. In spite of that, more recent news shows escalating cyber-espionage targeting sensitive military, government and business information. Organizations including the Department of Defense, NASA and others, as well as important defense contractors, all admit to regular, persistent cyber-attacks from sources all over the world. Identifying the true origins of these attacks and the scope of the data that hackers successfully steal is often difficult or impossible.
Over the past several years, attack techniques and objectives have matured, generating more intelligence and offering a deeper level of access into critical systems. While some hackers work alone hoping to identify and capitalize on unexposed vulnerabilities or design flaws before counter-measures can be created, others work in a collaborative environment, sharing or finding tips and tricks, often researching and publishing their interests publicly on the Internet. The increasing speed of information exchange makes this issue even more urgent as hackers across the globe continue to invent and execute new techniques to circumvent many of today's security technologies in their efforts to find and exploit the weakest links in the security chain.
To many security professionals, the identity and motivation of hackers that are gaining access to sensitive data is less important than identifying, prioritizing and eliminating the overall risk to their organizations caused by software security vulnerabilities. A new area of effort has been uncovering the pervasive lack of consistent security within applications, as this is an area which has critically improved the odds of attackers' success.
Best Defense
Hackers have always capitalized on the path of least resistance when attempting to circumvent security measures, and analysts estimate that applications now experience 75 to 90 percent of all new attacks. The combination of sophisticated, multifaceted threats and the insufficiency of a solely response-based defense posture has led to an evolution in thinking about security. As a result, the best defense against data theft is to understand and ensure the security of software applications in addition to protecting them once deployed.
Rather than solely reacting to security breaches, those in charge of sensitive data must turn their attention to shoring up these applications before they become liabilities. The network perimeter is no longer the first line of defense, as it has become, in many cases, a speed bump in the attackers' path to exploitation. In much the same way that industry guidance and regulations are driving more rigorous examination of the treatment of private and sensitive data, government agencies must also move to the next level of understanding software and driving towards real software security assurance.
Responsible security personnel across verticals must recognize that this problem cannot wait. With new applications being deployed to serve new needs and audiences with unnerving regularity, the problem grows daily. Today's information security managers must factor the security of their applications into their overall risk management operation, presenting them with an appropriate and layered security approach that recognizes the unique vulnerabilities and requirements of each area of the infrastructure, from the perimeter to the applications themselves. In so doing, they will be able to provide appropriate safeguards and protection at all levels, and strengthen the weak links in the information technology chain.
Jack Danahy is founder and Chief Technology Officer of Ounce Labs and one of the industry's most prominent advocates for data privacy and application security. Jack is a frequent speaker and writer on information security topics and has been a contributor to the U.S. Army War College, the Center on Law, Ethics and National Security, and the House Subcommittee on Information Technology. He leads the technical development of the Ounce 5.0 source code analysis tool. His blog can be read at http://suitablesecurity.blogspot.com/, and he can be reached at jack.danahy@us.ibm.com.
View the article at Computer Technology Review at http://www.wwpi.com/top-stories/7112-defending-sensitive-information-from-evolving-threats-of-cyber-espionage