2012-03-01
Abstract
'Companies and governments need to hack themselves first.' Jeremiah Grossman, WhiteHat Security.
Copyright © 2012 Virus Bulletin
Everyone who uses the Internet is affected by inherent security problems. Last I heard there are about two billion people online. I’d be willing to bet that the vast majority have had their computers hacked at some point and subsequently been infected with viruses, had online accounts taken over, or else they know people who have.
When it comes to hacking businesses and governments, computer breaches may even be more common than for the average individual. Professional cybercriminals are not only after money, they also seek to steal intellectual property, trade secrets, even military capabilities – all things vital to our economic well-being and national security. It’s time we got serious about this problem.
The new threat landscape requires a different defence approach because laws against hacking have little impact when the perpetrators are transnational. And unfortunately, international law enforcement is ill-equipped at best. Safeguarding the Internet requires a whole new way of thinking. The solution: companies and governments need to hack themselves first.
My first step onto this path of realization came more than a decade ago when I hacked my own Yahoo! Mail account, just to see if I could. There was a way (several ways actually) to get into my inbox without even needing a password. But instead of exploiting the vulnerabilities, I let Yahoo! know the details – promptly and privately. Yahoo! was able to fix the issues and safeguard its mail users. Being proactive prevented a serious security breach and public relations nightmare.
A dialogue followed – hack Yahoo! before the ‘bad guys’ do – and I was offered a job. Yahoo! was open to hacking itself first. There are other companies taking this approach, like Google, Mozilla and Facebook, yet the majority of companies and governments rely on network and endpoint-security measures because they are mandated by compliance standards.
Compliance standards, generic as they are, really don’t take into consideration an organization’s actual security needs and, instead, apply a one-size-fits-all mentality that results in misplaced security spend. It also results in internal complacency for the business that thinks that checking a compliance box equals security. Because compliance standards impact companies differently, the outcomes related to following a compliance-only security programme are often detrimental, the opposite of the intended goal. For example, some organizations determine that the financial implications of non-compliance are less than the costs associated with compliance and decide to ignore the regulation despite a notification to comply.
However, government and/or industry-mandated regulations are only one barrier to protecting individuals, corporate intellectual property and national security. The other barrier is the traditional, outdated attitude toward security that asserts that firewalls and anti-virus software provide sufficient protection. They don’t.
The majority of recent security breaches have been the result of web application vulnerabilities, an avenue of attack where firewalls and malware detection are of zero value. AT&T, Citigroup, PBS, NASDAQ, the CIA, Siemens, Electronic Arts, and the websites of thousands of others have been breached in just the last year, and most likely they were all stockpiled with traditional ‘best-practice’ controls. On an average commercial website, our labs can identify one or more security gaps, usually in under 20 minutes.
Some companies are taking steps toward identifying web application vulnerabilities by hacking themselves – the aforementioned Google, Mozilla and Facebook reward hackers that notify their security teams about security issues, collectively handing out millions in rewards so far – but this is just the first step.
The next step requires more security spend to go toward web application security given all the applications that users run on the web. The reality is that a problem as diverse and wide reaching as cybercrime cannot be solved by any one defence mechanism, but I’ll tell you this: protecting the Internet requires a completely new way of thinking that goes beyond traditional security spend, current laws and compliance regulations if we want to see any measurable progress.
