Software developers will play a greater role in ensuring enterprise security in 2012. Enterprise IT departments are no longer the only folks on the hook for locking down corporate networks.
Richard Clarke, former chief counter-terrorism advisor to the president and author of the book “Cyber War,” said that the threat landscape is changing. The actors are varied in their trade and more innovative. He pointed out that criminals are becoming very talented at breaching networks through Web and third-party applications. The advent of the cloud and its inherent multiple environments can leave backdoors unintentionally open, making them even more enticing.
This means that software development managers must begin testing their applications as thoroughly as IT tests its security infrastructure. These changes, along with the ramifications of impending government legislation, will significantly affect how developers look at application testing.
In a recent industry vendor-hosted webinar, Clarke, who has 19 years' experience in the Pentagon, the White House and the State Department, called 2011 “The Year of the Breach.” Stories of attacks flooded the news. He described them as being tossed into the media melting pot and spit out as if they were all one type of attack or from one attacker.
But, he pointed out, “They’re not the same. It’s not all big, bad China, all 1.3 billion Chinese attacking us. It’s important to distinguish among the actors and attacks. You can’t respond in a generalized way to the ‘Year of the Hack.’ You must respond to the specifics of who’s attacking and how you’re being attacked.”
Four kinds of crime
Clarke invented an acronym, CHEW, to describe the four pre-eminent types of attacks as he sees them.
C stands for crime. Cyber crime accounts for more revenue than international cartel drug income, according to the U.S. Treasury. Income estimates run in the hundreds of billions per year. Cyber crime used to revolve around stealing credit card numbers, but now criminals are hacking into companies and taking over Accounts Payable. For example, in the Coreflood case, criminals cut checks to themselves, for US$150,000 and up, to offshore banks in the Cayman Islands.
H belongs to “hacktivism.” Examples of hacktivism include WikiLeaks and political protests using Web application vulnerabilities, SQL injections and directory traversal. They’re meant to politically embarrass corporations, not necessarily steal from them.
The E is for espionage, which doesn’t get the attention it should, Clarke said. U.S. intelligence communities have declared it a much larger problem that extends past governments spying on governments. It includes criminals hacking their way into corporations and stealing anything of value, like software code, customer lists, formulas, etc. He made the point that it’s impossible to be competitive when a company’s project is stolen and then brought to market by the thieves faster than the rightful owner can release it.
Thefts like these develop over time. Incident response firms inevitably find evidence of longstanding penetration during their investigations. These are known as “advanced persistent” threats because they have been lurking in the corporate IT structure. Knocking back these attacks using traditional methods like IDS, IPS, AV, tokens and certificate authorities used to be effective. The problem is that they no longer work as well, because the criminals are going after these defense systems themselves. Much of their access comes from infiltrating the network through software vulnerabilities.
W stands for war. Clarke admitted that he’s been accused of hyping it, but defended his position by saying that current U.S. Secretary of Defense Leon Panetta and other federal and global power brokers share his view.
About 20 to 30 countries, including the U.S., have formed cyber war units. The Pentagon has also established a huge new organization, designed for offensive purposes, called the Cyber Command; it is composed of the Army, Navy and Air Force. The U.S. Defense Advanced Research Projects Agency is also developing offensive tools.
Clarke said that no legislation has been passed to date, although Congress has conducted numerous hearings. But the day when lawmakers can afford to turn a blind eye is, by Congress's own acknowledgement, over. In November, U.S. Senate majority leader Harry Reid announced that cyber-crime legislation currently in committee would be debated on the floor in late January 2012.
Additionally, and very importantly for developers, the Securities and Exchange Commission recently said that if a publicly traded company has been breached in a way that might materially affect the value of its stock, it must disclose this publicly. Every major company has been hit, even though they have spent millions of dollars on traditional protection, according to Clarke. For developers, this is a game-changer because it places responsibility for the security of a corporation’s business squarely on them.