No long ago, a senior executive from one of corporate Americas large bellwether stocks received a telephone call from law enforcement, explaining that the company had a major software vulnerability in its corporate web site. The agent described the vulnerability and its location in great detail and requested that it be fixed immediately. But he refused to disclose how he knew.
At the executives request, the organizations chief information security officer (CISO) investigated the matter, confirmed the flaw and fixed it. Through forensics, the CISO discovered that a foreign government had penetrated the organisations applications infrastructure and was in a position to bring it down whenever the time was deemed right.
Cyber security is no longer just the job of IT. As the true story above highlights, cyber crime today is a silent, invisible battlefield. The anonymity and universal access of cyberspace makes cyber crime attractive and easy. If customers, partners and employees can access sensitive systems from anywhere in the world, then the same pathway to the core infrastructure and priceless data exists for hackers as well.
Defending against cyber crime is costing billions of dollars. According to Gartner, organisations worldwide spent $288 billion on information security products in 2007. The US Government is allocating $7.9 billion in 2009 for cyber security, which is $103 out of every $1,000 requested for IT spendingup 75 per cent from 2004. US companies spent $79 billion in 2007.
But is all this investment making an impact? Consider:
• The Web Application Security Consortium project analysed 31,373 web applications and discovered that they contained 148,000 vulnerabilities.
• Between 2001 and 2007 180 million credit card records were stolen.
• The Washington Post reported that by August 2008, the number of successful data breaches had surpassed all breaches from 2007.
Whats not working? Businesses build applications to store, process and transact money and data for the sake of efficiencybut they often failed to properly defend these applications. As business modernized, software security didnt. And hackers have sniffed out the weaknesses. Traditional cyber defensive measuresincluding firewalls and anti-virusdont protect against data breaches.
Application Security: A New Business Imperative
The days of hacking for fun are over. The new face of cyber crime has evolved in two ways:
• First, foreign governments are also after intellectual property, particularly in the military domain, and the internet is their portal into the applications and databases that hold these secrets.
Countries such as China, for example, have now become proficient in the art of cyber warfare and cyber espionage after setting up specific hacking centres to this end. North Korea, on the other hand, has invested in a hacking school, from which about 100 hackers graduate each year, while Russia fetes its cyber-savvy practitioners as national heroes. The rationale is, why invest vast sums in conventional weapons or risk international scandal if spies are discovered, when such operations can be conducted quietly online these days?
Sign up for Computerworld eNewsletters.