The changed face of cybercrime
The past few years has seen a major change in the world of cybercrime. The sheer number of crimes has increased substantially, but that's not the whole story. Merely increasing the amount of money and people that your company throws at the problem is no longer enough to keep pace with the changes. Cybercrimes, and the cybercriminals that perpetrate them, have evolved. To protect your company from the new wave, your methods and attitudes must evolve too.
Just 4 or 5 years ago, cybercriminals were mostly young male nerds who did it for fun or experimentation. They weren't out to profit from their endeavours. They simply wanted to impress their peers (or girls, in a small number of cases). They didn't want to steal money or cause major disruption, but introducing some minor irritations was a legitimate part of the game. Changing the company logo on a web site was acceptable. Crashing the entire system and demanding money to return it to normal was never an option. Hacking was done to earn bragging rights and to boost egos. It was a couple of notches up the intellectual ladder from trainspotting. Crack a system, enter the details into your well-thumbed notebook, then move on.
But the golden age of hackers and cybercriminals has passed. Today, e-crime is the domain of organised gangs, often from eastern Europe or China. They have just one motive. Gone is any desire to embarrass website owners or cause mindless e-vandalism. Now it's all about making money.
The main targets of today's hackers are e-commerce web sites and the customer databases behind them. Databases that hold credit card numbers, expiry dates, PINs, addresses, and everything else that's needed to empty a victim's bank account. Their operations are so slick that stolen data is exploited within seconds of it being submitted by unwitting victims.
A total of 143,757,645 database records have been reported to have been compromised since 2005, yet many incidents go unreported and unnoticed. Some 40 per cent of those involved in IT security can't put a figure on the number of incidents that their company has experienced.
The big growth area in e-commerce right now is in the use of web-based applications to replace traditional over-the-counter or telephone-based transactions. Hackers have, understandably, latched onto this. According to Gartner, 75 per cent of security breaches are due to flaws in software. Primarily because those applications have been put together as quickly as possible in order to get a working system out there, without due regard being given to the security implications.
As the hackers continually attempt to up their game, the securities and futures industry in the US recorded, in 2007, a 150% annual increase in the amount of suspicious activity detected on its systems. During the same period, research carried out at the University of Maryland found that a computer system connected to the internet was typically subjected to an attempted hack every 39 seconds.
"Today's cybercriminals are highly sophisticated", says Roger Thornton of Fortify, an IT security company. "Their technical expertise is extremely good, as is their knowledge of the systems they're trying to break into. They know the thresholds at which an online ordering system will seek additional verification of a customer's identity, and take care to stay below it when placing fake orders.
"They also have at their disposal the resources of large organised crime gangs who are fully aware that the world's police forces are woefully under-resourced for tracking down internet fraudsters."
According to Garter, 90 per cent of IT security spend is on perimeter security such as firewalls. But maybe we're doing it all wrong. After all, conservative estimates put the total annual IT security spend in the US at some $50 billion. Those same estimates suggest that losses due to e-crime are running at around $100 billion. We're spending 50 billion to lose 100 billion. As ROIs go, it's not a particularly good one.
A firewall will happily let someone access an insecure Web application if they meet all the criteria for being allowed in. Surely this can't be allowed to continue. We need to focus our efforts into building secure applications in the first place, which can't be compromised. Perhaps the decision on whether someone should be allowed to use an application should be based on whether that app is secure, not on the user's IP address or the port they're trying to connect to.
As the move to online applications expands beyond online shopping, the need for secure applications will become even more important. If an e-voting application allows someone to vote twice if they enter a couple of thousand random characters as their surname, a firewall isn't going to help.
So how can we make our web-based applications more secure? Historically, software developers have always been so immersed in trying to make the software bug proof and resilient they have overlooked the security side. It is now time to change this approach.
We need to put more effort into designing secure applications, and to use proper procedures (as well as automatic software solutions) to help test them. This means tackling the developers, and readjusting their attitudes.
In the past, software developers have concentrated too much on availability. If their system appears to work most of the time, they're happy. They're fully aware that their code isn't perfect but they don't see a need to do anything about it. "If someone wants to enter a credit card expiry date of -1 and crash the application, that's not our problem", they say. It is, and someone has to tell them.
A 2007 report from NTA Monitor found that 90 per cent of UK-based company websites harboured at least one weakness that could allow hackers to gain unauthorised access. The same research also found that one third of those websites exhibited vulnerabilities which are known to, and used by, hackers across the web. No doubt the hacker community has been busy discovering how to exploit the other two thirds.
So how can we make developers see the world from our point of view?
First, consider rolling out a programme of security awareness training so that they understand that security is just as important as availability. Explain why it's so important to develop applications which are both secure and functional.
Second, concentrate on best practice. Stress the importance of adhering to secure coding guidelines such as OWASP (the Open Web Application Security Program). Set up a programme of code reviews and penetration tests, so that potential security problems can be detected early and fixed.
Third, put some formal management practices into place. You need to be able to measure the effectiveness of your efforts. As they say in all the best textbooks, if you can't measure it then you can't manage it.
To assist developers in ensuring that they write secure applications, various companies produce automatic software solutions that can help. These include includes code analysers that automatically scan source code for possible security issues. Others sit between web browser and server on your development network, analysing data flows and highlighting any potential problems, such as an opportunity for a hacker to redirect a web form to their own site. As with antivirus and intrusion detection software, some tools are rule-based. Researchers continually update the database of known hacker practices, so that the software knows how to spot potential problems.
The internet is here to stay, as is internet crime. With the relentless move online by all sorts of business and government agencies, e-crime will continue to evolve. As more coffee shops and libraries offer free, anonymous WiFi access, tracking down cybercriminals will get harder. So as hackers evolve, so must your efforts to defeat them.
Richard Kirk, Fortify Software