This site uses cookies. By continuing to browse this site you are agreeing to our use of cookies. Find out more.X

Cyber security: the magic box myth

Share this article:
Cyber security: the magic box myth
Cyber security: the magic box myth

The increasingly shrill headlines on security breaches have made cyber security a top priority among policy makers and in boardrooms.

Despite spending an estimated $60 billion in 2012 on IT security products and services, we regularly see breaches where hackers have successfully penetrated defences. Yet the problem is most likely worse than we know; hackers are getting better than ever at not being detected.

A great deal of that spend is geared toward protecting our networks. It's tempting to think that we can secure our infrastructure by securing our networks. After all, networks are the conduits for attacks.

There has been a long history of vendors selling magic boxes that, if you only bought them and plugged them into your network, it would make your network secure and bad stuff would be filtered out with sensitive data kept in. Of course, you will need enough of these boxes to keep up with the network load generated, and that always goes up over time.

A similar approach also dominates for securing PCs and is now emerging for mobile devices. Every system gets a sentry that attempts to guard the machine from being tricked into doing something it shouldn't, keeps sensitive data protected, and gives control to a central IT organisation.

Yet over time, people have found problems in these approaches and attackers get smarter. It's expensive to build mitigations and once an exploit approach is discovered that can circumvent the latest variant of a smart sentry, suddenly that kind of sentry becomes much less effective. Hence the cat and mouse game continues.

A network-centric approach to security makes sense, especially for administrators of networks. More generally, IT security is what you get when you focus on what can be done by IT organisations. But if we're ever going to get a real handle on cyber security as a society, we can't limit our view to users of software. We need to go way back to when that software was made in the first place.

The problem of cyber security is that it has its roots in defective and badly designed software code. At least, that's the vast majority of the problem. If buggy software were factored out, we could drown the rest of the cyber security problem in a bathtub.

Let's take a look at an example. Recently, major financial institutions have come under denial-of-service attacks. On the surface, this seems to be a pure networking and capacity problem, but the reason the attackers were able to create the botnet in the first place was because they exploited a known vulnerability and used it to take over unsuspecting machines on the internet.

The machine you're using right now might be part of a botnet, acting like a zombie, sending requests on behalf of a shadowy attacker. How did it become the slave of some hacker? Maybe one day you visited a website that had malicious content.

That malicious code leveraged a defect in the machine's software infrastructure, such as your web browser or your word processing program. This defect essentially tricked your machine into following instructions from the hacker and from there, it silently installed itself and awaited instructions from its master.

Maybe you didn't keep your software up-to-date. Maybe you opened an email attachment you shouldn't have trusted. Maybe you just got unlucky (there are some vulnerabilities that don't require you to do anything other than be connected).

Then again, why would you expect that clicking on a document or web page, or just being connected to the internet, could result in your machine being taken over?

In a better world, you shouldn't. If we're ever going to solve the cyber security challenge, we need to strengthen the world's software infrastructure from within.

It won't be easy - there are billions and billions of lines of code out there. Yet until we are mature enough to realise that the security and reliability of our infrastructure is only as good as the code that makes it up, we will continue to stumble from patch to patch, weakness to weakness.

Andy Chou is co-founder and chief technology officer of Coverity

Share this article:
close

Next Article in Opinion

SC webcasts on demand

This is how to secure data in the cloud


Exclusive video webcast & Q&A sponsored by Vormetric


As enterprises look to take advantage of the cloud, they need to understand the importance of safeguarding their confidential and sensitive data in cloud environments. With the appropriate security safeguards, such as fine-grained access policies, a move to the cloud is as, or more, secure than an on-premise data storage.


View the webcast here to find out more

More in Opinion

Insiders can use whistleblowing tools to steal data without a trail

Insiders can use whistleblowing tools to steal data ...

The tools exist to by-pass many data leakage programmes and facilitate mass exfiltration of data, so enable internal whistelblowing - to avoid external access says Edward Parsons.

Know thy neighbour: Dealing with third-party cyber attacks

Know thy neighbour: Dealing with third-party cyber attacks

It'd not enough to protect your own network, you aslo have to be prepared to cope with third party negligence says Brian Foster.

The dungeon of the 'Deep Web'; where even the spiders dare not travel

The dungeon of the 'Deep Web'; where even ...

Charles Sweeney asks, are your staff inadvertently leaving the back door open via an innocent lunch-time browse?