
The Cybercrime Evolution
The past few years have seen a major change in the world of cybercrime, says Fortify Software's Richard Kirk. Just 4 or 5 years ago, cybercriminals were mostly young male nerds who did it for fun or experimentation. They weren't out to profit from their endeavours; they simply wanted to impress their peers. They didn't want to steal money or cause major disruption.
But the golden age of hackers and cybercriminals has passed. Today, e-crime is the domain of organised gangs, often from eastern Europe or China. They have just one motive. Now it's all about making money.
The main targets of today's hackers are e-commerce web sites and the customer databases behind them: databases that hold credit card numbers, expiry dates, PINs, addresses, and everything else needed to empty a victim's bank account. Their operations are so slick that stolen data is exploited within seconds of being submitted by unwitting victims.
The big growth area in e-commerce right now is the use of web-based applications to replace traditional over-the-counter or telephone-based transactions. Hackers have, understandably, latched onto this. According to Gartner, 75% of security breaches are due to flaws in software, primarily because those applications have been put together as quickly as possible to get a working system out there, without due regard for the security implications.
As hackers continually up their game, the US securities and futures industry recorded a 150% year-on-year increase in the amount of suspicious activity detected on its systems in 2007.
"Today's cybercriminals are highly sophisticated", says Roger Thornton of IT security company Fortify. "Their technical expertise is extremely good, as is their knowledge of the systems they're trying to break into. They also have at their disposal the resources of large organised crime gangs who are fully aware that the world's police forces are woefully under-resourced for tracking down internet fraudsters."
According to Gartner, 90% of IT security spend goes on perimeter security such as firewalls. But maybe we're doing it all wrong. A firewall will happily let someone access an insecure web application if they meet all the criteria for being allowed in. We need to focus our efforts on building secure applications in the first place, which can't be compromised.
So how can we make our web-based applications more secure?
We need to put more effort into getting the application designers to write secure applications, and to use proper procedures (as well as automatic software solutions) to help test them. This means tackling the developers, and readjusting their attitudes somewhat.
So how can we make developers see the world from our point of view? First, consider rolling out a programme of security awareness training so that they understand that security is just as important as availability. Explain why it's so important to develop applications which are both secure and functional. Second, concentrate on best practice. Stress the importance of adhering to secure coding guidelines such as those from OWASP (the Open Web Application Security Project). Set up a programme of code reviews and penetration tests, so that potential security problems can be detected early and fixed. Third, put some formal management practices into place. You need to be able to measure the effectiveness of your efforts.
To help developers write secure applications, various companies produce automated software tools. These include code analysers that scan source code for possible security issues. Others sit between the web browser and the server on your development network, analysing data flows and highlighting potential problems, such as an opportunity for a hacker to redirect a web form to their own site.
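As an added illustration of the kind of data-flow check such a tool performs (this is example code written for this page, not Fortify's product; the sample page and host names are constructed), the following Python function flags any form on a page whose action would post user data to a different origin than the page itself, or would downgrade from HTTPS to plain HTTP:

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect the action attribute of every <form> in an HTML document."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            # attrs is a list of (name, value) pairs; a bare attribute has value None
            self.actions.append(dict(attrs).get("action") or "")


def offsite_form_actions(html, page_url):
    """Return the form actions that would send submitted data away from page_url's origin.

    A relative or empty action resolves against page_url, so only an explicit
    foreign host, or a drop from https to http, is reported.
    """
    parser = _FormCollector()
    parser.feed(html)
    page = urlsplit(page_url)
    findings = []
    for action in parser.actions:
        target = urlsplit(urljoin(page_url, action))
        if target.netloc.lower() != page.netloc.lower():
            findings.append(action)          # form posts to another host
        elif page.scheme == "https" and target.scheme != "https":
            findings.append(action)          # form posts over plain HTTP
    return findings


# Constructed sample page for demonstration; shop.example and evil.example are placeholders.
SAMPLE_HTML = """
<form action="/checkout" method="post"></form>
<form action="https://shop.example/login" method="post"></form>
<form action="http://shop.example/pay" method="post"></form>
<form action="//evil.example/collect" method="post"></form>
"""

if __name__ == "__main__":
    for bad in offsite_form_actions(SAMPLE_HTML, "https://shop.example/cart"):
        print("suspicious form action:", bad)
```

Run against a captured page, the two relative and same-origin HTTPS forms pass, while the plain-HTTP form and the protocol-relative form pointing at a foreign host are reported.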
The internet is here to stay, as is internet crime. With the relentless move online by all sorts of business and government agencies, e-crime will continue to evolve. As more coffee shops and libraries offer free, anonymous WiFi access, tracking down cybercriminals will get harder. So as hackers evolve, so must your efforts to defeat them.
Richard Kirk, European Director, Fortify Software
www.fortify.com