Cyberspace. The freshest frontier.1
These are the voyages of the cybership n00b, on its continuing mission to seek out new synergies and explore new business relationships. To boldly go where no information security model has gone before.
If companies don't smarten up and start taking security seriously, they might find that the tech frontier can burn them worse than they can possibly imagine.
This is what happened to Sony Pictures2. This is what happened to Lenovo3. And if it happened to those companies, it can happen to yours.
There are a few things your company can do that might help prevent a catastrophic embarrassment.
Don't Fear The Auditor
External review of your company's products and infrastructure by a qualified security auditor or team of auditors will likely reveal a lot of areas of concern that you wouldn't have considered. A detached and objective viewpoint is invaluable when you're creating software and hardware.
Some companies never consider hiring auditors because they fear the "embarrassment" of revealing the flaws in their products, or because the findings might be too expensive or time-consuming to fix.
The outcome of the Sony and Lenovo incidents fully demonstrate the fact that NOT finding and fixing problems is a greater expense. Possibly even a catastrophic expense, when the value of a company's reputation is entered into the equation.
So, it shouldn't be embarrassing to hire an auditor - it should be embarrassing not to. And failing to act on their findings, if one is hired, should also be embarrassing in most cases.
Until you know the flaws, you can't hope to fix them. Once you identify issues, you can learn from them and try to adapt your company to prevent similar flaws going forward.
Hire An In-House Expert
For various reasons, external auditors might not get complete behind-the-scenes access to your company, and this is where an on-staff information security expert helps. Having an expert on-staff means that you have skilled eyes trained on not only your code, but also your internal processes and infrastructure.
They can spot weak points and raise a flag. They can educate coworkers about human-hacking tactics like social engineering and phishing, and teach them how to avoid being tricked into granting access to intruders. An on-staff expert can also offer training to other employees who might be interested in learning more about information security.
When going this route, it is important to keep the expert's training and skills current and sharp. They need access to training resources and sponsorship for security conferences. Because they will be your eyes and ears into the dark abyss of information security, it's also important to give them time to network and communicate with their peers.
Above all else - if the in-house security expert raises a red flag, LISTEN TO THEM. It could save your company.
Hackathons That Actually Involve Hacking
Some companies have internal and external "hackathons" which are coding marathons for adding functionality to products or creating whole new projects. If hackfests were held that actually involved hacking the company's products and infrastructure, problems might be exposed and corrected long before they make the company vulnerable to security threats.
Companies could even benefit from a "Red Team" concept, where you build a small team of white-hat hackers to run penetration tests on your products, infrastructure, and services.
Hacking As Part Of The Lifecycle
Many software and hardware companies have an established workflow for their projects. Things usually transition from a design phase to development to testing, and so on until the product is ready for release.
In other cases, workflow steps will repeatedly loop back to the beginning in order to incorporate feedback and research findings.
Both of these workflows would benefit from a stage where the software (or hardware) is tested for vulnerabilities, in addition to the normal testing for meeting the project specifications. This could be coupled with the hackathon or Red Team ideas as a way to familiarize everyone on the team with common threats and how to pre-emptively combat them.
Maybe once we incorporate the skills and techniques of hacking into our daily routines, we'll finally make some headway in building secure systems.
- Space will always be the final frontier, but you can't even get there without Garibaldi running security.
- Although North Korea was initially blamed for the Sony Pictures hack, further finger-pointing has variously assigned blame to ex-employees or Russian superhackers. Regardless, the amount of data exfiltrated from Sony's systems was astonishing and likely should have been noticed while it was in progress.
- Lenovo technically wasn't hacked, but made an ill-advised decision to partner with an Adware company to bundle software on new computers. Trust is something earned, not bought, so Lenovo's choice to value an adware relationship over their own customer reputation was a poor idea to begin with. It just so happened that the adware maker was gravely incompetent and shipped software that rendered computers highly vulnerable.
Published: February 22, 2015