Information Security & Importance – Part I
Information is a business asset and has a value. It can exist in paper, electronic, audio or video format. Earlier, information used to be managed using manual processes. However with the advent of computers and networks; information is managed using electronic means. Software becomes a tool for users to create, acquire, process, store, transfer, retrieve, transform and delete information.
The classical definition of security defines it as an activity to protect a building, nation or person. It talks about protection. We have security guard protecting company premises. In the convergence arena we cannot do business with only protection. We need to allow customers to meet our human resources; we need to allow prospective clients to visit our infrastructure. Definition of security is now changing from protection to controlled access. If there are 10 doors and if we want to build system by which all visitors are allowed from 5th door and if all visitors enter through 5th door then that system is secured.
Security standards define security as combination of Confidentiality – a process to ensure that only authorized users will have access to information, Integrity – a process of safeguarding accuracy and completeness of information and information processing facility and Availability – a process to ensure that all authorized users will have access to information as and when required and Accountability – a process to reestablish the acts with actors in such a ways that actors are unable to repudiate (deny) an act occurred.
Build Secure Software
All successful software attacks in past had a common enabler – software bug. Software bug shall not only be associated with writing code but it is also about how we are developing, hosting, maintaining and using software.
Not too long ago, safe & secure software was predominant requirement for aerospace, nuclear plants, medical instruments, aviation and financial institutions. Today scenario is changed, world is more networked than ever and software is the core component. Software runs essential services for our routine life such as electricity and water systems, vehicles, phone, television, ATMs and off-course computers so software failure directly impacts our life. For example, people use ATM without knowing which software runs it and imagine, due to insecure software bank server is hacked and you are unable to retrieve your own money or someone steals money from your account.
While critical transactions for insurance, banking, taxation, registration, shopping facilitated online, people are actually afraid of supplying personal data, financial records or medical information due to identity theft and associated cyber crimes.
Software systems are not considered as dependable and trustworthy as electricity, telephony or transport system until proven otherwise. A worst case example could be, if you remove few bricks from a building, it will remain as is however if you remove few bytes from software, it may not work. It is important for maintain trust of end users into software-intensive systems. It is possible only when we build secure software that perform what they are supposed to and nothing else under any circumstance.
Attackers and their motivations
Attackers have different motive to attack various assets. It could be fun, money, destruction, vengeance, espionage or terrorism. Following is categorized list of attacker.
Script kiddies are hobbyist who has little or no knowledge of security however they have access to security programs or exploits. Generally they use well known and widely available hacking techniques on extremely vulnerable system. They do it for fun or attract media.
It is the most generic term used for computer wizards who have thorough knowledge of the system internals and programs. Over a period of time its definition took gray meaning as many hackers started using their knowledge for gaining money or corporate espionage.
Crackers are skilled resources and have sound knowledge of technology. They use their knowledge to perform illegal or unethical activities. Their motivation is destruction. They do it in groups through competition and/or for fame.
They are hackers who are working as tools for political desire, religious blindness or extremist belief. They want to rule cyberspace, they threaten governments to fulfill their demands, they hack and use popular servers to demonstrate their views.
A completely opposite to them there are hacker groups that attempt to infiltrate or disable the information systems of organizations that are perceived to be hostile to the hacker’s country, they are known as patriotic hackers.
A hacker who attempts to infiltrate information system with an intention to learn the system’s weaknesses so that they can be repaired. They are security professionals and they are invited by companies to assess their state of security. They also do research on products and if they find vulnerability into product they report it to vendors to close loopholes.
70% of attacks happen by someone internal to organization and never get reported to community. Insiders not only have internal knowledge of information systems’ operations but also have access to it. They are trustworthy part of organization and if they start doing malicious activity, it becomes very difficult to trace it that is why Insiders are the biggest threat.
Vulnerability is a loophole in the system or application. Researchers discover vulnerability and announce it with proof of concept or vendors identify vulnerability through security breach. Before vendor releases patch if its exploit is available on web then amount of damage increases. So generally most of the researchers and ethical hackers follow responsible disclosure where they intimate the vendors first and when vendor is ready with patch, they announce the vulnerability in public.
If the attackers identify vulnerability, they use it to its fullest before the vendor releases a patch. Many attackers reverse engineer the patch and learn about the vulnerability and then they develop exploit to attack old (the ones that are not patched) versions. Historically the time between the announcement of vulnerability and attempted exploits of the vulnerability has diminished from months to a few days (approximately 6 days as of now) and some vulnerabilities are even exploited as “Zero-day”. Zero-day exploit is program that takes advantage of vulnerability on the same day (or before) that the vulnerability becomes generally known. Not all organization take systematic approach for patch management so when hackers are becoming faster at exploiting a vulnerability so before user apply patch if vulnerability is exploited then mass destruction may occur.
More about driving factors for software security, why businesses pay special attention to it and the problem with Software security coming up in next post in this series of Information security and importance. Stay in touch!