GSN


Protecting Sensitive Information from the Next Wave of Attackers

By Jack Danahy

Published April 24th, 2008


Beginning in 2003, computer-based attacks apparently originating in China succeeded in penetrating the defenses of U.S. Government and contractor networks alike. As the story was picked up by mainstream media, federal investigators gave the attacks the moniker "Titan Rain." But that name was soon changed, and both the new designation and details of the attacks associated with it have since been classified. Regardless of the source or motivation behind these attacks, one thing is clear -- these new threats are raising concerns about the safety of our nation’s most sensitive data.

While these attacks are by no means unique, they serve to illustrate that the profile of today’s hackers has matured. The days have passed when attackers were categorized simply as amateurs content to deface Web sites. Cyber espionage now specifically targets sensitive military and business information at the Department of Defense, NASA, and many other government agencies and contractors. Attackers routinely search for vulnerabilities that expose confidential information by inventing and using new techniques to circumvent many of today’s security measures.

As network security has improved and private networking technologies have become more widely adopted, the preferred targets have become the applications themselves. Analysts estimate that today’s applications experience almost 75 percent of all new attacks.

Beyond threats to mission and operational strategy, there is also tremendous profit in the sale of sensitive information. Personally identifiable information, such as social security numbers or bank accounts, is one target, while sensitive government classified information is another. The identity and motivation of the buyers are less important than the pervasive lack of consistent security within, and across, applications that virtually ensures the attackers’ successes and then obfuscates their true origins.

The attacks have matured, generating more intelligence or better access for attackers. Today’s end users are consistently bombarded with malware, viruses, phishing attacks and other social engineering attempts. Systems are infected with rootkits, keystroke loggers, logic bombs and spyware. The most successful attackers combine the latest tactics -- including cross-site scripting (XSS) and injection attacks -- with rapid exploitation of newly discovered security weaknesses, allowing them to take advantage of busy network and system operators who are often one step behind them.

As a result, the best defense against the theft of sensitive data is understanding and ensuring the security of the applications themselves. Rather than taking a solely reactive posture, those in charge of sensitive data must turn their attention to shoring up weak applications before they become liabilities. In much the same way that industry guidance and regulation are driving more rigorous examination of the treatment of private, sensitive data, government must move to the next level of understanding and assurance.

Fortunately, the government is beginning to make the connection between national security, data security and application security. Homeland Security Secretary Michael Chertoff, while admitting that the U.S. still has significant work to do in the area of cyber-terrorism defense, has worked closely with the White House to identify new areas for investment, including a recently added $6 billion line item to build a secret system to protect against emerging digital threats.

While that effort continues, responsible security personnel must recognize that this problem cannot wait. Today’s government information security managers must factor the security of their applications into their overall risk management operation, allowing them to adopt an appropriate and layered security approach that recognizes the unique vulnerabilities of each area of their infrastructure -- from the perimeter to the applications themselves. In so doing, they will be able to offer appropriate safeguards and protection of sensitive data at each level. They must also take the time to address vulnerabilities at the newest and often least protected point in their systems -- the applications themselves -- in order to protect critical and sensitive information in advance of these growing digital threats.



Jack Danahy is founder and chief technology officer of Ounce Labs and an industry advocate for data privacy and application security. He can be reached at: .

