Information security should be the responsibility of the chief executive and senior management of an organisation, says Andy Prow of consultancy Aura Software Security.
It should be part of everyday business, and not left exclusively to the IT team.
When ICT development teams are under pressure they tend to skimp on security in favour of adding functionality to the system before the deadline, he says. And a management team less aware of the risks will let them do so, rather than insisting on security as part of company policy.
Likewise, staff at all levels should be educated about the risks, whether those risks arise from their own use of technology or from insufficient awareness of what data needs to be protected, Prow says. Classification of data into sensitive and less sensitive categories should not be just a matter for government agencies. Every organisation should inculcate in its staff a sense of what needs protecting most.
Sometimes developers and management are aware there are holes but still consider the risk to be minimal, telling themselves “the worst an intruder will be able to do is read a few emails”. Some of those emails could include very sensitive data, Prow says.
Prow addressed last week’s meeting of the Wellington chapter of the Worldwide Institute of Software Architects (WWISA) on the question, taking as his title: “It only takes a pinprick to burst your enterprise security bubble”.
Many of the risks he enumerated are well known, such as the danger of not keeping software patches up to date. Indeed, the frequent repetition of this message could of itself engender a blasé “heard it before” attitude, he warns. Prow showed how unpatched systems are constantly at risk, showing the website of one cracker team dedicated to producing an exploit for every security bulletin issued by Microsoft — sometimes within days of the bulletin.
Strict guidelines for bringing technology into the organisation, or attaching it however remotely to the network, should be enforced, says Prow. He tells horror stories like that of a senior executive permitted to log on to the network from home using a PC, which was in turn attached to an unsecured home wireless LAN that could be tapped into from a car parked outside the house.
Nowadays, he reflects, a company has to be wary of employees backing up tunes from their iPods or, of course, playing a copy-protected Sony CD on their office desktop.
He showed the WWISA audience some of the tools in the cracker armoury, such as cross-site scripting (the insertion of malicious code through a malformed website link) and the injection of SQL code into a web server through an HTML form to extract confidential information from the underlying database. His colleague Mark Keegan showed how the code for a commonly used shopping-cart application can be examined for holes and compromised to intrude into any site using it.
Contracted developers are often allowed too free a rein inside systems, Prow says. They are given administrator-level access or even allowed physically into a room full of servers.
Prow and Keegan recommend having a skilled “cracker” on staff who constantly tries to breach the organisation’s defences. However, Prow says, the person needs to be skilled enough not to create more trouble than he or she intends. With incomplete knowledge it is easy to bring down an entire network while trying to breach the defences of one machine.