And while the LulzSec group, which is responsible for the Arizona DPS and Sony security breaches among others, has chosen to disband because it is “getting bored of us,” most hacking targets are not so fortunate. Hackers generally don’t get bored that easily. More often than not the thrill-seeking compels them to go for bigger and better targets…and it seems they’ve been up to the task.
In fact, in the wake of the CitiGroup data breach, Time Magazine’s Martha C. White openly questioned in her June 6 headline, “Are Hackers Getting Smarter?”
Based on the events of this year alone, Ms. White, the resounding response would have to be, “YES!!!”
The breach at Citigroup’s North American cards division saw hackers finagle access to names and information of more than 200,000 customers. White points out that, while it pales in comparison to the 16 million accounts that were illegally accessed by hackers in 2010, a direct hack on a bank is as significant as it is rare.
She goes on to note, however, that a modern-day Bonnie and Clyde are more likely to wield keyboards than guns, so there needs to be greater attention to securing customer data.
OK, locks are nice, but they have to lock something that is, first and foremost, structurally sound.
Historically, security systems have been fine if you want to know when someone or something has infiltrated your perimeter. However, every defensive force since the beginning of time has known that if you want to keep the infiltration from happening, you first need to establish a solid perimeter.
Recently MITRE and the SANS Institute released a report on the 25 Most Dangerous Programming Flaws and, at the top of the list, was the one that has been behind many of the highest profile hacks in recent memory – SQL Injection. And because so much of today’s software is built upon pre-existing code, many instances of these flaws have lain dormant for generations of application software, only to be exploited as hackers become more aware of their existence.
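As an added illustration, not code from the original post or from the report, here is the flaw the list ranks first in its classic form beside the fix: a customer lookup that splices user input into the SQL text, next to the same lookup using a bound parameter. The in-memory SQLite table and the sample inputs are constructed for the demo.

```python
import sqlite3

# Constructed sample data: a tiny customer table standing in for a
# card-division database (hypothetical, for illustration only).
SAMPLE_ROWS = [
    (1, "alice", "4111-xxxx-xxxx-1111"),
    (2, "bob", "5500-xxxx-xxxx-2222"),
    (3, "carol", "3400-xxxx-xxxx-3333"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, card TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, name):
    # The dormant flaw: input is concatenated into the SQL text, so the input
    # can change the query's structure instead of merely supplying a value.
    sql = "SELECT name, card FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    # The fix: a bound parameter is always treated as data, never as SQL.
    sql = "SELECT name, card FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name):
    """Return (rows from the vulnerable lookup, rows from the parameterized one)."""
    conn = make_db()
    try:
        return lookup_vulnerable(conn, name), lookup_parameterized(conn, name)
    finally:
        conn.close()


if __name__ == "__main__":
    benign = "bob"
    hostile = "x' OR '1'='1"  # constructed input: turns the WHERE clause into a tautology
    for inp in (benign, hostile):
        vuln, safe = compare(inp)
        print(f"{inp!r}: vulnerable -> {len(vuln)} rows, parameterized -> {len(safe)} rows")
```

The same pattern is what a code-quality assessment of legacy code should be hunting for: any place where query text is assembled from strings rather than bound parameters.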
While businesses can ill afford to take the time to rewrite code from scratch every time they need to create a new application, let alone when they customize one, there needs to be some due diligence applied to ensure that the code upon which new software is built meets the latest standards and norms of the industry.
If organizations want to keep hackers out of their data, they need to get smarter and build an impenetrable house for that data. The only way to do that is to perform a complete assessment of the structural quality and overall health of not only newly written code, but also any pre-existing code an application is built upon, to ensure it meets current standards and keeps pace with hacker intelligence.
Locating and addressing the vulnerabilities will keep organizations just a bit smarter than hackers and prevent them from huffing, puffing and blowing the data house down.
Erik Oltmans, an Associate Partner from EY, Netherlands, spoke at the Software Intelligence Forum on how the consulting behemoth uses Software Intelligence in its Transaction Advisory services.
Erik describes the changing landscape of M&A. Besides the financial and commercial aspects, PE firms now equally value technical assessments, especially for targets with significant software assets. He goes on to detail how CAST Highlight makes these assessments possible with limited access to the target’s systems, customized quality metrics, and liability implications of open source components, all three of which are critical for M&A due diligence.