Corporate applications have become preferred channels of attack for hackers and other cyber criminals, according to one Canadian expert.
The IT security skills gap between attackers and the developers and defenders of these apps is intensifying this problem, said Brian O’Higgins, chief technology officer and founder of Third Brigade Inc.
Ottawa-based Third Brigade is a provider of host-based intrusion prevention systems.
“The current Achilles heel is application software,” he said. “It’s a low-hanging fruit.”
While 75 per cent of attacks happen at the application layer, O’Higgins noted that IT security experts focus on managing corporate networks, but rarely touch corporate applications, which may often be Web-based.
In addition, the advent of new scripting languages and the world of Web 2.0 and user-generated content facilitate application creation, making it easy for non-programmers to become increasingly involved in software development, he said.
Compounding the issue are market pressures to push software apps into service.
And customization of off-the-shelf software, such as ERP systems, by non-security-aware IT staff creates yet another gaping security hole, the Third Brigade executive said.
While corporate staff – the defenders – may not be full-fledged programmers, the attackers certainly are, according to O’Higgins, and easily exploit this skills divide.
Stefan Saroiu, professor at University of Toronto’s department of computer science, says IT staff with little programming training are probably writing vulnerable applications that companies rely on.
“In this sense there is a divide,” said Saroiu. “At one point, the most popular programming language was Visual Basic, which suggests the vast majority of programmers [have] little formal education in programming.”
However, at the end of the day, he said, companies recognize the increased need for a secure IT infrastructure.
He believes there is benefit in making IT staff more security aware. Another approach might be to bring in experts whose job it is to secure applications, he said.
O’Higgins suggested corporations start by anticipating the future and preparing for the unknown – with one caveat. Security, he emphasized, doesn’t mean perfection.
“The definition of security is you have to be a little bit better than the effort someone is willing to put to attack you.”
Besides writing better and more secure applications, awareness of corporate system vulnerabilities is a good place to start, for if they can’t be eliminated, organizations should at least be aware of them, said O’Higgins.
Once vulnerabilities are identified, he said, compensating controls should be put in place.
O’Higgins suggests IT staff should seek security knowledge from various sources including industry conferences, such as SecTor 2007 – a Canadian event launching this November in Toronto.
SecTor 2007 will focus solely on security issues from a local perspective.
Steve Ibaraki, president-elect of the Canadian Information Processing Society (CIPS), agrees that interacting within communities – via conferences, interest groups and newsletters – is a great way to meet like-minded professionals, learn about security threats, develop security skills, and pick up best practices.
He said CIPS often advises IT managers on how to augment their security knowledge so as to benefit their organization.
It often entails knowing the organization’s assets, assessing the corresponding threats, and taking ownership of different security areas, he said.
Setting data security and privacy policies and communicating those to the entire organization is crucial, Ibaraki said. Training on the policies and regular reassessment is also a must.
According to O’Higgins, the skills divide partly takes root in academia, where security training is lacking. “Right now, you can do a PhD in computer science without taking a single computer security course. That’s got to change.”
But Ibaraki, a former academic, thinks there is more attention being devoted to this area. Academia, he said, considers industry needs when adapting curriculums.
“I’d recommend that if industry itself is finding there needs to be more focus on security, then they need to make sure their voice is heard [through academic advisory boards].”
According to Saroiu, there is an increasing awareness in academia of the need to teach students better security skills. “Traditionally, we have taught students to build better programs, faster, simpler, more elegant, with fewer bugs – but we’re not thinking about how to build secure programs. But I think this is changing.”
This fall, in fact, the university will begin offering a specialist undergrad degree in computer security.
The skills gap exists universally across all sectors and sizes of organizations, said O’Higgins, and although the divide may be greater among small to mid-sized businesses, these firms aren’t the usual targets of attackers.
Despite this, the Canadian government and financial institutions demonstrate the best security practices, he says, and they’re good with sharing that wealth of knowledge.
The healthcare sector, on the other hand, has a “backward use of IT” while at the same time becoming increasingly ambitious with new technologies, which can potentially lead to trouble.