Architecting Cyber Security
Author - Vijay Kumar, Founder of DigitalFort
Corona Spiking Cyber Attacks?
After having decimated humans and animals internationally, the virulent corona has made inroads across the firewalls, the intrusion detection/prevention systems and the de-militarised zones(DMZ). Don’t get bogged down by these jargons, but the fact is hackers have been super active during the ongoing flu season. Cyber attacks have surprisingly spiked. Just recently, World Health Organization (WHO) was attacked (Source: Forbes) and such trends have increasingly been lately seen across many countries. In Italy alone, cyber attacks have increased by 200% during Corona regime.
As per CSO Business Report,
- There is a hacker attack every 39 seconds.
- In 2018, hackers stole 0.5B personal records and over 75% of the healthcare industry was infected with malware in 2018-19.
- Most companies take nearly 6 months to detect a data breach.
- 95% of cybersecurity breaches are due to human error.
- Cybercrime damage costs would hit $6 trillion annually by 2021.
Security attacks dent not only an enterprise image but also it’s competitive positioning. As a result, enterprise security businesses are evolving like never before. Today there are more than 500 companies alone in cybersecurity space; there was hardly a handful a decade ago (Source).
No doubt, these firms help us become secure. However, implementing & continuously upgrading such solutions come at a cost. For an SME (Small & Medium Enterprise), this means an increase in the cost of operations and a dent in profitability. So, what should these firms do if they want to enhance security quotient in their application/product without having to spend too much on such solutions? The answer is obvious: build security in their offerings. But how? Let us delve onto one such idea – something not so commonly talked about.
Architecting Security: A Perspective on Software Dependencies
A software application relies on dependencies. A dependency arises at different times: it could arise either during system startup, application startup or during application execution/run time. Dependencies could be with libraries, third parties, registry keys (windows), configuration files (Unix), some expected inputs formats (from I/O operations or from user interfaces), required memory size, disk space usage or network availability.
Just imagine the scenario when one of these dependencies starts giving up – would your application still be reliable? Would it continue to behave the same way it is meant to be? And most importantly, how would you ensure that all dependencies that your application relies upon remain available, intact, robust & most importantly – “secure”?
At times & because of constraints (time, resource, cost, experience, etc.), these potential outcomes may not be considered during application design, leading to dreaded un-handled exceptions. Such dependency failures could take many forms: from application crashes to sensitive data (e.g. passwords) being dumped on to screen or on to some file. In the pursuit to identify such design flaws, attackers/hackers target such vulnerabilities & the exact time these dependencies get called. Once their research is done, they plan & execute such attacks.
So, what should we do to circumvent such malicious intent from these hackers
- Identify all your application dependencies. The more legacy the application, the more likely the vulnerability.
- Take a closer look at the time of usage of such dependencies.
- Now try to block usage of such dependencies (e.g. dll, api) as & when they get called.
- Now see how your application behaves in such deprived conditions.
- Most of the time, you would notice that application crashes or sensitive data (e.g. passwords) get dumped on to screen or onto some temporary file.
Let this be food for thought as you architect your next application. At the same time, could this be a lever for your Competitive Advantage? Absolutely, yes. Show how your competitor’s application crashes and how yours doesn’t? This could be a good enough reason to win the First Movers Advantage as you design your next software application.