Understanding the enterprise threat environment for hacking prevention

In the past few months quite a few hacking reports have hit the headlines, notably the takedown of the CIA's public web site, the breach of Sony's PlayStation Network, and the News of the World phone-hacking scandal, among others. No wonder it is said that hacking is now a "business", in many cases carried out by organized groups such as LulzSec or Anonymous. With the disclosure of the widely reported attack on uranium enrichment control systems by the well designed and implemented "Stuxnet" malware, there is good evidence that information system hacking has become a weapon of warfare, much like a nuclear bomb or a cruise missile.

With the globally connected Internet, hacking threats can come from any corner of the earth and strike at any moment without being noticed. With hackers active 24×7 around the globe, how can an enterprise defend against these almost invisible threats?

To address enterprise information security and prevent hacking and intrusion, there have been many discussions of setting up layered defense: perimeter ACLs, firewalls, IDS, IPS, proxies, anti-virus and anti-malware. These are all good and necessary measures to thwart hacking and intrusion, yet many successful intrusions are still being reported, with potentially many more still going on silently.

I think one reason hacking is able to succeed is, at least partially, the failure of quality assurance in the software engineering industry. Besides social engineering attacks, hackers typically take advantage of vulnerabilities in operating systems, applications or protocols. Those vulnerabilities come from inherent weaknesses of programming languages (unchecked memory access in C, for example), from architectural design, or from application code written by programmers who lack sufficient security skill or sufficient time to implement security measures. Even today, the priority of many vendors is still getting the product to market quickly to win the competition, and for many small startups, being quicker to market is vital to their survival. After all, the "A" in the CIA triad stands for "availability", doesn't it?

To ensure enterprises have secure operating systems and applications to run in their environment, the software industry (including in-house development) needs to adopt consistent security assurance before releasing a product. That includes using well tested security components such as OWASP ESAPI for input validation and output encoding rather than hand-rolled routines, and adopting the open standards recommended by MITRE, such as CPE (Common Platform Enumeration) and CCE (Common Configuration Enumeration), so that platforms and configuration settings are named consistently across tools. Running OS processes in separate, protected memory spaces limits the damage a compromised component can do and the spread of malware, as realized in Juniper JUNOS, Palo Alto PAN-OS and Apple iOS.

Given that security is always an evolving process, enterprises need a good understanding of both external threats and their internal defenses. External threats include organized hacking groups, their operations and activities, and most importantly the tools and techniques they could leverage. While it is not possible to know or prevent every external threat, given the original design purpose of the Internet, i.e. connecting the whole world, an enterprise should be able to examine its attack surface for possible attack vectors. Internet entry points (ISP-facing routers and the DMZ), B2B entry points, VPN gateways and wireless access points are especially important. A properly designed routing architecture, router ACLs, firewall rules and application-layer prevention help block external attacks. Application-layer detection and prevention is so far the most difficult, because of the numerous attack patterns and OS/application vulnerabilities; identifying attacks in tons of daily data is still a challenge. However, if an enterprise maintains an up-to-date systems inventory, centralized configuration control, and an effective vulnerability tracking and patching process, defending against external threats becomes much easier. Even better, if information system vendors adopt open standards for software development, security assurance, XML-based configuration, vulnerability assessment (OVAL) and automated patching, I'm sure it will significantly reduce the window of exposure to external threats.
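As an added example (not code from the original post), here is a small Python program that puts the inventory-plus-vulnerability-tracking idea into practice: each host in an asset inventory is described with CPE 2.3 names, the inventory is matched against a vulnerability feed expressed as CPE patterns with version ranges, and the hits are listed with the Internet-facing zones named above (DMZ, VPN, B2B) first. The hostnames, zones and the VULN-EXAMPLE-* records are constructed placeholders, not real advisories; only the CPE naming syntax is the real one from MITRE.

```python
"""Matching a systems inventory against a vulnerability feed by CPE name.

Added example, not code from the original post. Hosts, zones and the
VULN-EXAMPLE-* records are constructed for illustration; the CPE names use
the real cpe:2.3 formatted-string syntax, but nothing here is a real advisory.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

CPE_PREFIX = "cpe:2.3:"
CPE_FIELDS = ["part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other"]

# Zones the post singles out as external entry points (DMZ, VPN, B2B).
EXPOSED_ZONES = ("dmz", "vpn", "b2b")


def parse_cpe(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into its 11 named components.
    A literal colon inside a component is escaped as '\\:', so split only
    on unescaped colons."""
    if not cpe.startswith(CPE_PREFIX):
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    parts = re.split(r"(?<!\\):", cpe[len(CPE_PREFIX):])
    if len(parts) != len(CPE_FIELDS):
        raise ValueError(f"expected {len(CPE_FIELDS)} components in {cpe}")
    return dict(zip(CPE_FIELDS, parts))


def version_key(version: str) -> Tuple:
    """Order versions segment by segment, numerically where a segment is all
    digits ('2.10' > '2.9'); non-numeric segments sort after numeric ones."""
    key = []
    for seg in re.split(r"[.\-]", version):
        key.append((0, int(seg)) if seg.isdigit() else (1, seg))
    return tuple(key)


@dataclass
class Vuln:
    vuln_id: str                          # hypothetical placeholder id
    cpe_match: str                        # CPE 2.3 pattern; '*' = any value
    version_start: Optional[str] = None   # inclusive lower bound
    version_end: Optional[str] = None     # exclusive upper bound


@dataclass
class Asset:
    host: str        # constructed hostname
    zone: str        # network zone the host sits in
    cpes: List[str]  # CPE names of the OS and applications installed


def vuln_applies(inventory_cpe: str, vuln: Vuln) -> bool:
    """True if the record's CPE pattern and version range cover the inventory
    CPE. Non-version fields must match (case-insensitive) unless '*'."""
    target, pattern = parse_cpe(inventory_cpe), parse_cpe(vuln.cpe_match)
    for field in CPE_FIELDS:
        if field == "version":
            continue
        if pattern[field] != "*" and pattern[field].lower() != target[field].lower():
            return False
    if pattern["version"] != "*":
        # Pattern pins a single version; the range fields are not consulted.
        return pattern["version"].lower() == target["version"].lower()
    if target["version"] == "*":
        return False  # unknown inventory version: do not claim a range match
    v = version_key(target["version"])
    if vuln.version_start and v < version_key(vuln.version_start):
        return False
    if vuln.version_end and v >= version_key(vuln.version_end):
        return False
    return True


def exposure_report(assets: List[Asset], feed: List[Vuln]) -> List[Tuple[str, str, str, str]]:
    """Return (host, zone, cpe, vuln_id) findings, exposed zones first."""
    findings = []
    for asset in assets:
        for cpe in asset.cpes:
            for vuln in feed:
                if vuln_applies(cpe, vuln):
                    findings.append((asset.host, asset.zone, cpe, vuln.vuln_id))
    findings.sort(key=lambda f: (f[1] not in EXPOSED_ZONES, f[0]))
    return findings


# Constructed inventory (hostnames and zones are made up for this example).
ASSETS = [
    Asset("dmz-web01", "dmz", ["cpe:2.3:a:apache:http_server:2.2.15:*:*:*:*:*:*:*"]),
    Asset("dmz-web02", "dmz", ["cpe:2.3:a:apache:http_server:2.4.18:*:*:*:*:*:*:*"]),
    Asset("int-db01", "internal", ["cpe:2.3:a:oracle:mysql:5.5.30:*:*:*:*:*:*:*"]),
    Asset("vpn-gw01", "vpn", ["cpe:2.3:o:juniper:junos:10.4:*:*:*:*:*:*:*"]),
]

# Constructed feed with placeholder ids; the ranges are invented, not real.
FEED = [
    Vuln("VULN-EXAMPLE-1", "cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*",
         version_end="2.2.20"),
    Vuln("VULN-EXAMPLE-2", "cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*",
         version_start="5.5.0", version_end="5.5.35"),
    Vuln("VULN-EXAMPLE-3", "cpe:2.3:o:juniper:junos:10.4:*:*:*:*:*:*:*"),
]

if __name__ == "__main__":
    for host, zone, cpe, vuln_id in exposure_report(ASSETS, FEED):
        print(f"{zone:8} {host:10} {vuln_id:15} {cpe}")
```

Real feeds such as NVD express the same information as a CPE match string plus versionStartIncluding / versionEndExcluding fields, which is what the version_start / version_end fields mimic here. The point of the exercise is that once the inventory and the feed both use the same CPE names, the join between "what we run" and "what is vulnerable" becomes mechanical, and sorting by zone turns it directly into a patching priority list for the attack surface.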
