When was the last time when you felt extremely certain of the company’s cybersecurity? In a world where giants like Anthem, Sony, Alibaba, and Target are getting hacked at the whims of organized crime, is there truly a definite answer to all your security problems?
Seasoned security experts say that two kinds of organizations fall prey to hacking, one which does not take its security seriously, second which believe that no one is going to hack them ever. Behind both these types, there are certain false assumptions that we are going to discuss here. Take a look at some of the top misconceptions that lead to failed information security.
1. My eyes are closed, no one can see me!
Okay. You are playing the game of cat and mouse. The mouse closes his eyes, thinks no one can see him, therefore he is safe.
And then pounces the cat!
We live in a world that is interconnected and any business online is global. If you are online, others can see you. Miscreants can attack your website, steal you’re and your customer’s data and cause you financial as well as brand loss. What can protect you? A strong application security posture.
You might also think that if you are attacked, you would know. After all, there will be some symptoms. Unfortunately, that is not the case anymore. There was a time when hacker’s attacks would be an announcement of a kind, proclaiming the feat that they would have accomplished by hacking your website- computers would crash, files would go missing, but their style has changed. Look at the latest kid in town, Regin- It has been on work since more than 6 years (possibly 8 years), lurking in your systems, stealing passwords and God knows what else, even taking screenshots of your system. And it has been discovered only now.
You might not even realize, and hackers on back-end could be controlling your infected system by a remote command. The only way by which you can be sure of whether you are infected or not is by a thorough application scan.
2. We are compliant. We don’t need application security
This is similar to saying, we live in a gated community, and we don’t need to keep our doors and windows locked and secure.
Compliance requirements are designed such that the businesses are enforced to follow some basic security guidelines. They are trying to make sure that businesses at least take some simple security measures to keep their customer’s data safe and be accountable for their business. But they are not saying in any way that if you follow these guidelines, which do help you in becoming a regulatory compliant company, you are following the best security measures and are secure from hackers.
Hackers are constantly looking for weak points in your apps. They do not care if you are PCI Complaint or follow all legislative requirements in accordance with your business. If you have a vulnerability, they will find it, sooner than later, and they will exploit it.
3. We have NEVER been attacked. I’m serious, never; so we don’t need application security.
Sorry, I was laughing too hard and pulling my hair simultaneously, hence it took me some time to respond.
How does ‘never’ being attacked qualify for never being attacked even in the future? You have never had a car accident, so will you forfeit your car insurance (Please tell me you have one!). So this is your business we are talking about, your sweat and blood, bread and butter for you and your employees. Your website, your apps, they are your companies’ external face. They represent your business and you, contain precious data from your customers. Can you make up for the loss if your website is defaced or data is stolen?
Also, thinking that you have never had a security breach does not translate into you having good security. It can also mean that you have been breached and you just didn’t know (Remember Regin, it needs to be scanned for to be detected).> Another huge problem can be that since you are not performing regular app security checks, you are unaware of certain vulnerabilities that might be existing in your system. If these vulnerabilities are sniffed by the hackers, they can be used to enter your system, which, if you are unfortunate, will be used to steal your data and if you are extremely unfortunate, will be used to sit inside your apps and quietly observe and steal data over a long period of time. Scary!
4. Confusion on who actually owns the responsibility of securing the applications.
John: Mary’s team is handling it.
Mary: David’s team is handling it.
David: Sorry, what are we talking about?
Who is actually responsible for securing your apps? The team that developed the software, IT or the in-house security team?
This is not a rare phenomenon. CISOs, CTOs have locked horns over this issue many times, and this is expected to continue. But in the event of a breach, the blame shifting is rampant, and even if you finally decide on who was at fault, the damage has been done. Firing someone (Target Breach) does not cover the financial loss, and even if it does (through insurance), the huge brand loss and breach of customer trust is not something that you can make up for, even in few years.
It is not necessary that the R&D/Tech team while writing the software, gave a lot of thought to the security of the code. Similarly, the Security team might be excellent in their job but may not be familiar with the risks of having a code filled with vulnerabilities (Heartbleed- the bug that shook the internet world was the result of a coder’s mistake.) This results in a divide between the two teams. The answer to this problem, go with experts. Not only are they good at what they do, but being in this line of work and focus day in and out on the new bugs found, malware creeping in and breaches happening, security is in their blood and they can turn out to be the best judge for the kind of security your business requires.
5. One Magic Bullet is All it Takes
Nope, security doesn’t work that way. Actually, nothing does. Medicines for your stomach, don’t work for the heart, meds for heart don’t work for lungs, and meds for lungs don’t work for kidneys…
Total application security is the need of the hour.
Enterprises who are actually concerned about their security should go for an in-depth analysis of their security requirements. You can talk to some good security researchers. They will analyze your business and tell you what all needs to be secured and how.
You have a website, it needs to be scanned daily for any vulnerabilities and malware. Once found, these need to be fixed.
Your store and exchange customer financial data on your websites, you need to be PCI Compliant.
Your traffic should always be encrypted, therefore the need for an SSL certificate.
Need proactive security? Perform a Penetration Testing and install a web application firewall. Penetration testing will help in finding all the major application vulnerabilities which could have been used by Hackers for forceful entry. Application firewall will filter out the bad traffic and pass good traffic to your website. It will also help you in fixing vulnerabilities virtually thereby providing you the buffer time to fix it in the code itself.
Source Code scanning. Helps to nip the problem in the bud, but is time-consuming and can take a lot of time to be fixed.
6. Pennywise and Pound-foolish
Signing up with a security vendor and deploying security solutions is too expensive, my business can’t afford it. Can your business afford a cyber attack?
The average cost of a data breach for an organization is $5.4 million. Now try saying, you are saving money.
Many security solutions are available with extremely affordable Total Cost of Ownership. This does not mean that you are going ahead with a solution because it is priced less- the lesser price at times can mean lesser quality as well. On the contrary, it means that you are signing up with vendors who have an impressive security history and security experts, and can help you with total application security by integrating different solutions to work with each other seamlessly, to provide you with best suitable and quality security solutions at an affordable price.
7. We trust the coders!
Very noble indeed.
Heartbleed: The computer bug that shook the world of the internet was the result of a coder’s mistake. So was the Internet explorer’s zero-day vulnerability. The massive effect of these bugs, especially Heartbleed was all to see…The truth is, coders are divine beings who are great at what they do but at times are not able to apprehend the aftereffects of a code which despite being beautiful ( J ) might be ridden with vulnerabilities. Security is an afterthought for them, not a necessary requirement. Things are improving, but they will not change overnight. Also, there are times when despite being cautious about making secure codes, vulnerabilities are left. Coders are humans too, you know!
They make mistakes, therefore re-emphasizing on the need for scanning codes. You can also make ‘secure codes’ part of the development contract. This will save you a lot of heartaches later.
8. Our website is SSL protected. That should be enough, right?
Secure Socket Layer or SSL, represented by a miniscule lock symbol beside the URL, does not represent that a website is secure. Its function is to provide communication security over the internet. It basically means that the information being transmitted over that website is encrypted and therefore information is not available for miscreants eavesdropping, in plain text. It also signifies that a website is authentic and not fake. But SSL it cannot protect the data that is stored on the website.
Do not misunderstand me please, SSL is essential for your website security, but it’s only part of a puzzle. It does not make the puzzle complete, and it sure as hell does not indicate the absence of malware. Malware can still be sitting on your website, pretending to be the kind of screen in “Mission Impossible- Ghost Protocol” where everything looks hunky dory on the front, but a nice theft of all sensitive data is going on behind it.
“Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit card information from someone living in a cardboard box to someone living on a park bench.” Gene Spafford Ph.D., Professor of Computer Sciences, Purdue University
9. “We conduct annual security assessments on our website, so it’s secure.”
I exercise once a year, I am fit as a fiddle
Complex – is the nature of most applications today
Constant – are the rapid and ongoing application changes
Control – over frequent change is tough for security teams
Misaligned – are budgets between application security and perimeter security
Targeted, Sophisticated, Frequent and Profitable are the hostile online threats today
These five lines explain to you, in the simplest possible way, why our websites need to be assessed as frequently as possible continuously.
Your websites and other applications change rapidly, due to the swift change in customer requirements, technology, and many other factors. The changes are made hurriedly with little thought about security.
Do you want an example? You add a pop-up for your customers to interact with your customer care, but forget to test it for vulnerabilities. Do you see what I am getting at?
Therefore, continuous application defense is a necessity.
10. “The vulnerability scanner did not report any website security issues, we are secure.”
I hate bursting your bubble, I really do, but I can’t even let hackers make you their prey!
Let me put it this way, security is an ongoing process which needs an in-depth outlook. Vulnerability scanners are great at crawling the entire website much faster than a human, they can cover a wide range of ‘known’ vulnerabilities based on the existing database but are valid only as much as the latest update.
You need vulnerability scanners. They are great at detecting poor codes and help in proactively finding out an issue with the applications, and prompts you to resolve them before they are found by hackers, but this requires action on your part. Our research has shown that 8 in 10 critical vulnerabilities remained unpatched for more than 30 days!
Considering you find known vulnerabilities, fix them timely, and that’s one checkbox ticked. But what about the zero-day vulnerabilities? A managed web application firewall protects you against them, where security researchers provide you with round the clock testing, expert analysis, and alerts. Based on the results, they can configure the rules to protect you from attackers trying to take advantage of the zero-day vulnerability.
Irrespective of whether your website is mature or new or you address B2B or B2C customers, there are some critical security concerns that need to be addressed on a regular basis. Taking help of professionals will only help you in facing the hackers with your ammunition ready and emerging victorious.
Founder & Chief Marketing Officer, Indusface
Venky has played multiple roles within Indusface for the past 6 years. Before this, as the CTO @ Indusface, Venky created the product/service offering and technology team from scratch and grew it from ideation to getting initial customers with a proven/validated business model poised for scale. Before joining Indusface, Venky had 10+ years of experience in the security industry and had held various mgmt/leadership roles in Product Development, Professional Services, and Sales @Entrust.