IT Security needed today – Data governance, fact based risk management and Adaptive Security Architectures.

Posted on September 17, 2015


There is a term to describe a testing technique used by programmers, whether they are hackers or the good guys, for hitting software where it hurts to discover bugs and holes that represent vectors for attack. It is called Fuzzing.

It is effective and guarantees results. Anyone who questions that guarantee simply does not have the patience or the tenacity to sift through the false positives in fuzzing output logs. It is a mind-numbing process akin to panning for gold: you will get a lot of small bugs that do not amount to much, but with patience a nugget will turn up. The nuggets come in the form of a bug in a class that allows the malformed string used in the fuzzing run to corrupt memory. In simple terms this gives the hacker a means of inserting their own commands into a process, which can circumvent software security and establish a bridgehead on the underlying system... game over.
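As an added illustration of the "panning for gold" described above (example code, not part of the original post): a constructed parser with a planted missing length check, a small mutation fuzzer, and crash bucketing that collapses thousands of noisy log entries into a handful of distinct bugs. The KEY=LEN:PAYLOAD record format, the buffer size and all names are assumptions made up for this example.

```python
import random
import re
import traceback

BUF_SIZE = 8  # constructed: stands in for a fixed-size C stack buffer
INTERESTING = [0, 1, 7, 8, 9, 16, 255, 65535]  # boundary values a fuzzer tries

def parse_record(data: bytes) -> bytes:
    """Constructed target: KEY=LEN:PAYLOAD; the missing LEN <= BUF_SIZE check is the planted defect."""
    _key, _, value = data.partition(b"=")
    len_text, _, payload = value.partition(b":")
    n = int(len_text)                        # junk length: ValueError (noise)
    if n > len(payload):
        raise ValueError("declared length exceeds payload")  # correct check, also noise
    buf = bytearray(BUF_SIZE)
    for i in range(n):
        buf[i] = payload[i]                  # n > BUF_SIZE: IndexError, the "nugget"
    return bytes(buf[:n])

def mutate(rng: random.Random, data: bytes) -> bytes:
    """Stack 1-3 mutations: overwrite, insert, delete, or swap a decimal run for a boundary value."""
    data = bytearray(data)
    for _ in range(rng.randint(1, 3)):
        op, pos = rng.randrange(4), rng.randrange(len(data))
        if op == 0:
            data[pos] = rng.randrange(256)
        elif op == 1:
            data.insert(pos, rng.randrange(256))
        elif op == 2 and len(data) > 1:      # never shrink to an empty input
            del data[pos]
        elif op == 3 and (m := re.search(rb"\d+", bytes(data))):
            data[m.start():m.end()] = str(rng.choice(INTERESTING)).encode()
    return bytes(data)

def fuzz(seed_input: bytes, iterations: int, seed: int = 1) -> dict:
    """Run the target on mutated inputs; bucket crashes by (exception type, line) to deduplicate the log."""
    rng, buckets = random.Random(seed), {}
    for _ in range(iterations):
        sample = mutate(rng, seed_input)
        try:
            parse_record(sample)
        except Exception as exc:             # one crash = one raw log entry
            line = traceback.extract_tb(exc.__traceback__)[-1].lineno
            hit = buckets.setdefault((type(exc).__name__, line), {"count": 0, "sample": sample})
            hit["count"] += 1
    return buckets

def nuggets(buckets: dict) -> list:
    """In this model only an IndexError on the copy loop is an out-of-bounds write; ValueErrors are the small bugs in the pan."""
    return sorted(k for k in buckets if k[0] == "IndexError")
```

Running `fuzz(b"note=8:hello world, hello moon", 2000)` yields several ValueError buckets (malformed or oversized lengths) and exactly one IndexError bucket, whose saved sample reproduces the missing bounds check on demand.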

With every 1,000 lines of software code containing numerous bugs, the attack surface is growing exponentially; quoting from the book ‘Code Complete: A Practical Handbook of Software Construction, Second Edition’:

  1. Industry Average: “about 15 – 50 errors per 1,000 lines of delivered code.”
  2. Microsoft Applications: “about 10 – 20 defects per 1,000 lines of code during in-house testing, and 0.5 defect per KLOC (KLOC = 1,000 lines of code) in released product (Moore 1992).”
  3. Cleanroom development: “A Harlan Mills pioneered technique that has been able to achieve rates as low as 3 defects per 1,000 lines of code during in-house testing and 0.1 defect per 1,000 lines of code in released product (Cobb and Mills 1990). A few projects – for example, the space-shuttle software – achieved a level of 0 defects in 500,000 lines of code using a system of formal development methods, peer reviews, and statistical testing.”

Worrying, to say the least, when we confront the poor job we are doing in adjusting to the new threat realities with current application hardening and shielding. Let alone the legions of legacy applications and systems, ill-suited to the modern threat landscape, that enterprises, government and defence depend on.

So when we apply this to the new world evolving out of the blurring of our physical and digital lives, we should sit up and pay close attention to the nightmare we are sleepwalking into.

As I have written before in ‘Internet of Things (IoT), Convenience or Calamity?’, the IoT is going to take the familiar private and work density of computing dependency we have become accustomed to and raise it to extraordinary new levels of interdependence.

We are still struggling to come to terms with the security challenges in the new business designs being implemented to harness the latest generation of Cloud Computing and BYOD (Bring Your Own Device): new business models driven by the cost savings off the back of our double-dip recession. These models are not fully understood by business or internal IT teams, who are grafting them onto old-world processes and practices. The end result is further security exposure, magnified by the absence of the analytics and specialist roles necessary to execute the data-centric audit and protection fundamental to protecting these new models.

The lack of data governance and fact-based risk management remains a major Achilles heel in addressing IT security, compounded by the poorly adaptive security architectures of the current generation of ‘defence in depth’ deployment models.

  • Data Governance – putting order into the world of unstructured data types and use cases.
  • Risk Management – to combat advanced persistent and targeted attacks.
  • Adaptive Security Architectures – driven by continuous monitoring and analytical feedback for effective context awareness and control, in the form of ‘Security Information and Event Management’ (SIEM) and adaptive Identity and Access Management.

Oversimplified, but it is necessary to start with the basics as many organisations simply do not get it. We are moving from a control-centric security world to a people-centric execution model better suited to the mobile world we all really live in, despite the attempts at constraint imposed by organisations.

I cannot stress the urgency enough for organisations who think they have time. The old-world luxury of time to adapt at the traditional tectonic pace of cultural change is a death sentence. It is obvious to anyone paying attention that IoT is already starting to rewrite the industrial automation and physical security playbook, dialling it up yet again.

A good place to start is by answering the following questions:

  1. How well are your current security strategy and risk practice keeping pace with shifting threats?
  2. How realistic and qualified are the risks driving your security activities?
  3. What is the honest state of awareness amongst your executive stakeholders of the challenges they face, based on qualified risk factors?
  4. How well are your risk factors aligned with your business KPIs?
  5. Do you have an up-to-date Cyber Security reporting process suitable for executive stakeholder consumption and understanding?
  6. At any point in time, are all your IT systems kept up to date with the latest vendor security patches and configured to meet best-practice security standards?

Do not feel disheartened: few organisations, even the biggest enterprises, will find that they do not have significant work to do across these foundation areas of insight. But DO feel concerned, and an urgency to address the shortfalls, as these are some of the first steps in addressing your current exposure.

Critically, DO NOT try to do this alone. Not only is that a lonely place to be, it is dangerous not having some trusted allies watching your back. Despite your wealth of experience in your own systems and understanding of your business, you can magnify the quality and effectiveness of your response exponentially with the help of specialists in this field.

No business or individual is immune, and there is no digital wonder inoculation: be aware, be ready, be prepared.