Today the cyber threats are a reality as the cyber world itself. The security threats come from different sources and in the unpredictable interval. This article helps to the readers to thwart the various cyber security threats in the cyber world.
Of late, cyber-criminal activities across the globe have assumed such grave proportions that all enterprises - big and small, are exposed to security breaches and identity thefts of various kinds. Combating cyber attacks successfully is a serious business. It cannot be achieved with sporadic knee jerk reactions or frequent band aid patches. The strategy has to be long term with sound basics in place. India has been at the receiving end of these cyber attacks because there is no formulated national policy on how to take on these attacks and each day brings a new surprise of a new victim.
If one were to point out all the list of cyber-crimes and security incidents will go on and on and will fill volumes of pages. So let us dwell on the various levels of securing the cyber space.
The present security scenario comprises a mix of the following security rings:
Network level: It comprises firewalls appropriate for the perceived need.
Application level: An array of application security tools such as Fortify, Security Innovation etc.
Information level: How to protect precious data on your data servers.
Cyber Defense
Considering the fact that most of the recent cyber attacks have been successful shows that the first line of cyber defence, viz. firewalls and anti-virus tools are somewhat falling short of user expectations.
At the application level, unless we can keep down the vulnerabilities to zero, the code stands exposed to cyber attacks. The way to do it is to write applications software in such a way that it includes zero vulnerability. Vulnerability is a flaw in one's code which facilitates a cyber attacker to get into your code and take control.
Once he has taken control of your code, it is an easy matter for him to enter your data base and redirect all the confidential information to a server of his choice, one that is usually located in enemy territory. Our goal must be to make sure our developed code has zero vulnerability.
Secure Tools
There are well known tools available in the market that usher in a secure guidance environment towards development of secure code.
TeamMentor is one such tool. Ideally, all software development centers, unless they have their own home grown tools, should be using a tool that effectively prevents developers inadvertently including any vulnerabilities with their code.
Most organisations are in the midst of developing new code and adding to their backlog of already developed code, which was, perhaps, developed at a time, when security concerns were not paramount. What organisations must do in such situations is to take the backlog of such code, have them scanned with a well known scanner, like CheckMarx or Fortify and replace the identified vulnerabilities with secure equivalents.
Since the backlog of such code usually runs into millions of Lines Of Code (LOC), there is a tendency for software people to baulk at this responsibility and keep postponing this initiative, thus adding to their perils. However, things are fast changing.
Writing Secure Code
Some of the scanners in the market place have become quite smart. For instance, a brand new server based scanner license can direct the process to access specific code files from different computer nodes, scan them in a pre-determined sequence and redirect the results to the respective nodes or to another server.
Thus, if the network lines are really fast and stable, one can initiate a scan of program files in Delhi while sitting in Mumbai and present the results to the original client in Delhi or redirect the results to a remediation center in Bangalore, who can clean up the vulnerabilities and substitute them with 100 per cent secure code and send back the cleaned up code to Delhi, provided, of course, the network lines are clean, secure and fast.
Since the process is automatic, vast tracts of old unsecured code can now be converted into secure code quickly without any contribution of significant human labour.
Taking a long term view, all universities in India must start including a session or two on cyber security and on how to write secure code. The industry badly needs software engineers who can write secure code.
Despite being the leading software powerhouse in the world, India has very few, who have specialised in Secure Development Language (SDL). This flaw needs to be corrected from the coming academic year.
The same applies to all software development organizations. It is far better and cheaper in the long run to write secure code from day one rather than write code as usual and then worry about cleaning up the vulnerabilities later. Remember the popular saying: Prevention is better than cure.
Ethical Hacking is Necessary
It is also high time organizations had their own ethical hackers whose goal is to try and bust all tall security claims made by the software developer or tester. These ethical hackers do their best to attack the code just the way a street smart cyber hacker would do to make sure your software is impregnable. It can be thought of a QA Lab in a company.
Ethical hacking is not bad although the word hacking carries negative connotations. Ethical hacking is becoming increasingly necessary for our survival. There are professional courses available on ethical hacking.
A Brief Conclusion
With the constant cyber attacks, it is very crucial that security programmer’s code should be targeted at every malicious code trying to disrupt the computers and networks. In this article we have highlighted some of the unconventional means of securing cyber threats from various sources.
—By: R. Manoj. The author is an Assistant Editor at Fanatic Media, Bangalore. He is also an Independent Researcher, specializing in Digital Security Systems. He has an active interest in designing security algorithms for securing mission critical systems. He can reached at infosecurity@fanaticmedia.com |
