IDG Contributor Network: Basic training: Cybersecurity lessons inspired by an opportunistic developer
Today, not only do we see a significant increase in the number of cyber attacks, but by design the incidents are also more fearless and larger in their scale and impact to the business. According to Cisco, the frequency of distributed denial of service (DDoS) attacks has increased more than 2.5 times since 2013, with the current average DDoS attack large enough to take many organizations completely offline.
Most businesses have cybersecurity initiatives, but how can we be sure the policies and people are keeping pace with the threats that are becoming more dynamic as technology progresses? TechRepublic reported that an estimated 90 million cyber attacks occurred in 2016, which means 400 attacks every minute. As data travels through a virtual ecosystem, security must extend beyond the device itself.
Near real-time requirements
The new “on-demand, near real-time” requirement is at the forefront of business operations, including personal entertainment and beyond. Data users expect to have a seamless experience, no matter how large their data requirements.
The number of connected IoT devices—from refrigerators to health devices—is projected to grow at an annual compound rate of 23.1 percent from 2014 to 2020, reaching 50.1 billion things in 2020, according to Forbes. Whether or not the number of devices connected to the internet reaches this lofty number in the next few years, it is clear that the growth in sensors and gadgets will increase. The question is: “If devices continue to advance at this rate, how will all of this data stay protected, private and secure?”
There are many ways to protect from cyber threats; investing the time and resources into doing so is of critical importance. Take a closer look at your organization—from policy development to selecting and implementing the right proactive tools—always thinking about how each person contributes to the overall security of your business. In addition to developing new practices for security, companies should also implement the core foundational principles and best practices along the way.
Cybersecurity: Back to basics
During my years of consulting for some of the top Fortune 100+ companies, I came across many security situations. One particular occurrence was at a global company, which I will refer to as Company X. While Company X had a customer base in the tens of millions, it’s highly possible that this scenario could happen just as easily today with other companies. It’s an example of how the basics can help keep us secure at the edge:
Company X—with a customer base in the tens-of-millions—had developed a customer-facing application that was built to give their customers the ability to manage their own accounts. The company wrote its applications with an in-house development team. Typically when a developer is programming for a large platform like this, he/she will iterate many times through their code and will need lots of test data for various “real-world” customer scenarios (this ensures the application is working).
To minimize the amount of time retrieving test customer data, an opportunistic developer wrote a helper application that bypassed all security and allowed anyone to log in and retrieve customer data. He deployed the code to the development environment where he used it to get data for systems testing.
A few weeks later a customer support representative opened a ticket, and in the client’s help ticket he added the link to the private developer’s application as a source for where he went to verify customer information. Many of the client-service representatives preferred to use this tool because it was so much simpler to use (no password)—but this was a security violation. Some dozens and dozens of internal staff had used this tool. In this situation, the breach was resolved quickly, but it could have exposed millions of customers.
5 cybersecurity best practices
How could Company X have caught the problem sooner using basic cybersecurity practices?
1. Education. It should go without saying that educating people of the ramifications of poor choices and putting in place adverse consequences for those poor choices can help drive better behavior. This is why standards such as ISO 27001 and PCI are in place and so important—they help provide controls to prevent situations like this.
2. Network isolation. A person in the customer support group in another building should never be able to access the development environment located across campus. A computer that is least likely to be hacked is one that is unplugged from the network and powered off. We need our systems powered on, so a good solution is to isolate them on the network. An network-isolated system would never have been reachable from the customer support network.
3. Social behavior. Why didn’t one of the many others who used this tool say, “You know, this doesn’t seem right. Isn’t this a security breach?” Just because someone is doing something, doesn’t mean it’s the right thing to do. This developer wasn’t the only one who created helper applications—there was a culture pushing for automation like this tool. In this case, time to market, long hours and the need to build faster were all contributors.
4. Helper tools code review. The teams at Company X did application code reviews, but did they ever discuss or examine the tools? There are code scanners that check code base for malicious code. But did the developer test production code only? Or would they have known to test the tools as well? Including helper tools in the code review process can identify this.
5. Separation of powers. Being first can gain you a competitive advantage. But when being first means you use your developers to push code, this puts extra pressure on them. Many are so used to working in a safe environment that they might not always think about security first. They might think, “I need to fix this issue and will develop the better fix tomorrow.” Building in an additional layer and having someone in DevOps push the code can reduce the risks.
Now that we have “edge” and “IoT” in our vernacular, it may seem that we are pushing the envelope. But at the core, aren’t we still just developing applications that use networks to communicate? The applications might seem more advanced and have much more capability, but, still, the basics work.
This article is published as part of the IDG Contributor Network. Want to Join?