
Software: The eternal battlefield in the unending cyberwars

Internet attacks take many forms, but most of them exploit persistent weaknesses in software.

By Gary Anthes
April 27, 2009 12:00 PM ET

Computerworld - "We are at risk. Computers are vulnerable to the effects of poor design, insufficient quality control, accident and, perhaps more alarmingly, to deliberate attack." -- Computers at Risk, Computer Science and Telecommunications Board, National Research Council, 1991.

Now, 18 years later, we are still at risk. Our computers are still vulnerable. They still suffer attacks enabled by poor design and insufficient quality control. We spend huge sums on IT security, yet U.S. companies and individuals are losing tens of billions of dollars annually to cybercrime.

In January, Heartland Payment Systems Inc. reported what may be the largest data heist ever.

The company said that a "global cyberfraud operation" stole information from more than 100 million credit cardholders. Someone had planted a software "sniffer" on a Heartland server, where it apparently nosed around undetected for weeks.

These mega-breaches make big news and cause their victims big pain. But they are just the tip of a huge cybercrime iceberg. Last September, Gartner Inc. published a chilling case study about The Procter & Gamble Co., a business known for its sophistication in IT and one with a robust deployment of firewall, intrusion detection and antivirus software tools.

P&G conducted a six-month worldwide audit of its PCs to see if any were infected by hidden software robots, or bots, which can connect to botnets secretly controlled by external parties. Using special sensor software, P&G discovered that some 3,000 of its 80,000 PCs were infected with botnet clients. These bots were attempting to communicate with a dozen remote-control sites, with about 20% of those attempts getting through P&G's security measures.
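The audit above boils down to a question any security team can ask of its own egress logs: which internal hosts are trying to reach known remote-control sites, and how many of those attempts are being allowed out? The following is an added example, not code from the article, from P&G or from Gartner. It assumes a constructed proxy/firewall log format (`src=`, `dst=`, `action=` fields) and a constructed list of remote-control hosts standing in for a threat-intelligence feed; both are made up for illustration.

```python
import re
from collections import defaultdict

# Constructed sample egress (proxy/firewall) log lines. The field layout is an
# assumption for this example; real products use their own formats.
SAMPLE_LOG = """\
2009-04-01T08:00:01 src=10.1.4.22 dst=update.vendor-example.com action=ALLOW
2009-04-01T08:00:07 src=10.1.4.22 dst=cc-node1.example.net action=DENY
2009-04-01T08:05:07 src=10.1.4.22 dst=cc-node1.example.net action=DENY
2009-04-01T08:10:07 src=10.1.4.22 dst=cc-node1.example.net action=ALLOW
2009-04-01T08:00:30 src=10.1.9.8 dst=mail.corp-example.com action=ALLOW
2009-04-01T08:01:10 src=10.2.7.3 dst=cc-node2.example.org action=DENY
2009-04-01T08:06:10 src=10.2.7.3 dst=cc-node2.example.org action=DENY
2009-04-01T08:02:45 src=10.1.9.8 dst=cc-node1.example.net action=ALLOW
"""

# Constructed list of known remote-control (C2) hosts, as a threat feed would supply.
C2_HOSTS = {"cc-node1.example.net", "cc-node2.example.org", "cc-node3.example.com"}

LINE_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) action=(?P<action>ALLOW|DENY)")


def parse_log(text):
    """Yield (src, dst, action) for every line that matches the assumed format."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("dst"), m.group("action")


def audit_c2_traffic(log_text, c2_hosts):
    """Return (infected hosts -> C2 sites contacted, total attempts, attempts allowed out).

    A host is flagged as infected on its first attempt, whether or not the
    perimeter blocked it: a DENY proves the bot is there, not that the host is clean.
    """
    infected = defaultdict(set)
    attempts = allowed = 0
    for src, dst, action in parse_log(log_text):
        if dst in c2_hosts:
            infected[src].add(dst)
            attempts += 1
            if action == "ALLOW":
                allowed += 1
    return dict(infected), attempts, allowed


def report(log_text, c2_hosts):
    """Summarise the audit the way the P&G figures are presented: hosts, sites, leak ratio."""
    infected, attempts, allowed = audit_c2_traffic(log_text, c2_hosts)
    sites = sorted(set().union(*infected.values())) if infected else []
    return {
        "infected_hosts": sorted(infected),
        "c2_sites_contacted": sites,
        "attempts": attempts,
        "allowed": allowed,
        "allowed_ratio": (allowed / attempts) if attempts else 0.0,
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG, C2_HOSTS).items():
        print(f"{key}: {value}")
```

On the constructed log, three hosts are infected, two of the listed remote-control sites are being contacted, and two of six attempts get through. The design point is in `audit_c2_traffic`: blocked beacons still count as infections, so a firewall that denies 80% of C2 traffic has found 100% of the bots, not cleaned up 80% of them.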


But that's not all. P&G scrubbed the offending bots by re-imaging the PCs, the laborious process of wiping each machine and reinstalling all of its software, operating system included. According to Gartner, however, many PCs became reinfected immediately when backed-up user data that contained hidden executables was restored to the re-imaged machines.
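The reinfection-on-restore failure mode has a direct countermeasure: scan the restore set for executable content by file header, not by file name, and quarantine hits before they reach the clean machine. The following is an added example, not code from the article, from P&G or from Gartner. It assumes a constructed sample backup tree built in a temporary directory (`build_sample_restore_set`) in which two executables carry document and audio file names; the signature table and extension list are this example's own choices, not an exhaustive catalogue.

```python
import os
import shutil
import tempfile

# Executable content signatures (file magic), checked regardless of extension.
MAGIC = {
    b"MZ": "pe",                    # Windows PE: exe, dll, scr
    b"\x7fELF": "elf",              # Linux ELF
    b"#!": "script",                # shebang script
    b"\xcf\xfa\xed\xfe": "macho",   # Mach-O 64-bit, little-endian
    b"\xfe\xed\xfa\xcf": "macho",   # Mach-O 64-bit, big-endian
}
# Extensions Windows will hand to an interpreter even without a recognisable header.
EXEC_EXTENSIONS = {".bat", ".cmd", ".vbs", ".js", ".ps1", ".scr", ".pif", ".com", ".hta"}


def classify(path):
    """Return the kind of executable content found, or None for non-executable data."""
    with open(path, "rb") as f:
        head = f.read(8)
    for sig, kind in MAGIC.items():
        if head.startswith(sig):
            return kind
    if os.path.splitext(path)[1].lower() in EXEC_EXTENSIONS:
        return "script-ext"
    return None


def scan_restore_set(root):
    """Walk a backup tree and return sorted [(relative_path, kind)] for executable content."""
    flagged = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            kind = classify(full)
            if kind:
                flagged.append((os.path.relpath(full, root).replace(os.sep, "/"), kind))
    return sorted(flagged)


def quarantine(root, quarantine_dir):
    """Move every flagged file out of the restore set so it never lands on the re-imaged PC."""
    moved = []
    for rel, kind in scan_restore_set(root):
        dest = os.path.join(quarantine_dir, rel)
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        shutil.move(os.path.join(root, rel), dest)
        moved.append((rel, kind))
    return moved


def build_sample_restore_set(root):
    """Constructed 'user data' backup: benign files plus disguised executables (sample data)."""
    samples = {
        "Documents/notes.txt": b"quarterly notes\n",
        "Pictures/photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
        "Documents/Q3 report.doc": b"MZ\x90\x00" + b"\x00" * 60,   # PE hiding behind a .doc name
        "Downloads/setup.exe": b"MZ\x90\x00" + b"\x00" * 60,
        "Desktop/update.vbs": b'Set o = CreateObject("WScript.Shell")\n',
        "Music/track01.mp3": b"#!/bin/sh\necho hello\n",           # shell script with an audio name
    }
    for rel, data in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return root


def run_demo():
    """Build the sample set, scan it, quarantine hits, and rescan to confirm it is clean."""
    work = tempfile.mkdtemp(prefix="restore-scan-")
    restore_root = build_sample_restore_set(os.path.join(work, "restore"))
    flagged = scan_restore_set(restore_root)
    moved = quarantine(restore_root, os.path.join(work, "quarantine"))
    remaining = scan_restore_set(restore_root)
    return flagged, moved, remaining


if __name__ == "__main__":
    flagged, moved, remaining = run_demo()
    for rel, kind in flagged:
        print(f"quarantined {rel} ({kind})")
    print(f"remaining executable content after quarantine: {len(remaining)}")
```

The check is deliberately content-first: `Q3 report.doc` and `track01.mp3` are caught by their PE and shebang headers even though an extension filter would wave them through. In a real deployment the quarantine directory should be on media the re-imaged machine cannot mount, and the scan should be rerun after the restore, since the goal is a machine that is provably free of executables it did not get from the image.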

In the past 18 years there have been amazing advancements in every facet of IT -- in networks, processors, memories, disks, languages, applications, development methods and security tools. Yet technology clearly has not turned the tide of war with cyber criminals.

"Our opponents in cybersecurity are winning, and they will continue to win," says Jim Routh, chief information security officer at The Depository Trust & Clearing Corp. "This is not a war we will ever see an end to."


William Scherlis, a professor of computer science at Carnegie Mellon University and a specialist in software security and reliability, says that attacks today are more sophisticated, more stealthy and carried out much faster than ever before. He points to three trends in IT that are making the problem worse.

"They are obvious, but they have crept up on us, and the world is now radically different," he says.

The first is a sea change away from functional system silos to interconnected, enterprise and cross-enterprise systems. A failure at one spot can influence or cascade to places far removed in time, geography and function.
