Combating cyber attacks successfully is serious business. It cannot be achieved with sporadic knee-jerk reactions or frequent band-aid patches. The strategy has to be long-term, with sound basics in place.
India has been on the receiving end of these cyber attacks because there is no formulated national policy on how to take them on, and each day brings the surprise of a new victim.
The present security scenario comprises a mix of the following security rings:
Network level: firewalls appropriate for the perceived need.
Application level: an array of application security tools such as Fortify, Security Innovation, etc.
Information level: how to protect precious data on your data servers.
The fact that most of the recent cyber attacks have been successful shows that the first line of cyber defence, viz. firewalls and anti-virus tools, is falling somewhat short of user expectations.
At the application level, unless we can keep the number of vulnerabilities down to zero, the code stands exposed to cyber attacks. The way to do that is to write application software in such a way that it contains no vulnerabilities. A vulnerability is a flaw in one's code that enables a cyber attacker to get into the code and take control.
Once he has taken control of your code, it is an easy matter for him to enter your database and redirect all the confidential information to a server of his choice, usually one located in enemy territory. Our goal must be to make sure the code we develop has zero vulnerabilities.
There are well-known tools available in the market that provide a secure guidance environment for the development of 100 per cent secure code.
TeamMentor is one such tool. Ideally, all software development centres, unless they have their own home-grown tools, should be using a tool that effectively prevents developers from inadvertently including vulnerabilities in their code.
Most organisations are in the midst of developing new code while also carrying a backlog of already developed code, which was perhaps written at a time when security concerns were not paramount.
What organisations must do in such situations is take the backlog of such code, have it scanned with a well-known scanner such as Checkmarx or Fortify, and replace the identified vulnerabilities with 100 per cent secure equivalents.
Since the backlog of such code usually runs into millions of lines of code (LOC), software people tend to baulk at this responsibility and keep postponing the initiative, thus adding to their perils. However, things are changing fast.
Some of the scanners in the marketplace have become quite smart. For instance, a new server-based scanner licence can direct the process to access specific code files from different computer nodes, scan them in a pre-determined sequence, and redirect the results to the respective nodes or to another server.
Thus, if the network lines are really fast and stable, one can initiate a scan of program files in Delhi while sitting in Mumbai and present the results to the original client in Delhi, or redirect the results to a remediation centre in Bangalore, which can clean up the vulnerabilities, substitute 100 per cent secure code and send the cleaned-up code back to Delhi, provided, of course, that the network lines are clean, secure and fast.
Since the process is automatic, vast tracts of old, unsecured code can now be converted into secure code quickly without significant human labour.
Taking a long-term view, all universities in India must start including a session or two on cyber security and on how to write secure code. The industry badly needs software engineers who can write secure code.
Despite being the leading software powerhouse in the world, India has very few people who have specialised in Secure Development Language (SDL). This flaw needs to be corrected from the coming academic year.
The same applies to all software development organisations. It is far better and cheaper in the long run to write secure code from day one than to write code as usual and then worry about cleaning up the vulnerabilities later. Remember dear Grandma's prescription: prevention is better than cure.
It is also high time organisations had their own ethical hackers, whose goal is to try to bust all the tall security claims made by the software developer or tester.
These ethical hackers do their best to attack the code just the way a street-smart cyber hacker would, to make sure your software is impregnable. They can be thought of as a QA lab within a company.
Ethical hacking is not bad, although the word hacking carries negative connotations. Ethical hacking is becoming increasingly necessary for our survival. There are professional courses available on ethical hacking.
Encrypt your data transfers
Encryption and decryption of data were earlier the holy preserve of defence labs because of their high cost. They are now available at almost negligible cost, and more and more organisations, including banks, can now look at using these proven techniques.
Make full use of the online CBT courses
There are several highly useful security-related training programmes available online as CBTs, such as TeamProfessor, to enhance one's understanding of security issues and to address security threats more effectively. Do make full use of them.
The author, SS Kumar, is Chairman & MD of ASTRAL Systems (India).