Cyber-security took a turn for the worse in 2011 and will probably be worse yet in 2012 as the flaws that enabled the breaches still exist in a wide swath of computer systems.
Most of the 2011 security breaches that resulted in the theft of intellectual property (IP), or which exposed vast databases of personal information, were caused by the same (old) weaknesses that continue to exist in a wide variety of desktop and Web-based applications. Two groups were mainly responsible: hackers attempting to intimidate corporations and individuals they dislike (often from within those very companies), and foreign intelligence services collecting IP to boost their countries' international standing.
[Figure] Security performance of applications on initial submission, as measured by Veracode. The numbers are based on 9,910 application builds.
For 2012, these groups will find the pickings are even easier as IT embraces mobile platforms that are not even attempting to provide the same level of security as the desktop versions of their software and systems. Compounding the problem is the fact that mobile platforms need even higher levels of security than desktop systems. Unfortunately, many companies are rushing headlong into the "bring-your-own-device" age without the security and proactive policies that would be necessary to merely maintain the same level of security as desktop systems.
As a result, the same vulnerabilities that allowed a relatively few hackers and spy services to install backdoors (through which code can be inserted and remotely executed) will be easier to exploit as workers increase their use of mobile devices in 2012. The two most prevalent techniques, SQL injection (inserting code into Web forms designed to accept data) and cross-site scripting (inserting client-side scripts into Web pages), remain the top vulnerabilities. Government sites, in particular, still have a wide variety of applications that are wide open to these attacks.
In fact, Veracode claims in its semi-annual State of Software Security Report that the majority of new applications in 2011 still had known vulnerabilities in the first versions submitted to its testing service. By analyzing more than 9,910 application builds across 40 different industry sectors in the last 18 months, Veracode found that only 16 percent had acceptable levels of security on initial submission. Of those that failed the first time round, about 80 percent were able to patch their code to eliminate the vulnerabilities within one week, demonstrating, according to Veracode, that with the right protocols, high levels of security are possible without lengthening the development cycle by much.
However, the proactive protocols to prevent these coding errors are few and far between, Veracode warns, especially among mobile app developers. Android application developers, in particular, need to take extra care in their coding to avoid opening backdoors into the otherwise secure systems to which they connect. Google, according to Veracode, does only minimal vetting of the safety of new applications before allowing users to download them from app stores, placing the burden on developers, many of whom are not familiar with the techniques needed to plug even the most obvious known vulnerabilities. For instance, Veracode estimates that 40 percent of current Android apps (compared to 17 percent of non-Android apps) contain hard-coded cryptographic keys in their code. What's worse is that it is trivial to decompile Android apps to find these hard-coded keys, which can then be made public for hackers worldwide to exploit with no way to patch them (since hard-coded keys cannot be easily changed on a device after it is sold).
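As an added example (not from the article and not Veracode's tooling), here is the kind of lightweight static check a build pipeline can run to catch the hard-coded-key problem described above: it scans Java/Kotlin source lines for key-named constants whose literal values have the shape of real key material. The identifier patterns, length and entropy thresholds, and the sample source are my own assumptions and constructed data.

```python
import math
import re
from dataclasses import dataclass

# Identifier fragments that suggest the value is cryptographic material (assumed list).
KEY_NAME = re.compile(r"(?i)(?:key|secret|salt|passphrase|token|^iv$)")
# `name = "literal"` in Java/Kotlin source, and `name = {..}` / `new byte[]{..}` array initialisers.
ASSIGN = re.compile(r'(?P<name>\w+)\s*=\s*"(?P<lit>[^"\\]*(?:\\.[^"\\]*)*)"')
BYTE_ARRAY = re.compile(r"(?P<name>\w+)\s*=\s*(?:new\s+byte\[\]\s*)?\{(?P<body>[^}]*)\}")
# Whole-literal hex or base64, the shapes embedded key material usually takes.
HEX_OR_B64 = re.compile(r"^(?:[0-9a-fA-F]{16,}|[A-Za-z0-9+/]{16,}={0,2})$")

@dataclass
class Finding:
    line_no: int
    name: str
    reason: str

def shannon_entropy(s: str) -> float:
    """Bits per character: random key bytes score high, English prose scores low."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def scan_source(source: str, min_len: int = 16, min_entropy: float = 3.0) -> list[Finding]:
    """Flag key-named constants whose literal value looks like real key bytes."""
    findings: list[Finding] = []
    for line_no, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith("//"):
            continue  # comment-only lines are out of scope for this check
        for m in ASSIGN.finditer(line):
            name, lit = m.group("name"), m.group("lit")
            if (KEY_NAME.search(name) and len(lit) >= min_len
                    and (HEX_OR_B64.match(lit) or shannon_entropy(lit) >= min_entropy)):
                findings.append(Finding(line_no, name, "string literal looks like key material"))
        for m in BYTE_ARRAY.finditer(line):
            name, body = m.group("name"), m.group("body")
            n_bytes = len(re.findall(r"0x[0-9a-fA-F]{1,2}|\b\d{1,3}\b", body))
            if KEY_NAME.search(name) and n_bytes >= min_len:
                findings.append(Finding(line_no, name, f"{n_bytes}-byte array literal looks like a key"))
    return findings

# Constructed sample source: these are NOT real keys, only the shapes a scanner must catch.
SAMPLE_JAVA = """\
private static final String AES_KEY = "9f8e7d6c5b4a39281706f5e4d3c2b1a0";
private static final String API_TOKEN = "dGhpcyBpcyBub3QgYSByZWFsIHRva2Vu";
private static final byte[] IV = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f};
private static final String KEY_ALIAS = "user_key";
String greeting = "Welcome to the app, please sign in";
"""
```

Running `scan_source(SAMPLE_JAVA)` flags the first three lines and leaves the short alias and the greeting alone; a hit means the value belongs in platform-protected storage and should be provisioned or rotated at runtime rather than compiled into the app.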