IT Security: Watch Out for Insecure Software

An extended strike of cyber-attacks in 2003 that allegedly originated in China succeeded in penetrating several U.S. government and contractor networks, the breadth of which took many security professionals by surprise. Mainstream-media outlets raised the cyber-attacks' news profile, using the moniker "Titan Rain" assigned by federal investigators.

Many in the federal government, and others in the security industry, were convinced the attacks were the work of Chinese government cyber-espionage experts because of the attackers' apparent origins, the targets themselves and the potential intents of the attacks. The attackers systematically probed U.S. networks for vulnerabilities and exploited weaknesses to expose and capture sensitive government information -- an accusation Beijing flatly denies. The federal government quickly classified its investigation and pursued the hackers in secrecy.

While the Titan Rain attacks aren't unique, they serve to illustrate that the profile of today's hackers has matured. The days when attackers were categorized as amateurs content with defacing Web sites are over. Cyber-espionage specifically targets sensitive military and business information at agencies, including the U.S. Department of Defense and NASA, as well as sophisticated criminal attacks on state and local government databases. Foreign governments have highlighted a similar concern about the new depth and frequency of attacks they experience from non-native sources. Regardless of the source or motivation behind these attacks, one thing is clear -- new and innovative threats are raising concerns about the safety of our nation's most sensitive data.

Beyond threats to mission and operational strategy, defense-system schematics, and other national-security data, there is tremendous value in the sale of sensitive personal information. While some hackers target classified government data, others value personally identifiable information, such as Social Security numbers, credit card numbers and bank account details. Attackers routinely search for vulnerabilities in computer systems and applications that will expose confidential information. The relative value compared to the risks involved is clearly in the eye of the beholder.

Over the last several years, attacks have matured, generating more intelligence and offering a deeper level of access into critical business systems. The increasing speed of information exchange and the drive to integrate partner systems makes this issue even more urgent. Government agencies face unique issues related to national security, while businesses and governments face the difficulties of IT cleanup, legal fees, notifications, lost confidence and an increased customer service load.

To many security professionals, the identity and motivation of hackers is less important than identifying, prioritizing and eliminating the overall risk to their organizations caused by software-security vulnerabilities. A pervasive lack of consistent security exists within applications throughout almost every organization, which virtually ensures attackers' success.

Despite the different types of hackers and the varying data targets they seek, hackers rely on similarly malicious technologies to retrieve information. Hackers worldwide are inventing and executing new exploits and techniques to circumvent today's security technologies in their efforts to break the weakest links in the security chain. Some hackers collaborate -- sharing or finding tips and tricks on the Internet -- while others work alone, hoping to identify and capitalize on unexposed vulnerabilities or design flaws before countermeasures can be created.

Taking Aim at Insecure Software
Many of today's hackers seek the path of least resistance and aim first for low-hanging fruit. As private-networking technologies have become more widely adopted and networking security has improved, hackers increasingly have turned to the least secure targets within organizations -- software applications. Analysts estimate that applications experience almost 75 percent of all new attacks.

Today's end-users are bombarded with malware, viruses, phishing attacks and other social engineering attempts, and systems are infected with root kits, keystroke loggers, logic bombs and spyware. The most successful attackers combine the latest tactics with rapid exploitation of newly discovered security weaknesses, taking advantage of busy network and system operators who