As the widespread concern over the Heartbleed and GoToFail bugs has recently demonstrated, even seemingly impenetrable industry giants like Apple and the hugely popular OpenSSL cryptographic software library are not immune to determined ‘hacktivists’. It seems that almost every day we hear of a new cyber security threat.
It’s no wonder then that Gartner predicts that worldwide spending on information security will have reached $71.1 billion by the end of 2014, an increase of 7.9 percent from last year, with the data loss prevention segment recording the fastest growth at a whopping 18.9 percent. So don’t be surprised if the burning question on your customers’ lips is “how will you protect my data against cyber attacks and bugs?”
As our reliance on social, mobile, analytics and cloud (SMAC) technologies grows, impressive, effective security methods are fast becoming a competitive differentiator in all industries, and the recent FBI and Secret Service revelations about their investigations into the cyber attacks on major banking institutions such as JPMorgan Chase have only served to fuel the fires. So how are the most switched-on, savvy businesses protecting their data in this new digital age?
Pieces of 8
Well, believe it or not, “Bug Bounties” are fast becoming big business, with leading organisations – for example, Microsoft – offering “white hat” hackers cash prizes of between $50,000 and $150,000 for discovering and fixing bugs in Windows 8.1 and Internet Explorer 11. In direct response to Heartbleed and GoToFail, Firefox offered $10,000 to any community-spirited hacker who could find and fix critical security loopholes in the code for their new certificate verification library, which forms part of Firefox 31, released in July this year.
Facebook’s Bug Bounty Page currently has 13K “likes”, and the social media behemoth has a special thank you page devoted to its hacker helpers. According to Facebook’s director of policy for EMEA, Richard Allan, the company believes that white hat hackers should offer insights into potential security threats or provide “responsible disclosure” simply for the greater good, and a cash prize should not be the driving motivation. In reality, however, it’s clear Facebook also realises the monetary value of the benevolent hacktivist: when Brit Jack Whitton discovered a gaping hole in Facebook’s text messaging system that potentially exposed member phone numbers to all and sundry, they paid him the handsome sum of $20,000 for preventing a potential security disaster.
If offering a bounty to the fastest independent hacker in the Wild West all seems a little too Josey Wales, then you could decide to hire a full-time Certified Ethical Hacker (CEH) with a qualification from the EC-Council, an organisation that has certified over 87,896 security professionals, including IT experts from the US Army, the FBI, Microsoft, IBM and the United Nations. The CEH qualification is vendor-neutral, and students learn skills including penetration testing, footprinting and reconnaissance, and social engineering. They also become proficient in creating such monstrosities as Trojan horses, backdoors, viruses and worms, and learn how to deal with denial of service (DoS) attacks, SQL injection, buffer overflows, and session, web server and web application hijacking. System hacking, cracking wireless encryption, and evading IDSs, firewalls and honeypots complete the comprehensive course. Depending on their relevant experience and qualifications, you can expect to pay these penetration testers between £30,000 and £60,000 in their first year of employment.
All Hands on Deck
Although Bug Bounties and employing a full-time hacktivist are both perfectly viable options, many companies don’t have the budget, the requirement or the inclination for either, and for these the concept of crowdsourced testing in the cloud might appeal more. Based on a TaaS (Testing as a Service) framework, crowdsourced testing enables you to test your products on a diverse range of platforms, all over the world, on an ‘as needed’ basis. In a controlled, secure, quality environment it’s an expeditious, cost-effective solution that can help to reduce the risk of bugs.
It does, however, have certain disadvantages which should be considered from the outset. If you are aiming to improve security, then placing your products in the hands of a vast number of people who would not otherwise have seen them could be seen as compromising confidentiality and security rather than bolstering it! Secondly, having a large group of testers based in different countries can mean that you encounter language barriers and difficulties in communication. In addition, test coverage can be difficult to guarantee, meaning that a higher degree of management is required to ensure the desired level is met. The other factor to consider is how to pay the testers: the danger of paying people per bug found is that testers may overlook the task of unravelling large, complex bugs in favour of finding several smaller ones, simply to earn more cash.
The Trusty Sea Dogs
For most companies, the simplest option that offers the most satisfactory ‘bug-free guarantee’ possible is to partner with a dedicated testing company that has a wide range of different resources available as and when you need them. As a Group, Sogeti offers a complete range of Cyber Security services to accelerate your go-to-market, protect your assets and reputation, and comply with standards and regulations.
Attacks against operational systems and infrastructure can cause you a direct loss of business or revenue. Your customer loyalty could be lost in a moment if hackers intercept your electronic communications and steal sensitive corporate and customer information, and of course you could also end up with a dreaded lawsuit and a hefty financial penalty. To help companies and public organisations bring Cyber Security to the right level, Sogeti has developed a systemic approach to Cyber Security that combines Assessment services, Consulting, Architecture and Solutions Deployment, Monitoring capabilities, Analytics, and Mitigation & Remediation services.
So, if trying to convince a blackguard to wear a white hat or putting a bounty on the head of a bug smuggler is not really your MO, finding the right testing partner with global resources and on-demand services is likely to be the most cost-effective and comprehensive way to combat the threat of treason on the high seas of cyber security.