June 28, 2011
US Works To Protect Businesses From Attack
The growing threat of cyber terrorism against businesses and their websites is being tackled head on by the US government, unveiling a new system of guidance on Monday with the goal of helping software behind websites, power grids and other services be less susceptible to hacking.
The US Department of Homeland Security's (DHS) system includes an updated list of the top 25 programming errors that enable hackers to gain access to computer networks. The agency is also adding new tools to help software programmers eliminate the most dangerous types of mistakes and enable organizations to demand and buy more secure products.
The effort has been in development for three years, according to Robert A. Martin, principal engineer at Mitre, a technology nonprofit organization that conducts federal research in systems engineering, that was behind the development of the program.
The costs of programming errors that make software open to attack was highlighted by the numerous recent cyber attacks that have resulted in theft of credit card info, user names and passwords from business, government and banking websites.
During an online news conference, government officials noted that many stakeholders stressed the urgency for better training and education for people writing software. Officials said that organizations are under constant attack.
Homeland Security hopes that the program will make it easier for companies and agencies to better secure their networks and contribute to building a safer global network.
"We're going after root cause issues," a senior DHS official, who spoke on anonymity, told the New York Times. "You can make your enterprise more resilient from the people who would attack you."
Jeremiah Grossman, chief technology officer for WhiteHat Security, told the New York Times that the guidance could encourage a long-awaited shift in the technology industry's approach to computer security. Many organizations do not recognize that software security should be the focus, he said, "which is why you see the bulk of the security dollars spent on defense flowing to firewall and antivirus products, and precisely why the current wave of breaches keep happening."
Currently, when owners of small businesses buy software or hire a firm to build a website, it is difficult to know whether the programs are really secure or not, said Alan Paller, director of research at SANS Institute, a computer-security organization.
He emphasized during the online presentation on Monday that this was a "first step" and much work still needed to be done, especially with training.
The information on the new program, which has been compiled on a special website that the public can view, will tell people what to look for in setting up a secure website and how to assess potential errors in programming, he said. It also sets up a scorecard, so that companies looking for a firm to set up a website can check their security score.
The Top 25 list, created by SANS and Mitre with the help of top software security experts in the US and Europe, includes the top programming errors that have been used in many recent attacks.
The top programming error is one that allows so-called SQL-injection attacks on Websites, which were successfully used by hacking group LulzSec. It successfully used the flaws to cause databases to deliver user names and passwords, including those from the FBI's InfraGard program and NATO's online bookstore.
The new framework will also highlight which programming errors are of greatest concern to banking and commerce sites.
The framework is already beginning to show up in some companies that make tools to test software for dangerous programming errors, said Paller. Eventually there will be services that help businesses evaluate whether the software they are considering has withstood rigorous scrutiny.
Avoiding programming errors is crucial in fending off today's cyber terrorists, said Paller. "This is the only way to get around "Ëzero days'," referring to attacks that make use of software vulnerabilities that are unknown and, therefore, cannot be fixed quickly with patches. "The only possible defense is to stop the error from being in the software in the first place."
On the Net: