James.qxp Nov Dec 2018 web - Page 29

They probably won’t start stealing data immediately. They may wait weeks or months to ensure they haven’t been caught. Ultimately, they begin to remove the target’s data— slowly at first to ensure they do not raise any alarms. The Ponemon Institute’s research shows that hackers can infiltrate a system in a matter of days, but it takes nearly six months to discover data is being removed and another two months to stop an attack once a company is aware of the breach.
How do hackers find the information needed to scan for software flaws? More often than not, from the good guys. As soon as a security researcher (known as a White Hat or ethical hacker) or software vendor (think Microsoft, Oracle, IBM) discovers a bug in a piece of software, they publicly announce their findings and release a patch to fix the flaw. As soon as a patch is released, a race begins between the hackers using their automated tools to look for the new flaw and the companies that may not even know they have the software bug. Thus, before you can administer your patch, the hackers have already reverse engineered it and found their way in!
NOVEMBER / DECEMBER 2018
The Problem with Patching
Patching the enterprise software that hackers use to breach a company is not as easy as applying the automated updates you get on your phone or laptop. Even if a company knows about a software bug, it can take weeks, months or even years to fully patch an organization’s software stored on company servers. That’s because most companies still rely on security techniques that have been the go-to approach for decades. These methods are manual and require hands on keyboards to fix known flaws.
The results of not patching known software flaws are well documented. Research firm Gartner states that since 2016, 99 percent of successful cybersecurity breaches have been directly tied to software flaws known for at least one year. If you need proof of Gartner’s claim, do another headline scan. Anthem Healthcare, Target, Yahoo!, Uber, JP Morgan Chase, Equifax and many more companies have been attacked using known software flaws.
Other headline-grabbing attacks— like the most recent breach at Facebook— are linked to software flaws that had not yet been discovered but were exploited using well-known attack methods. Consider the thermostat on a fish tank used to infiltrate a Las Vegas casino, or the 2016 attack that enslaved 600,000 webcams, home game systems, and other consumer devices to launch an attack that crippled large swaths of the internet in the U.S.
New Tools; Better Results
The volume of both software and flaws has long since outpaced the ability of people to manually fix the number of software bugs that threaten the security of organizations and consumers. Fortunately, we do not have to rely exclusively on manual processes any longer. The latest class of cybersecurity tools is automated, more accurate, doesn’t slow down an application (the bane of every consumer and technologist) and requires virtually no routine maintenance.
Where traditional cybersecurity tools rely largely on guesswork (heuristics) to recognize an attack, the new class of solutions can determine with 100 percent accuracy whether an attack is genuine and block it before any damage is done. These same tools have the advantage of being able to fix flawed code on the fly, eliminating the need for manually patching flawed code. The net effect of this instant patching is to reduce the time needed to fix a known software flaw from weeks, months or years to minutes, giving cybersecurity teams a fighting chance in the race against professional hackers.
By the way, organizations also tend to run old, out-of-date software because it’s important to their daily operations. At some point, though, it can no longer be updated or upgraded. Faced with having to re-write an application or discontinue it— options that send chills down the spine of anyone who relies on software to operate their business— executives usually choose to roll the dice and continue to run the older software.
The same cybersecurity approach that can instantly patch known software flaws can also virtually upgrade out-of-date enterprise applications without having to even touch the source code of the application. These tools save time and development costs while improving compliance and increasing security protections.
Bottom line: The end result of the new class of cybersecurity tools is exactly the outcome readers have been seeking and the protection consumers deserve.
John K. Adams is the CEO of Waratek, an award-winning application security company based in Atlanta and Dublin, Ireland.