
The Inevitability of Hacking

November 27th, 2009

I beat myself up this morning. It happened as I was reading the latest Microsoft Security Update Guide. The guide has some charts from FIRST’s Common Vulnerability Scoring System (CVSS) on the severity of security vulnerabilities.

I realized as I read through the document that we are still in the very early stages of software security awareness. Looking at the charts, you will notice that more than 50% of discovered vulnerabilities are considered high severity. Moreover, more than 50% of vulnerabilities are also considered low-complexity exploits. This means that anybody with time can still write software that breaks some kind of application running on your PC, or Mac, or Linux box, or phone.

That’s probably not big news to anyone who reads this blog. So I’ll tell you why I really beat myself up. It’s because I suddenly realized how futile it is for me to complain about cybercrime. Some people will always try to break whatever we build. It’s apparently coded into human DNA. Additionally, it’s really hard to prosecute someone in St. Petersburg if they break into a system in St. Louis. You know all of this too.

I’ve finally figured out that the ONLY thing we can reasonably do right now to significantly reduce hacking is to build more secure software. This is based on the data.

Hacking hasn’t slowed down in the past 5 years; it’s continued to increase. However, the most notable trend we’ve seen is that the exploits have moved away from targeting the OS and toward applications. Buffer overflows are less common as we’ve used tools to correct those problems. Now it’s SQL Injection and Cross-Site Scripting. We are also seeing that the easiest way to compromise a machine is not directly through the OS, but through an exploitable driver.

None of the changes in hacking have been driven by a law enforcement initiative. It’s all been driven by more secure software. That shouldn’t be a surprise, but it should be a call to action.

I promise that I won’t ever say “Why can’t we all just get along?” when it comes to attacks over the Internet. Even though the original inventors of the Internet seemed to assume that fiction, it’s been proven wrong for more than 30 years. Instead, I’ll begin asking every developer I know to build stronger software so that we can protect against the inevitable side of software – the cracker.

Jim Molini, CISSP, CSSLP

Categories: Software Security