A recent article on Internet Evolution, written by Gideon Lenkey, quotes the SANS Institute: “application software is a major vulnerability for enterprises”. The root cause of application security vulnerabilities is bugs (usually design bugs, but often implementation defects).
A research study performed in 2007 analyzed over 180 data theft events. The empirical data shows that software bugs accounted for over 55% of the vulnerabilities contributing to the events (see the Business Threat Modeling study), but 100% of the data theft events were carried out by people who were able to exploit application software vulnerabilities, usually in a rather simple-minded way. For example, by typing the account number of a banking customer into the query string of a home banking Web application, it was possible to discover information about other bank customers. All of the software security vulnerabilities were in the SANS Top 10.
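The query-string flaw described above is a missing server-side authorization check: the application trusts the account number the client sends. The following is an added example, not code from the article or the study, showing a minimal lookup handler in its vulnerable form next to the corrected one, plus a crude log check for the kind of sequential guessing that exploits it. The accounts, users, log lines and function names are all constructed for illustration.

```python
# Added example (not from the article): the "account number in the query
# string" flaw as a minimal request handler, vulnerable and fixed, with a
# simple detection heuristic. All data below is constructed sample data.

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    number: str
    owner: str        # user id of the customer who owns this account
    balance: float


# Constructed sample "database" of customer accounts.
ACCOUNTS = {
    "1001": Account("1001", "alice", 2500.00),
    "1002": Account("1002", "bob", 130.50),
}


class AuthorizationError(Exception):
    pass


def lookup_vulnerable(query: dict, session_user: str) -> Account:
    """Trusts the client-supplied account number outright. Any logged-in
    user can read any account just by changing ?account=... in the URL,
    which is the flaw the study describes. session_user is never consulted."""
    return ACCOUNTS[query["account"]]


def lookup_fixed(query: dict, session_user: str) -> Account:
    """Same lookup, but the record is released only if the authenticated
    session user owns it. The check runs server-side against the session,
    so nothing the client puts in the query string can bypass it."""
    acct = ACCOUNTS.get(query.get("account", ""))
    if acct is None or acct.owner != session_user:
        # Same error for "does not exist" and "not yours", so the response
        # does not confirm which account numbers are valid.
        raise AuthorizationError("account not available to this user")
    return acct


def access_denied(query: dict, session_user: str) -> bool:
    """Convenience wrapper: True if the fixed handler refuses the request."""
    try:
        lookup_fixed(query, session_user)
    except AuthorizationError:
        return True
    return False


# Constructed sample access log: (session user, account number requested).
SAMPLE_LOG = [
    ("alice", "1001"), ("alice", "1001"),
    ("mallory", "1001"), ("mallory", "1002"),
    ("mallory", "1003"), ("mallory", "1004"),
]


def flag_enumeration(log, threshold: int = 3) -> list:
    """Flag sessions that request more than `threshold` distinct account
    numbers. A customer normally touches only their own accounts, so a
    session walking through many numbers is worth a closer look."""
    seen = defaultdict(set)
    for user, acct in log:
        seen[user].add(acct)
    return sorted(u for u, accts in seen.items() if len(accts) > threshold)


if __name__ == "__main__":
    print(lookup_vulnerable({"account": "1002"}, "alice"))   # bob's data leaks
    print(access_denied({"account": "1002"}, "alice"))       # True
    print(flag_enumeration(SAMPLE_LOG))                      # ['mallory']
```

The fix is the single ownership comparison against the server-side session; the detection heuristic is deliberately simple (a threshold on distinct identifiers per session) and would need tuning for real traffic, but it illustrates that this class of flaw leaves a visible pattern in ordinary access logs.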
Less than 5% of the data theft events involved social engineering, but almost all of the data theft events involved a trusted insider colluding with a malicious outsider.
The study considered why organizations don’t do more to improve their production software quality:
- Users are conditioned to accept unreliable software on their desktop, and development managers are inclined to accept faulty software as a tradeoff for meeting a development schedule.
- Executives, while committed to the quality of their own products and services, do not find security breaches sufficient reason to become security leaders with their enterprise systems because:
  - They usually receive conflicting proposals for new information security initiatives with weak or missing financial justifications.
  - The recommended security initiatives often disrupt the business. (“Top-down Security”, Alan Paller, SANS Institute)
The one vulnerability that is politically correct to mitigate is the trusted insider – employees and contractors. An advantage of working at the human level is that responsibility and action can be shared by IT with HR and contracts management. Ethical behavior for employees can be reinforced using cheap and simple methods such as a 1-2 page AUP (acceptable usage policy). The hinge factor for an AUP is monitoring and enforcement: when monitored and enforced, an AUP is a highly cost-effective security countermeasure against the vulnerabilities contributing to a data breach. More on acceptable usage policies in this article – Writing an Internet Acceptable Usage Policy