You don't have to look far to find yet another news story about a company or organization getting breached or hacked in some way. According to the Identity Theft Resource Center, by September 30, 2021 the number of data breaches had already exceeded the total number of breach events in all of 2020. Have you ever wondered why all these breaches keep happening? This blog briefly covers some of the reasons why.
As an IT professional, I work with security concepts every day, whether it's dealing with passwords, multifactor authentication, permissions, firewall rules, or what have you. It's clear how important security is within IT, but I wasn't always as interested in IT security as I am these days. My interest started about seven years ago and grew gradually over time. Back then, I became responsible for an application used for Single Sign-On (SSO), and I worked on it with another admin from the security team. I found this security work more engaging than the IT work I was doing at the time, so I began to take an interest in learning more about IT Security.
As I paid more attention to IT Security, I began to better recognize the impact that bad security has on the world. I followed the news and saw breach after breach, watched the rise of ransomware, and eventually as I learned more, I realized how vulnerable all computers are. I wanted to understand why there are so many IT Security problems. The more I learned, the more I recognized that there are certain fundamental issues with IT Security that make securing computer systems incredibly difficult.
Why IT Security is Difficult
When it comes to IT Security, offense is far easier than defense. Attackers trying to gain unauthorized access to a system only need one way in, while defenders must make sure they have all their bases covered. If an attacker encounters a system that is well-defended, they can shift their attention to a weaker related system to find an easier way in, or move on to another target.
All software has bugs. When programmers write software, the bigger the programs get, the more bugs they will have. More lines of code equal more bugs. Varying estimates put the number anywhere from 20 to 70 bugs per 1,000 lines of code, with fewer bugs making it into released code (per Coralogix / CMU via Wired ). Some of those bugs are going to be security related. Often the focus in software development is on adding new features, without enough attention given to the security of those features, or the security of the existing code base.
Here’s some statistics on popular software:
- Windows Calculator is 35,000 lines of code.
- Windows 10 is about 50 million lines of code.
- Google’s code base is roughly two billion lines of code.
- All software is guaranteed to have bugs.
Mitre Corporation publishes the top 25 Most Dangerous Software Weaknesses every year, using a ranking algorithm that uses data from the year’s CVEs, which are Common Vulnerabilities and Exposures (when new vulnerabilities get discovered and published, they get assigned a CVE with all the related details). This is a list of the top general weaknesses that are exploited by attackers. It’s interesting that in 2021 SQL injection is still in the top 10, at number six. Some classes of vulnerabilities can be eliminated by using newer programming languages like Rust, which can guarantee memory safety. But lots of software is written in older languages that are not memory-safe like C and will likely never be rewritten.
One of the things programmers learn is not to reinvent the wheel. If code already exists that does what you need it to do, use that code, and add whatever custom code you need for your program. This saves people a ton of effort and time, and allows lower skilled programmers to take advantage of code written by highly skilled programmers. It's easy to see the benefits of reusing code versus writing things from scratch.
That said, there are arguments for reinventing the wheel! Or at least for auditing any source code you're using. Recently with the Log4j vulnerabilities, we’ve seen what can happen when lots of software relies on a vulnerable library. Even though it’s open source, no one audited it, so when a major vulnerability was introduced with a new “feature,” people didn’t realize, and everyone had to scramble to fix things once the vulnerability became widely known. Modern software is often stitched together from various libraries, so many programs have dependencies that may never get audited.
In 1984 as his acceptance speech for the Turing award, Ken Thompson gave a short talk called “Reflections on Trusting Trust.” He detailed a way to alter the C compiler, the program that translates C code into machine code, in a way that causes it to mis-compile certain code, and when it does, it inserts a bug into the program which acts as a backdoor. Once you've done this, if you replace the C compiler with your bugged version, then any time anyone uses it to compile C code, it will insert bugs into the compiled binary. There are no traces of these bugs in the source code, the bugged compiler will automatically insert them into the binary. Thompson’s conclusion is this: you can only trust software that you write yourself. Now obviously that’s not feasible for everyone, ultimately, we have to trust software that we did not create.
Solutions exist to trusting software at scale. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted since it was signed. However, users can still be tricked into running unsigned code. And it's important to note that just because a piece of software is signed doesn't mean it's not malicious, and it has nothing to do with whether the code has been audited. Also, certificates have been stolen in the past and used to sign malware.
Aside from software vulnerabilities, there is always the human factor in security. People can get phished in a variety of ways and give up their credentials or system access to remote attackers. Other forms of social engineering can lead to hacks or data breaches as well. People are human and humans make mistakes (and so do computers, which are created and programmed by humans).
But it's not about reducing security incidents to 0. Not only is that unrealistic, it's also impossible. Security is about reducing your risk to a level that you can accept. It's important to point out that the primary objective for most businesses is to make money, not to be as secure as possible. Businesses can always spend more on security, but that may reduce profits, and higher levels of security may even impede business. Like IT, security is often viewed as a cost center rather than a revenue generator, and it can be challenging to prove the value of investing additional resources in security.
Things don't have to be that way. IT and IT Security done well benefits your business. Why not have excellent IT be a key part of your competitive advantage? Contact iuvo Technologies for help today!