Computer security threat

This year and for the next few years, the main issue for many companies will be how to prepare for the next security threat or cyber attack. This is always a challenge, as more and more “hackers” attack companies’ information systems on a daily basis. In the past, hackers were mostly software developers who were bored and wanted to do something for fun regardless of the consequences. Today hackers are mostly “organized crime” groups who recruit software developers to steal information such as credit card numbers, bank accounts, and companies’ proprietary information, or to damage a company’s business (sabotage, terrorism).

The main problem is that most people in charge of information systems do NOT have the knowledge or resources to manage them. According to a security review study of 25 developed countries around the world, 75% of people in charge of government information systems are NOT software people; many of them are government officials who were promoted into those positions. The study also found that over 60% of private companies do not have good security policies, procedures, or knowledgeable people in charge of their security systems. That means both government and private companies are vulnerable to cyber attack.

Software is becoming larger and more complex because people keep adding to it and changing it. People want new features, new functions, and new applications, and they all want them faster, so most software project managers focus on delivering the software on time with more functionality, but few pay attention to security. Today much software is connected to the Internet, which creates more vulnerability than before. Another issue is that with outsourcing, software development is done around the world, in all kinds of places. As people add new functions and new components, they add more complexity to the software system with more code, and that opens up more errors that “hackers” can take advantage of.

Because computer security is a new field in software engineering, very few universities offer this training, so there is a critical shortage of computer security specialists all over the world. Many officials and managers believe that because they already have a “firewall” in place, their systems are secure. It is just like having a lock on your front door so you do not worry about people entering your house. The problem is that a firewall can stop some “amateur hackers” but not “professional hackers”, just as the door lock can stop some people from entering your house through the front door but does NOT stop a thief who knows how to get into your house from other places. Having firewalls is NOT enough. You need skilled resources to set policies, directions, and procedures and to manage your security systems; without them, all the money spent on security firewalls or tools will be worthless. I believe that robust security can only be delivered if there are skilled people in place to make it happen, and it is critical to have more security training for all computer users. It is important that companies focus more on getting skilled people with the right equipment in place to monitor and respond to security issues before a cyber attack.

Moreover, companies should focus on security-training programs so more people are aware of this problem. A security breach is often the result of an unintended mistake by a software developer. Opening an email, copying a string in memory, or having a stack overflow in their code could all have serious consequences, as they create a vulnerability that an attacker can use to execute malicious code. The malicious code may be used to spread a virus or a worm, or to insert a back door on a machine to steal sensitive information or destroy all the files. According to a recent Carnegie Mellon study, 64 percent of vulnerabilities in the world are the result of coding errors.
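The string-copy mistake just described, as an added example written for this page (not code from the original post): a fixed-size copy that trusts the input's length, next to a hardened version that checks the length before writing anything. NAME_MAX, the function names and the sample inputs are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the original post): the "copying a string in
 * memory" coding error the text mentions, shown as an unsafe fixed-size copy
 * next to a hardened version. NAME_MAX, the function names and the sample
 * inputs are constructed for illustration. */

#define NAME_MAX 16   /* constructed: room for 15 characters plus the NUL terminator */

/* Unsafe pattern: strcpy() copies until it reaches src's terminator and never
 * looks at the size of dst. Input longer than NAME_MAX - 1 characters writes
 * past the end of the stack buffer, which is the coding error an attacker can
 * turn into execution of malicious code. Kept only for contrast; do not pass
 * it untrusted input. */
void store_name_unsafe(const char *src)
{
    char name[NAME_MAX];
    strcpy(name, src);          /* no length check: stack buffer overflow on long input */
    (void)name;
}

/* Hardened copy: verify that src (including its terminator) fits in dst before
 * writing anything. Returns 0 on success and -1 when the input is rejected;
 * dst is left untouched on rejection so callers cannot act on a partial copy. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    /* Look for the terminator within the first dst_size bytes only, so an
     * unterminated or over-long src is never scanned past the destination size. */
    const char *end = memchr(src, '\0', dst_size);
    if (end == NULL)
        return -1;              /* would overflow: reject rather than silently truncate */
    size_t len = (size_t)(end - src);
    memcpy(dst, src, len + 1);  /* copy the bytes plus the terminator */
    return 0;
}

/* Hardened counterpart of store_name_unsafe(): returns 1 if the name was
 * accepted and stored, 0 if it was rejected as too long. */
int store_name_safe(const char *src)
{
    char name[NAME_MAX];
    if (copy_bounded(name, sizeof name, src) != 0)
        return 0;
    return 1;
}

int main(void)
{
    const char *inputs[] = {           /* constructed sample inputs */
        "alice",
        "abcdefghijklmno",             /* 15 characters: the longest that fits */
        "abcdefghijklmnop",            /* 16 characters: one too many */
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
    };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-42s -> %s\n", inputs[i],
               store_name_safe(inputs[i]) ? "accepted" : "rejected (too long)");
    return 0;
}
```

The hardened version rejects over-long input outright instead of truncating it; silent truncation keeps the process alive but can still change the meaning of the data (a path, a user name), so the caller should decide what to do with the rejection.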

I believe companies should have a security policy in place to determine how security will be implemented. A security policy defines the level of security and the roles and responsibilities of users, administrators, and managers. A security organization should also be established to monitor computing usage and alert on security issues (viruses, cyber attacks, etc.). Users should make sure that their computers’ operating systems and applications are patched with the latest service packs and hot fixes. They should not open email from unknown senders or unknown sources, and should block certain email attachment types such as .bas, .bat, .exe, and .vbs, since these could contain malicious code.
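One way to enforce the attachment-type rule above, as an added example written for this page (not code from the original post or from any particular mail product): a check that matches the final file extension, case-insensitively, against the four types named. The blocklist array, MAX_NAME_LEN, the function names and the sample file names are constructed for illustration; the over-long-name check and the trailing-dot handling are the caveats a gateway filter needs so that a disguised name does not slip past a naive suffix comparison.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the original post): a policy check for the email
 * attachment types named in the text. The blocklist, the name length limit and
 * the sample file names are constructed for illustration. */

static const char *const BLOCKED_EXTENSIONS[] = { ".bas", ".bat", ".exe", ".vbs" };
#define MAX_NAME_LEN 255   /* constructed limit for a single attachment name */

/* Case-insensitive "does name end with suffix", so SETUP.EXE and setup.Exe
 * are treated the same as setup.exe. */
static int ends_with_nocase(const char *name, const char *suffix)
{
    size_t n = strlen(name), s = strlen(suffix);
    if (s > n)
        return 0;
    const char *tail = name + (n - s);
    for (size_t i = 0; i < s; i++)
        if (tolower((unsigned char)tail[i]) != tolower((unsigned char)suffix[i]))
            return 0;
    return 1;
}

/* Returns 1 if the attachment name matches the blocklist, 0 otherwise.
 * Only the final extension matters: "quarterly.pdf.exe" is an executable no
 * matter how many harmless-looking extensions precede it. Trailing spaces and
 * dots are stripped first because Windows file APIs drop them when the file
 * is created, so "invoice.exe." would otherwise be saved as invoice.exe. */
int attachment_blocked(const char *filename)
{
    char name[MAX_NAME_LEN + 1];
    size_t n = strlen(filename);
    if (n > MAX_NAME_LEN)
        return 1;                       /* over-long name: block instead of guessing */
    memcpy(name, filename, n + 1);
    while (n > 0 && (name[n - 1] == ' ' || name[n - 1] == '.'))
        name[--n] = '\0';
    for (size_t i = 0; i < sizeof BLOCKED_EXTENSIONS / sizeof BLOCKED_EXTENSIONS[0]; i++)
        if (ends_with_nocase(name, BLOCKED_EXTENSIONS[i]))
            return 1;
    return 0;
}

int main(void)
{
    const char *samples[] = {           /* constructed attachment names */
        "report.pdf", "setup.EXE", "quarterly.pdf.exe", "macro.vbs.", "notes.txt",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s %s\n", samples[i],
               attachment_blocked(samples[i]) ? "BLOCKED" : "allowed");
    return 0;
}
```

An extension blocklist is only a first line of defence: it stops the file types the policy names, but the mail gateway should still scan what it lets through, since a renamed or archived executable carries none of these suffixes.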

Sources

  • Blogs of Prof. John Vu, Carnegie Mellon University