As Americans become more and more reliant on modern technology, we also become more vulnerable to cyber attacks through cyber security vulnerabilities in corporate, government and military systems. The problem is that we have been conditioned to believe that this is normal.
First, a little background.
In the 1960s, when computers were extremely expensive, companies offered a service of running your programs and storing your data on their mainframe server, to which you would connect with a low-powered "dumb" terminal: a centralized system. Then in 1981 the IBM personal computer was introduced. In a very short time PCs became more powerful than mainframe computers and made it economical for companies, and eventually individuals, to use PCs to manage and automate all aspects of their business. This transformed computer systems into a more distributed model where each individual PC became more independent and possessed greater processing power.
Why we can't stop hackers from Hacking
In 1981 Microsoft introduced MS-DOS, and in 1983 Microsoft announced Windows, a graphical user interface (GUI) for MS-DOS. It was based on MS-DOS and did not have any built-in networking capability. In 1992 Microsoft introduced Windows for Workgroups (with network support) and released numerous additional versions over the years, including Windows 95, 98, Millennium, NT, 2000, XP, Vista, Windows 7, Windows 8 and Windows 10. It is estimated that Windows for Workgroups had 3 million lines of code, and Windows 10 is estimated to have roughly 50-60 million.
A software bug is a failure or flaw in a program that produces undesired or incorrect results. It's an error that prevents the application from functioning as it should. All code has errors and the industry average is 10-15 bugs per 1000 lines of code. Microsoft is no different. This means that Windows 10 may have had 500,000 to 750,000 bugs in the original release. Microsoft undoubtedly spent millions of dollars to eliminate as many coding errors as possible and used millions of beta testers to discover as many bugs as possible but in the end it was shipped with flaws. In the real world all software is put into production with flaws. Not all flaws are discovered and not all result in security vulnerabilities, but many do.
In the year 2000 Windows dominated the computer industry with a 97% global market share of operating systems and still holds a commanding lead. When a hacker develops a virus or other malware they want it to succeed against the largest number of computers. Because of Microsoft's dominance they are the most desirable target.
Since 1999 there have been 5083 serious security vulnerabilities reported in Windows products.
When Windows was developed, security was not as important as it is today. Windows has evolved over 34 years and I believe the primary focus in the beginning was more on operability, not security. Microsoft has stated several times over the years that each current version was a complete rewrite and no legacy code remains, but some of the bug reports in Windows 10 (e.g. WMF image handling) are based on code that was included in NT (2003). With 50 million lines of code there is a strong incentive to reuse legacy code. One 17-year Microsoft veteran estimated that it would cost $18.75 billion to write the current Windows from scratch. Security has a higher priority today, but how many lines of code were written years ago?
Let me be clear, I am not picking on Microsoft. They have attracted much wrath and criticism over the years but in my experience it is much harder to produce than to sit back and criticize. Microsoft has produced a superior product and in my opinion they have had the best desktop operating system in the world for years. I have used every version since MS-DOS. It has more functionality and available software than any other operating system and is undoubtedly the industry leader, but being the leader puts the focus on them, sorry. They are probably better at managing cyber security in the software development process than most but making all that code secure is an almost impossible task.
It's all about the Code.
All security vulnerabilities are in the Code. Is it the programmer's fault?
Why can't we write secure code?
Vulnerabilities start, experts agree, because developers don't understand how to build security into the code they write.
"There's a lot more acceptance of security as part of the process now, but historically developers have never been responsible for security," "We all understand locks and keys, but not many of us are locksmiths. That's where most developers are." "Developers are builders and artists," he says. "They like creating, not tearing things down, to identify flaws. Security is not a natural thing for most of these people -- it's a different mindset."
But nearly all experts agree that no matter how strong the training effort, the average developer will never be very security-savvy. "They're always going to be more focused on code quality and trying to meet their deadlines. If I'm a developer, as soon as I've been assigned a project, I'm already behind. If there's a faster way to do something, they're going to take it, because for them speed is more important than security."
If the average developer can't become a security expert, how can organizations ensure the code written by that developer is vetted and tested to reduce vulnerabilities?
What's wrong with secure software development? "The short answer is resources," Fagan says. "These programs have the reputation of consuming large amounts of time, people, and money. We need programs that cut out all the fat. The secure coding program needs to fit the size and capabilities of the organization. If we ask too much from the average developer, we're going to get nothing at all."
--------------- work in progress, to be continued.
The Internet was originally designed to be a dynamic, resilient wartime network that could re-route itself if any node or connection point failed, and it has evolved into a very reliable global network of networks. It was designed for operability, not security. Privacy was not a priority in the beginning but now is a major concern. In the early 1980s, when the IBM PC was introduced, the computer industry was like the wild wild west in the 1800s. Many different players were competing to become the industry standard and the primary goal was performance, not security. Computer operating systems and application software were not developed with security in mind and no one had the foresight to envision the problems we now have to live with. The problem was that no one was in control and no one had an overarching plan to follow; vendors had to react to unpredictable market forces quickly or die. The competition was fierce. Making software secure was not a priority.
"The Cloud"
Today the scale is beginning to tip back the other way. Companies are beginning to realize that it is more economical and more secure to use the hardware and network infrastructure of Cloud Service Providers, such as Amazon, Microsoft and Google, to host their application and data servers.
Desktop applications are moving to the cloud as well. Just a few years ago using a cloud-based word processor or spreadsheet was not practical. Performance was simply unacceptable. But today it is a real possibility for 95% of users. Companies are beginning to see the cost savings of not having to manage the endless configuration issues, software updates and virus management on thousands of personal computers. Personal computer sales are decreasing, and a move to mobile devices and lower-powered browser-based computers is becoming the new standard.
This evolution back to a more centralized system would not be possible without our present-day high-speed Internet connections. Bandwidth has increased from 300 megabits per second with a dial-up modem to current speeds up to 1 gigabyte per second. That is over 3.3 million times faster, and speeds are increasing exponentially.
The Security Game is changing.
As technology evolves, economic drivers push more and more organizations to move their applications and data to the cloud. Although cloud solutions can save money and improve accessibility for remote users, they can also leave your sensitive data vulnerable to new security threats. With the lack of governance policies and security practices for the transition to cloud computing, it is important to consider how this move can affect your organization's security.
How to Shorten the Journey.
Chrome has 5 million lines of code
Very few, if any, could have predicted the level of dominance digital devices have in our lives today.
The complexity and number of connections to different systems is becoming incomprehensible to the normal person.
It's All About the Software
Cyber security is like insurance: no one wants it until they need it. It is hard to calculate any return on any investment in cyber security. People tend to not worry about cyber security until they can't avoid it, usually after some catastrophic event such as Target's $300 million debacle in 2013. When they do think about cyber security, they don't really understand what the real problem is. The computer industry tends
Security threats rise along with usage
Back in 1988, the Morris Worm was the first major attack on the Internet, disabling 10% of the Internet's 60,000 host computers. Today, hundreds of more sinister attacks are aimed at Internet users each day. Indeed, the U.S. Computer Emergency Readiness Team (US-CERT) stopped counting the number of security incident reports it received in 2004 because attacks against Internet-connected systems had become so commonplace that it felt this figure was getting too big to track.
The WannaCry ransomware attack was a worldwide cyberattack by the WannaCry ransomware cryptoworm, which targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency. Overall, 98.4 percent of the successful WannaCry attacks were on computers running some version of Windows 7. According to Kaspersky Lab, WannaCry went after the most popular operating system in use today. Windows 7 is run on almost half of all computers (48.5 percent).