“The revelation that hackers were able to use widely-known vulnerabilities to burrow deep inside JP Morgan’s computer systems (compromising some 76 million household accounts and 7 million small firms) shows that software with very basic flaws is still in widespread use at corporations, providing an easy route for experienced and amateur hackers. What is even more disturbing is that, with so many basic flaws in commonly-used software, this attack may just be a ‘reconnaissance mission’ to prepare the ground for much worse future attacks.
We now know the hackers gained a comprehensive A-Z of the apps and programmes that run on JP Morgan’s systems, which could illuminate vulnerabilities in other parts of the bank, allowing hackers to launch a more serious attack at a future date. Just as importantly, hackers may be sharing their knowledge, allowing other groups and individuals to conduct their own attacks.
With a detailed knowledge of the inner workings of the bank’s computers, these hackers will now be in a race to mine the bank’s systems for more chinks in the armour which can be exploited, and the bank may not be able to find all the flaws in time.
This highlights a fundamental problem putting major corporations and banks at risk from hackers; they depend on a vast array of software, which often has myriad built-in security flaws buried in millions of lines of code. This is essentially putting banks (and the vital personal data they hold) at the mercy of poorly written software. With a ballooning array of ‘joined-up’ software, networks and systems, each with millions of lines of code, and new applications being released every week, this problem will continue getting worse.
Even worse, hackers are able to get inside major corporations like JP Morgan just by cross-checking the programmes they run with widely-known vulnerabilities, because corporations are failing to run proper penetration tests of their systems to find all the possible trapdoors through which hackers could get in. This means they often have little visibility over the state of their own defences.
This means hackers can find multiple ways to break into major corporations and banks simply by finding out what apps or programmes they use, because there is now a lucrative ‘black market’ in racing to identify vulnerabilities which can be ‘traded’ around the world in moments, and even bought using fraudulent credit cards. With ready-made exploit kits for known vulnerabilities now available on public bulletin boards, anyone with a basic level of competence can potentially hack into multinational corporations.
If we are to address this, we need a fundamental change in the way software is developed and used. The root cause of poor software development is poor education. Universities need to recognise that there is no point teaching computing students to design highly functional, easy-to-use software if it is also easy to hack into. We need to integrate software development with security at school and university level to ensure that we are not just teaching how to create data but how to secure it. Otherwise software developers will continue churning out apps with the same basic design flaws, opening more and more businesses up to attack.
Banks and corporations also need to ensure they are not cutting costs on security by outsourcing software development, which means they have no idea if it is full of holes. They should be regularly ‘pen-testing’ all systems, apps and networks and searching for flaws to ensure they stay ahead of the ‘black market’ hackers constantly ferreting out new chinks in the armour.
If banks and corporations fail to take these basic steps we could reach a tipping point where small businesses and consumers start to lose confidence and trust in the entire digital economy. We may also see increasingly stringent regulation, and ever more draconian laws and punishments as governments attempt to raise standards by fiat.”
– Dr. Adrian Davis, Managing Director, (ISC)2 EMEA