January 2009

Think security first, system second

By Gregory Hale, InTech, Editor

Dan O'Dowd seems like the kind of guy you would see pushing a shopping cart in the produce section at the supermarket, just an ordinary guy going through life.

That demeanor changes completely when he starts speaking. He can scare the living daylights out of anybody. That unassuming, person-next-door exterior goes away.

A French bank reported an employee hacked into the system, and the bank ended up losing $7 million; TJ Maxx was hacked and lost about 40 million VISA and MasterCard accounts; French President Nicolas Sarkozy's bank account was hacked; the White House network was repeatedly hacked.

"These are just a few things," said O'Dowd, founder and chief executive of software and security provider Green Hills Software during a talk at his company's Technology Summit 2008 in Santa Barbara, Calif. "Most attacks have been covered up, so no one will know. There are plenty of dangerous people out there."

Hackers want to get in, gather as much data as possible, and steal information, money, or anything else they can get their virtual hands on. They will be invisible.

"There are people that hack in, and you don't even know about it," O'Dowd said. "Almost any enterprise can be hacked into for as little as $25,000," he said.

O'Dowd added there are four points of vulnerability: human interface, servers, embedded endpoints, and networks.

"There are thousands of vulnerabilities in your system today that won't be addressed for years, and hackers are learning about these vulnerabilities every day," he said. "They stay one step ahead."

"That is what security is all about: Outrunning the bad guys," said Adriel Desautels, co-founder and chief technology officer at Netragard.

If a person or people have the motivation, there is no real problem getting into a system, Desautels said.

"Our average time to penetrate a system is between 30 seconds and a minute," said the co-founder of Netragard, a security provider that employs WhiteHat security experts.

For a manufacturer, that is not a positive thought.

Companies need to look at security in a different light. Instead of building a system and then checking it for security, they should start with security and then build the system, said Jimmy Sorrells, vice president of enterprise products at Integrity Global Security, a Green Hills Software subsidiary.

"Security is backwards; it is broken," Sorrells said. "Security is the first thing you should do. You get security by building security."

The foundation for a user's system has to be secure. Security cannot be an afterthought; it needs to be the first thing a manufacturer thinks about before putting together its system.

While no system will ever be truly safe, a system focused on being secure from the start stands a much better chance of staying up and running and fending off attackers than one you purchase and then add some security to.

Hackers want to take what you have worked hard to produce. In most cases, a victim is easy pickings for the cyber bad guys. Please do not think that having a firewall makes you safe. That is just not true.

Do not let hackers take control. Just listen to O'Dowd.

Talk to me: ghale@isa.org or (919) 990-9275.