When I read last year that a Russian crime ring has amassed 1.2 billion combinations of user names and passwords, I wussed out. “The black hats are winning!” I cried.
Fortunately, Alex Holden is here to drop some knowledge on me. Even though the information security company that he founded, Hold Security LLC, was the one that blew the whistle on those Russian hackers, Holden believes that cyber-criminals are struggling to score big paydays more than one might think.
Of course, he is anything but naïve. As we saw in part one of my email interview, Holden says we are in “an age of mass exploitation of vulnerabilities.” Hackers are doing less picking of individual targets, and putting more emphasis on industries, major technologies and other components that “can be exploited in bulk,” he told me.
In Part 2 of my interview, Holden weighs in on issues such as how testers can improve their games in order to help the war against the bad guys. I started, though, with a question that has bothered me for a while: Why do these huge security glitches keep cropping up in the first place?
ServiceVirtualization.com: Why does society seem to get hit with mega-bugs on such a regular basis? Is it because, say, there is simply too much software to test properly?
Holden: We should consider the advances that technology and security made over the past two decades.
We are no longer tolerant of extended downtime and crashes. The amount of bugs in most software is now minimal and our security testing tools are much better.
We are still not perfect though. Technology itself is evolving faster than security defenses. I don’t believe that we are getting more vulnerabilities, but we are acutely aware of the major bugs. And they have been “weaponized” even more to have a devastating impact.
What trends in cybercrime and cybersecurity will affect the software testing industry this year? What will be the impact of those trends?
We believe that we are winning against cyber-criminals. Our systems are more secure than ever, and even if compromised, the ability to convert stolen data into tangible profits (i.e. cash) is significantly diminished. Quantitatively, attacks are on the rise, allowing mass abuse and/or resale of stolen data as a viable criminal activity.
Any vulnerabilities that may lead to mass exploitation are fetching premium prices on the black market. Perhaps the popularity and success of some software will become a main determinant of it being targeted by hackers.
In a recent report, PwC said that “the cyber-security programs of U.S. organizations do not rival the persistence, tactical skills and technological prowess of their potential adversaries.” Are we losing the war against cyber-criminals?
Hackers are not winning. They are struggling, but as a wounded beast, they are thrashing (and) trying to regain the past levels of ill gains. These wild swings hurt the most.
Let me explain. While it is probably true that more breaches happened last year than in the previous years, hackers are faced with a large problem – monetizing their ill gains. If they steal a credit card number, it does not translate to every available dollar on the credit line. It may be $100 to stay under the radar, maybe less, but most often nothing at all.
Credit card companies are more vigilant, as are the banks, retailers, and the overall user population. Hackers have to work much harder, specializing in certain tasks, while letting others do different parts of the crime. This cuts into their stolen booty, and they are looking for a bigger score.
What can the software testing industry, and Service Virtualization, do to help turn the tide against cyber-criminals?
Testing is the key to produce better results. Continuous end-to-end testing of all new components and regularly revisiting the old ones definitely helps. However, security testing should not just be a checkbox on a developers’ list. It is equally important to ensure the quality of software of a bug-free user experience as to a secure user experience. Testing should be customizable to every software feature and function instead of a generic checklist.
We got better, but we need to keep getting our skills and tools better.