March 28, 2008

Compass Bank Data Breach

An insider breach was reported at Compass Bank; see "Insider theft case at Compass Bank affected more than 1M customers". According to the Compass Bank Web site, they have 420 full-service banking centers. Securing branch banking centers is an immense challenge for protecting customer data and financial applications. Branch banks may not have the security expertise and sophistication of larger institutions, yet they host sensitive applications.

-Vic

January 11, 2008

Security is a differentiator: Refreshing change for the software security industry

As a software security professional, it is a good thing that end users of security technology are beginning to position it as a differentiator in their own offerings. The security industry in general has had to produce subjective ROI or sell fear to support its sales. Application and data integrity will become increasingly important, especially on the heels of a record-setting year of breaches (CIO Today). The way in which application providers add security to their products and services will be viewed as a differentiator. This is not only true of enterprises, but also of traditional software application vendors. Some examples of this trend are:

- Recent article, "Banks Using Security to Increase Customer Trust and Their Bottom Lines"

- Time Warner and others choosing the Blu-ray DVD format over HD DVD partly based on the better DRM controls, AACS.

-Vic

November 26, 2007

Parasitic Malware making a comeback

According to a recent McAfee threat predictions report, crimeware authors are returning to older techniques to deliver parasitic viruses. These viruses are able to modify and inject code into application files on a disk. Software protection technology does prevent code injection and tampering threats, but ironically the virus writers are using their own protection technology to make their malware ever more difficult for AV providers to reverse engineer and deploy countermeasures against.

-Vic

November 06, 2007

V.i. Labs Secure $8M Series B Round

Today V.i. Labs reached a significant company milestone. We just announced our new funding and our plans to expand our business. This is a significant event for us and was only possible because we were able to secure new customers and demonstrate the large market demand for software protection. Recently, we have secured contracts with large eVoting vendors, global mining software providers, as well as enterprise financial services. All of these organizations were concerned about their valuable or sensitive software IP because of competitive threats and selling their products into emerging high-risk environments such as China and Russia.

In addition, our new investors viewed our solution as much more a product offering than the expensive and service-based alternatives that had been the norm in the software protection market. We were able to demonstrate how we further differentiate our product by its support of the Microsoft .NET Framework. Application providers are only just now becoming concerned about the ease with which their source code can be accessed because of the .NET Framework architecture. Our product goes beyond obfuscation by providing active runtime protection as well as encryption for .NET code, along with consistent support for managed and unmanaged code.

-Vic

November 05, 2007

Tanks Needing Firewalls

Interesting announcement by General Dynamics and Secure Computing, who are joining up to develop a hardware and software firewall. It underscores the sophistication of tanks as well as a new class of hacks targeted at the military. Obviously there is some key software on these tanks that requires protection. The military already has anti-tampering initiatives to secure the software itself. The quote below reinforces a trend we are tracking:

"Efforts to equip tanks with digital armor are expected to escalate, says John Pike, head of defense research firm GlobalSecurity.org. He says the U.S., Russia, China and other nations are developing ways to infiltrate the electronic networks of tanks, ships and planes."

-Vic

September 20, 2007

Could Software Protection Have Stopped the TD Ameritrade Breach?

Although the details are scarce, the reported TD Ameritrade breach indicates malware was attached to an application database. If this did occur, then the attack could have come from an insider or a previous network breach which allowed software to be injected into an application component. This attack would be almost impossible to detect with most signature-based intrusion prevention systems. However, anti-tampering and runtime environment checks contained in a software protection solution embedded within the application itself could have prevented this threat.

It’s our prediction that security breaches will become more sophisticated and based on some of the same reverse engineering techniques used today in the software piracy scene.

Vic

September 07, 2007

Admin Insider Threat - Not Only a Network Access Problem

A Computerworld article discusses the recent data and software sabotage caused by a former network engineer at Council of Community Clinics (CCC) in San Diego. In this scenario, back-up data and software were deleted, but imagine the threat of a former employee with privileged access replacing key software with software containing injected malware. This type of attack may never be noticed because IPS and endpoint security systems would see it as a legitimate process.

Vic

June 23, 2006

Cyber-Security

I want to start a discussion on cyber security. Throughout the history of mankind there have been three revolutions – the agricultural revolution (when society grew from purely agrarian to rural and urban); the industrial revolution (when the steam engine amplified human strength); and the information revolution (when communications and computing extended the human brain and its interactions with its environment). I think it is safe to say that until very recently, computers didn’t do anything that humans couldn’t; they just did it faster (and didn’t get bored). We are just on the cusp of empowering computers to do things that our brains are not capable of doing, either because of complexity or capacity. When we lose our ability to fall back on the brain (in case of an electric power failure) we are also exposing ourselves to the whims and taunts of computer miscreants (I think the term hacker has been transmogrified so seriously as to be meaningless at this point).

So the question emerges as to how we defend ourselves in these circumstances. Step one, and I apologize for being so blunt about it, is that there is no excuse for such things as taking laptops home with tons of unprotected confidential data on them. There have to be both human and technological controls and standards which cannot be breached – no way, no how. Then we have to try our best to design impregnable systems which cannot be breached by even the smartest miscreant. Nice dream, but not practical. We can raise the bar, but they play by a different set of rules. It took several years to build the World Trade Center, but only about 15 minutes to reduce it to smoldering rubble. Unless we are going to encase all our computers in tungsten carbide and hide them behind twelve feet of lead – and connect them to no networks – we will be in the same boat (sorry about the mixed metaphor).

That suggests to me that where we have to head is to produce systems which can either heal themselves or have instincts (much like a dog) of what is going to be dangerous and avoid it up front. If you watch reruns of Star Trek (and I do), you can see what a system like that would look like, but getting from here to there is well beyond my cranial capacity, so I welcome any thoughts you (collectively) might have. We will all benefit.

David