Global security breaches are now an 'epidemic': report

Summary: According to one security expert, global security breaches are now comparable to an "epidemic" -- and immediate action must be taken.


The rising number of security breaches and high-profile cyberattacks has reached "epidemic" stages, according to security researchers.

Do coders learn security practices and methods to thwart hackers too late to be effective? Pieter Danhieux, a security instructor from the SANS Institute, argues that this is the case, and that it has left security staff unprepared for the rising onslaught of hacking and security breaches worldwide.

The security instructor argues that current teaching methods in application design and programming need to undergo some rapid changes to try to contain the cyberattack "epidemic," as students are often not given a thorough enough grounding in secure design processes at early stages in security courses.

Danhieux commented:

"Programming students will typically attend a single module on security during a course and it often comes in the later part of the educational cycle. The result is often a class of very talented developers but they don't think with security in mind."

In his opinion, this has led to "poor" security practices, especially in relation to building applications that have buffer-overflow and SQL injection vulnerabilities -- something widely exploited by hackers across the globe, including hacking collective Anonymous. Danhieux also points out that these system flaws were the most fundamental mistakes made by coders ten years ago, and are still the most common issues found today.

"But you can't just say it's just down to insecure program design," he notes, "the bigger problem is still due to insecure passwords, over privileged users and poorly patched systems."

This is perhaps unsurprising, considering how many people use qwerty-based passwords or phrases including "ninja" and "jesus", or fail to properly lock their mobile devices.

Only high-profile security breaches, such as HSBC's experience with DoS attacks and hacktivist groups that target university websites, generally make the news, but a number of incidents go unreported every year -- which is why teaching the next generation of security professionals how to keep up-to-date with the latest exploits is now so crucial. The security researcher stated:

"The U.S. is one of the only countries with a well-developed disclosure culture around security breaches. So the assumption might be that there are relatively few incidents and that America is the epicentre -- I can tell you for a fact that the scale of the attacks is at epidemic proportions and it is organised, well-funded and global."

Image credit: Don Hankins

  • round and round...

    "keeping up with patches" is always reactionary, and can never fix the core of the problem:

    1. design failures - which means that you can't really fix the security problem in first place.
    2. bugs - very common and basic bugs are relatively easy to fix, but multiplied by design failures, which are not.

    And many of the design failures are caused by using advanced program development suites that are not aimed at the application problem domain. Basically, improperly using the suite for things it wasn't designed to do (if you only understand a hammer, everything is a nail).
    • It's the Wintel Design

      It’s easy to blame the programmers for the security issues. The reality is it has a lot to do with the compilers and Intel processor design.
      The fault is “inline coding” in which the program code and data reside in the same memory segments. This leads to buffer overruns which in turn is the most common security exploit that requires a patch. In the early days it was faster to use inline code rather than separate data and code segments. The advantage of a data segment is when you exceeded the segment size it wraps around to the beginning of the data segment instead of overwriting code that is in the memory following the data segment.
      Over time both compilers and Intel processors have been tweaked to improve inline code performance. Often today the buffer overrun is due more to the way the compiler operates than to an issue with the programmer.
      With today’s multi-core, multi-pipeline, and heavily cached processor designs, designing dedicated data segment pipelines and caches, plus retweaking the compilers, would eliminate most if not all of the performance issues.
      No matter what security features are built into motherboards, file systems or Operating systems, buffer overruns will defeat them all. Sooner or later the Wintel community will have to address inline coding.
  • Don't get me started . . .

    "especially in relation to building applications that have buffer-overflow and SQL injection vulnerabilities"

    Don't get me started.

    1) OSes, hardware, and compilers need to do more to stop this from being a problem, period. We need to start solving this at an architectural level.

    2) The SQL language itself needs to stop allowing injections. I'm sorry, but it has to happen. I pin SQL injection problems squarely on the designers of the language. SQL needs to be secure by default, not insecure by default.

    "Programming students . . ."

    Stop right there.

    Because not everybody who programs is a programming student.

    There are a LOT of hobbyists who just pulled some books off the shelf. And yes, some of them are actually selling software.

    We've got a long, painful road to make things more secure - and it's not gonna be solved with a few security classes at the universities.
    • #blackhackers

      If your hurry you better get something to eat.., I'm gone to eat
  • Global security breaches are now an 'epidemic': report

    As long as software is soft and malleable, the threat cannot be expunged but only mitigated with proper engineering of hardware and software ...
  • Security practices have little to do with it

    Imagine a world where criminals systematically, brazenly and regularly check to see if you leave a window or door unlocked, even for a minute, that you are using a weak lock for your bike, or if your pocket was easy to pick, and so on, so the slightest lapse on your part would lead to theft. That's basically the computer world these days. Now imagine that your doors and windows were not very strong and that your locks needed regular maintenance -- that's basically the state of software these days thanks to unmanageable, bloated and poor coding, no cohesive and easy to implement security standards, and users and small business people completely left in the dark about what to do. Windows is a nightmare for security thanks to its complexity and poor design, but it's hardly alone in this regard (looking at you, Adobe.) Best practices mean very little when the hacker and virus writer's best friends are Windows and commonly used software.