Great Idea - but they’ll need a lot more than TWO!

Boeing’s systems need to be capable of staving off hackers, and for more than two years, the company has been employed two cyber security specialists (“hackers”) to test the security of its computer systems. I like it, but there’s more that needs to be done.

Since most large organizations rely on a mix of COTS hardware, 3rd party software applications, communication technologies, and custom code to run their IT infrastructure, it’s difficult to apply a single security assessment solution to ensure adequate coverage and protection.  If organizations want to better understand where they are most vulnerable, they need to view their systems holistically.  This is, after all, how real-world hackers work - there is no "in scope" or "out of scope" and they can target any soft spot in the exterior.

Performing penetration tests and code reviews of selected software applications is a great best practice for data security, along with network penetration testing, but it tends to approach security from the inside out and doesn’t always follow chaining paths between vulnerable systems.  This makes it more difficult to understand with certainty which hardware and software applications are putting your organization at real risk of attack.

Organizations must secure thoroughly from within.  This means considering every avenue of attack and securing each layer and component as well as possible. How do you do this?  Internal (Red Teams) and external penetration testing. Red teams are internal resources that you deploy to attack an asset to determine if it’s vulnerable. When the development team thinks all risks and threats have been mitigated, it’s time to bring on the Red Team. The Red Team's job should be to find any way into the system possible. 

Put another way, think of it as product competition. Take the mobile phone industry for example:  it is up to each phone developer to create the best feature sets and the usability possible, but it's not impossible for the competition to think up something completely new, change the game and win. Each company must at once think of the current competitive landscape and imagine how the game may change completely if a competitor hits on “the next big thing.” Before the iPhone everybody was competing on the same features and the same understanding of usability. It wasn't until Apple ushered in this renaissance of the smartphone era that we could jar something as beautiful and usable as the Windows Phone 7.

In that way the development and test teams need to use every tool at their disposal (both manual and automated) to find and remediate every risk they can. Research all the current threats, attack types, etc, but never lose sight of thinking about the next thing that will utterly change the landscape of security regarding your application.

My final thoughts:

  • Boeing is a company of about 165,000 employees, with thousands of computer systems, tons of sensitive information, government and flight data that hackers would love to get their hands on. All this and they have two college kids securing their stuff? They need dozens more, whether they are internal or external.
  • The article quotes "Sims, 25, and Tam, 24, spend much of their days devising, revising and analyzing complicated security programs that they then attempt to crack." These two guys are in charge of building AND breaking security systems. This doesn't work (at least not well). I design a system to be resilient against the threats I know about – so by definition I cannot break it.
  •  It’s critical to get independent, expert eyes into the mix.  They have no conflict of interest and come in with a larger arsenal of attacks and a fresh mind to assess the system
  • The best (and often only) way to understand how an attacker views your IT systems/infrastructure and takes advantage of insecurities is to do the same.  Too few organizations employ this approach, which we feel is so integral to data security that we created a program to serve this specific need.