International hacks, politics and knee-jerk cybersecurity - never a good mix

The FBI is now leading an investigation into the hack of the Democratic National Committee. This is the first acknowledgment from the agency that it is probing the incident, which US officials suspect was a Russian cyberattack. The FBI said the suspected Russian hack is part of a wave of Russian cyberattacks aimed at political organizations and academic think tanks in Washington. Over the weekend, Wikileaks began publishing emails from the DNC. The group didn't identify its source, but Hillary Clinton's campaign pointed the finger at Russia, saying the release of the stolen emails was intended to help Republican nominee Donald Trump.

The FBI has sent experts to meet with the Republican National Committee, as well as the major campaigns, to discuss their security measures. No similar intrusions have so far been detected at the RNC or the campaigns of the two major party candidates.


Point-of-View by Jeff Williams:

Knee-jerk reaction to cyberattacks is not an effective way to protect valuable data

“The “attribution problem” makes it extremely difficult to accurately know who is responsible for an attack. Perhaps the Russians were hacked first by North Korea? Who knows. We will *never* know with certainty. And that’s the problem... Without certainty, there are no options for response.

At the exact same time that every interesting effort is being turned into software, the attackers are becoming more organized, sophisticated, and creative. Yesterday it was about stealing money. Today it’s about influencing an election. Tomorrow, who knows? Maybe it’s about harming groups of people by attacking their healthcare, retail, or government, gaining a marketing advantage by using drones or crashing the electric grid. However, more than likely it will be something that isn’t obvious today.

It’s frustrating to watch this knee-jerk reaction to cyberattacks that focuses exclusively on cyber response. We can do so much better at building software that is resilient to attacks. The government should be pushing software producers to create code that doesn’t have well-known, obvious vulnerabilities, like the items in the OWASP Top Ten that haven’t changed for the past 14 years. That’s an embarrassment. Why can’t organizations like the FTC strongly “encourage” organizations to at least follow some basic application security practices: training developers, threat modeling, automated verification, and runtime protection? To me it is negligence to not put these practices in place when the exposure and damage is obviously foreseeable.”

~ Jeff Williams, CTO, Contrast Security


Developing and maintaining a robust application security program does not need to be a daunting task.

Perhaps all it takes is rethinking your existing program and moving to one that leverages a continuous application security (CAS) approach. Organizations practicing CAS quickly determine how a new risk affects them, design a defense strategy, and measure their progress toward 100% coverage. By implementing eight functions within an enterprise, you can assemble an effective application security program.

Jeff Williams, Co-Founder, Chief Technology Officer

Jeff brings more than 20 years of security leadership experience as co-founder and Chief Technology Officer of Contrast Security. He recently authored the DZone DevSecOps, IAST, and RASP refcards and speaks frequently at conferences including JavaOne (Java Rockstar), BlackHat, QCon, RSA, OWASP, Velocity, and PivotalOne. Jeff is also a founder and major contributor to OWASP, where he served as Global Chairman for 9 years, and created the OWASP Top 10, OWASP Enterprise Security API, OWASP Application Security Verification Standard, XSS Prevention Cheat Sheet, and many more popular open source projects. Jeff has a BA from Virginia, an MA from George Mason, and a JD from Georgetown.