Andrey Shagalov, IT Company Top Manager, “The Problem of User Carelessness is Far from Having Disappeared”
The main conference of the year in Russia dedicated to the latest trends in cybercrime technologies and data protection has concluded in Moscow. As is traditional, the forum discussed the most pressing problems of the IT industry related to the security of software and hardware solutions. Andrey Shagalov, a forum participant and Director of Quality Assurance at Artezio, told us about new threats and standards for secure development.
Q: Information security events and conferences are held every year by dozens of organizations and government agencies. Is there any impact from such a large and lengthy discussion of data protection issues?
A: The solution to the problem of data protection lies not only with software developers but also with users. Therefore, the wider the information coverage, and the more often data leakage problems and their consequences are discussed, the more effectively these tasks are solved. We can say that some dangerous vulnerabilities that were previously considered critical now simply do not exist. This is due to awareness and to the technological development of software and hardware devices. For example, not so long ago banking Trojans that “stole” money from users’ cards were “popular”; now they are disappearing, both in Russia and in the world. Besides, protection in operating systems for desktop and mobile devices has been increased. But it is too early to feel safe, because existing tools for hacker attacks are constantly being replaced by new ones, and this is an evolutionary process. This is now widely discussed, including at the recent conference. Whereas earlier the main loophole for hackers was malware distributed via spam, the next attack target, judging by the trends, will be network equipment: routers, especially home ones, which have not been updated for years and, as a rule, run outdated base software. Nor should we forget the possibility of accessing a company’s network through the home equipment of employees, who increasingly work remotely.
Q: But does the problem of user education still remain?
A: Yes, despite the increased protection of software and devices, the problem of user carelessness remains. People are learning, but there is still no universal understanding of the importance of data security issues. Many people are still ready to thoughtlessly open an attachment in an email from an unfamiliar sender or download a questionable file.
Q: Should software developers take into account the emergence of new tools that hackers use to attack networks and obtain data?
A: In a world where even small devices are connected to the global network, and where information is one of the main resources in software development, it is very important to give data security a special place. There are standards that describe the process of creating secure software, regulate the use of various schemes and techniques, and set out best practices for writing code. Modern development is, as a rule, built on ready-made frameworks whose security has been worked out over years of practice, and yet every month new vulnerabilities are discovered, not only in software but also in hardware. And those are only the published vulnerabilities; in fact, there are also vulnerabilities known to hackers but not yet accessible to the public. Companies that specialize in information security, such as Group-IB, claim that the level of software security is far from ideal. For example, over 80 percent of web resources requiring authentication have at least one critical vulnerability. The reason may be a framework that was not updated in time because the developed application no longer has maintenance support, errors made by system administrators, or bad decisions by developers. By the way, not all applications in the world are created by professional developers. Another matter is that the customer of a particular solution does not always focus on data security or is not always willing to spend money on creating serious protection. This applies to custom software development, where developers implement solutions for customers who place special requirements on the product’s creation process and results.
Q: Are customers of software companies ready to save on data security?
A: It is unlikely that there will be a client who will say, “do as you like, I don’t care”. We work with large corporate customers for whom data protection is critical. In case of security problems, the damage may amount to astronomical sums, not to mention reputational risks. Any bank or large company has its own information security policy. At the same time, everything should be logical, thought out and ideally designed in advance. Even at the stage of developing requirements, it is necessary to understand what information should be protected and how critical the leakage of various types of data is. Based on this knowledge, it is necessary to refine the enterprise security policy, the infrastructure architecture, and the software architecture. Part of the corporate data may well be public – for example, no one hides the addresses of their shops or ATMs. Does it make sense to spend money on developing a specially protected application for storing such data if users are completely satisfied with an Excel spreadsheet in the public domain? In general, no, it is quite possible to save. But the same information, published before the opening of the store and falling into the hands of competitors, can cause financial damage to the retailer.
Q: And what if the customer does not insist on security?
A: Developers must draw attention to the need for such protection if it is seen as a critical part of the project. There are world best practices in software development, including security, and the team should have very good reasons for departing from them. For example, the transition to a new version of the platform is often associated with additional costs, which are rarely included in the budget. At the same time, bringing the customer the unpleasant news about the need for such a transition (if we are sure of this need), and about the risks to which they are exposed, is part of our work.
Q: Does everyone understand the risks?
A: If we talk about business – almost all large companies have already experienced data leakage, so yes. For a business, the risk of losing information means financial and reputational costs. Users can still neglect their security, but businesses risk money and their position in the market each time. In addition, we should not forget that work is also going on at the legislative level, establishing liability for negligence with personal data and secret information.
Q: Does it make sense to introduce new standards for developers that take into account requirements for data security?
A: The best practices of secure programming have existed for many years, and developers adhere to them, especially when it comes to creating solutions for organizations that work with sensitive information. These can be banks, government organizations and commercial companies. It is even possible to standardize business processes for developing secure solutions in accordance with international or state requirements. This is true for developers who specialize in the release of secure solutions. Of course, these practices and standards need to be developed. However, it is important to understand that development is usually based on existing software solutions and tools. And the security of solutions depends largely on whether the operating system is protected and whether it is possible to penetrate the enterprise network through infrastructure weaknesses, such as outdated network equipment.