To better protect your data or source code, you must first understand the malicious actors trying to gain access. Hackers have no remorse and can readily run a few lines of code to probe or access your project. While these criminal activities are not new, cyber attacks have evolved and will continue to do so as DevSecOps also progresses.
In order to get ahead, you must know the facts about where hackers work, their business model, industry risks and the proactive measures needed to prevent breaches. Let’s take a deep dive into their world.
For those in the industry, the layers of the web are well known, but most people recognize little of what lies further below. Where does our personal information reside, and where does the hacking occur? We break it down in the diagram below:
SOCIAL MEDIA: Pinterest, Facebook, Instagram, Twitter & more
SEARCH ENGINES: Google, BING, YouTube, Amazon & more
COMPANY WEBSITES: Your company’s site developed on a web hosting service
GOVERNMENT RESOURCES: TCI, CIST, Azure Government
ONLINE BANKING: Your personal banking info
PRIVATE RECORDS: Financial & Medical Records
PAYMENT SYSTEMS: PayPal, Stripe, Amazon Pay, Google Pay, Apple Pay & more
CRYPTOCURRENCY: Bitcoin, Ethereum & more
THE ONION ROUTER (TOR): Free & open-source software for enabling anonymous communication, a place where hackers recruit and share information
HIDDEN WIKI: Oldest link directories on the Dark Web
SILK ROAD: Online Black Market, where your information is sold
STOLEN DATA, TRAFFICKING, & ILLEGAL ACTIVITIES: A Hacker’s paradise!
Hackers stole over $4 billion in cryptocurrencies in 2021.
*businessinsider.com
If you guessed “money” as the ultimate goal of the hackers’ business model, then you’re right! Hackers can leverage your application to steal IP or data, or to create a resource for additional fraud.
Increase Revenue
In terms of “increasing revenue,” data is equivalent to currency: the more data they obtain, the more money they can make. But this is a small portion of a much larger scheme. One large attack won’t suffice, so they tend to automate their tactics or enlist additional help. Hackers, too, work smart, not hard.
Time is Money
In the world of hacking, “cutting cost” is essential. Let’s not be naive: there are kits for just about every kind of attack. Instead of reinventing the wheel or doubling up on the work, hackers use what others have already built. Another cost-cutting example is the use of proxy servers, which allow attackers to temporarily store the data being retrieved. Last but not least, hackers love to use Remote Desktop Protocol (RDP) sessions or isolate a central processing unit (CPU) to maximize their attack.
Proactive Measures
Knowing where you’re vulnerable is crucial when it comes to your personal or business data. To stay on top of your security posture, the best thing to do is educate yourself and your team about how hackers behave. Study their business model; understanding it allows your IT department to focus controls on the problem rather than on the symptom. Educate your teams on how they attack. If you understand their methods, you can be proactive, applying security throughout the SDLC and giving your team the power to prevent risk.
This is where it gets interesting: we’ve broken down how hackers operate. They use the Deep Web to navigate and leverage other forms of hacking, all while your data and IP are left unsecured.
1. Using a proper VPN or VPS
2. Route the traffic through the TOR (The Onion Router) network
3. Use a proxy service
4. Buy an “RDP session” to attack
5. Use infected machines of other victims to run the attack!
6. Destroying or corrupting any logs
7. Sell your data on Silk Road for money or cryptocurrencies
Companies that do not have DevSecOps in place end up losing a lot more than they bargained for. Last year saw the highest average cost of a data breach in 17 years, with the annual average rising from $3.86 million to $4.24 million.
*IBM Cost of a Data Breach Report 2021
Each industry has specific risks. For example, software vendors, financial service providers, telecommunications companies, industrial manufacturers and other businesses rely on applications to generate revenue, assure business continuity and hold unique intellectual property. Businesses of all types have risks associated with their divisions, and recognizing all of them is a full-time job. Not everyone can afford to hire security researchers, so proactive approaches are based on recognizing the key challenges and building security around them.
If your company’s security systems aren’t up to standard, the risk of a breach is far greater, and failing to discover a breach costs you money: for every week a vulnerability remains in a deployed app, your customer data is accessible, your IP is exposed and runtime performance is at risk.
Average cost of a data breach by industry:
Banking & Finance: $5.72 Million
IT Organizations: $4.88 Million
Telecommunications: $3.62 Million
Small Business: $1.93 Million
Industrial: $4.24 Million
Hospitality: $3.03 Million
Healthcare: $9.23 Million
Government: $13.7 Billion
Education: $3.97 Million
The average annualized cost of cybercrime in the financial services industry is approximately $20 million, against an average of $13 million across all industries. Technology changes every year and brings unforeseen challenges with it; prior to the pandemic, for instance, industry risks were far lower than they are today with remote working. Now that sensitive data can be accessed from anywhere at any time, attacks have tripled in the past three years, shifting each industry’s security standards. If you know your industry’s risk, you know what to look out for.
To read more on your industry’s risk, visit our eBooks page. We give you up-to-date industry research, perspectives and data to help you improve your application security approach.
* 2022 IBM Report
A total of 82% of organizations have admitted to increasing their cybersecurity budgets over the past year, with these funds accounting for up to 15% of total IT spending.
*IBM Cost of a Data Breach Report 2021
Budget allocations for security tools are crucial for every type of business when planning the fiscal budget.
According to Cisco, 50% of large enterprises (with over 10,000 employees) are spending $1 million or more annually on security, with 43% spending $250,000 to $999,999, and just 7% spending under $250,000. Larger corporations have the budgets, but it is the smaller businesses that tend to overlook or not invest in security.
Not investing in any form of cyber security exposes a business to its core. Reputational damage, loss of income, fines and sensitive data leaks are just a few of the consequences a company faces during a breach. It is better to be proactive than reactive.
A secure application development process is crucial at every stage, but what is secure application development and how can it help protect you?
Secure application development means integrating security into every stage of development, including:
• Security requirements in the planning phase
• Security-focused code reviews during development
• Penetration testing during integration/acceptance testing
See diagram:
Static Application Security Testing (SAST) and Software Composition Analysis (SCA) tools are highly recommended to better protect your code and data. SAST typically takes place early in the software development life cycle, as the diagram above shows. It helps developers find vulnerabilities in the initial stages of development and resolve quality issues without breaking builds or letting vulnerabilities sneak into deployed applications.
SCA automates the entire process of managing open source components, including selection, alerting on any security or compliance issues, or even blocking them from the code base. It also provides comprehensive information about the open source vulnerabilities discovered so that you can fix them easily. SCA tools can be used throughout the SDLC, from creation to post-production, as shown above.
These two elements are needed to help every industry catch vulnerabilities. Scanning your code or any application is crucial to knowing where hackers can enter and to mitigating those gaps. No one wants to become another statistic or endure the consequences of cutting the security budget. It is better to spend and protect your company than to double your losses.
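To make the SCA description above concrete, here is an added example written for this page (not code from any vendor’s product): a minimal dependency gate that parses a pinned pip-style requirements file, matches each package against a constructed advisory list and a constructed license denylist, and reports findings that would block the build. The advisory IDs, package names, versions and licenses are all made-up sample data.

```python
# Added example, not a vendor tool: a minimal SCA-style gate over a pip-style requirements
# file. Advisory and license data are constructed samples; real SCA uses feeds such as OSV/NVD.
# Constructed advisories: package -> [(first vulnerable, first fixed, id, summary)]
ADVISORIES = {
    "examplelib": [((1, 0, 0), (1, 4, 2), "ADV-0001", "auth bypass")],
    "fastparse": [((0, 1, 0), (0, 9, 0), "ADV-0002", "DoS via crafted input")],
}
# Constructed license metadata; the denylist stands in for a compliance policy
LICENSES = {"examplelib": "MIT", "fastparse": "AGPL-3.0", "tinyjson": "BSD-3"}
DENIED_LICENSES = {"AGPL-3.0"}

def parse_version(text):
    """'1.4.2' -> (1, 4, 2); tuples compare element-wise, as versions should."""
    return tuple(int(p) for p in text.strip().split("."))

def parse_requirements(text):
    """Return {package: version} from 'name==x.y.z' lines, ignoring comments."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "==" in line:
            name, ver = line.split("==", 1)
            deps[name.strip().lower()] = ver.strip()
    return deps

def scan(requirements_text):
    """Return one finding per vulnerable or policy-violating dependency."""
    findings = []
    for pkg, ver in parse_requirements(requirements_text).items():
        v = parse_version(ver)
        for lo, fixed, adv_id, summary in ADVISORIES.get(pkg, []):
            if lo <= v < fixed:  # pinned version falls inside the affected range
                findings.append({"package": pkg, "version": ver, "kind": "vulnerability",
                                 "detail": f"{adv_id}: {summary}; fixed in {'.'.join(map(str, fixed))}"})
        lic = LICENSES.get(pkg)
        if lic in DENIED_LICENSES:
            findings.append({"package": pkg, "version": ver, "kind": "license",
                             "detail": f"{lic} is denied by policy"})
    return findings

def should_block(findings):
    """Gate the build on any finding; real tools usually gate on severity."""
    return len(findings) > 0

SAMPLE_REQUIREMENTS = """# constructed sample manifest
examplelib==1.2.0
fastparse==0.5.0
tinyjson==2.3.1
"""
```

Running `scan(SAMPLE_REQUIREMENTS)` yields three findings (two vulnerabilities and one license violation) and `should_block` returns True; bumping examplelib to 1.4.2 clears its advisory.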