The world first caught wind of a massive breach linked to cyber firm SolarWinds last December. The breach was unique not only in its scale, but also in its method of attack. Hackers targeted the very first stop of the entire cyber line of defense: the cybersecurity software.
One surprising factor was the scale of these attacks, say Abhik Roychoudhury, Provost’s Chair Professor at the National University of Singapore’s Department of Computer Science, and Liang Zhenkai, Associate Professor in the same department.
First, we need to rethink what makes ‘trustworthy’ software, say Roychoudhury and Liang. “Think of this as extra vigilance – why trust software because it comes from a trusted supplier?” they add. The second lesson is to prioritise application security, which means making the services that run on individual devices more secure. Every device – be it a mobile phone, laptop or IoT sensor – that connects to an organisation’s central network presents an opportunity for attackers to strike. The bad news is that the software for these devices is “most fragile (and poorly written), allowing attackers easy access,” Roychoudhury and Liang note.
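One concrete form of the “extra vigilance” Roychoudhury and Liang describe is to verify what a supplier ships against values you obtained independently, rather than accepting it because of where it came from. The example below is added here and is not code from the article or from the professors quoted; the artifact names, contents and the “pinned” digests are constructed for the demonstration and stand in for digests recorded out of band (from a prior review, a separately published manifest, or your own build attestation store). It flags three conditions a reviewer would want surfaced: a file whose digest no longer matches, a file that arrived but is not in the manifest, and a file the manifest expects but that is absent.

```python
import hashlib
import hmac
from typing import Dict, List, Mapping


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a byte string as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def verify_release(artifacts: Mapping[str, bytes],
                   pinned: Mapping[str, str]) -> Dict[str, List[str]]:
    """Compare received artifacts against digests pinned out of band.

    Returns a report with three sorted lists:
      mismatched - files whose digest differs from the pinned value
      unexpected - files received that the pinned manifest does not list
      missing    - files the manifest lists that were not received
    The release is acceptable only when all three lists are empty.
    """
    report: Dict[str, List[str]] = {"mismatched": [], "unexpected": [], "missing": []}
    for name, data in artifacts.items():
        expected = pinned.get(name)
        if expected is None:
            # A component the manifest never listed is treated as suspect,
            # regardless of which channel delivered it.
            report["unexpected"].append(name)
            continue
        # Constant-time comparison of the two hex digests.
        if not hmac.compare_digest(sha256_hex(data), expected):
            report["mismatched"].append(name)
    for name in pinned:
        if name not in artifacts:
            report["missing"].append(name)
    for key in report:
        report[key].sort()
    return report


def release_is_trusted(artifacts: Mapping[str, bytes],
                       pinned: Mapping[str, str]) -> bool:
    """True only when nothing is mismatched, unexpected or missing."""
    r = verify_release(artifacts, pinned)
    return not (r["mismatched"] or r["unexpected"] or r["missing"])


# Constructed sample release (hypothetical file names and contents).
GOOD_RELEASE: Dict[str, bytes] = {
    "agent-1.2.3.bin": b"constructed release payload v1.2.3",
    "agent-1.2.3.cfg": b"constructed default configuration",
}

# Constructed stand-in for digests obtained out of band; in practice these
# come from a source independent of the download channel being checked.
PINNED: Dict[str, str] = {name: sha256_hex(data) for name, data in GOOD_RELEASE.items()}

# Constructed tampered delivery: one file altered, one unlisted file added.
TAMPERED_RELEASE: Dict[str, bytes] = dict(GOOD_RELEASE)
TAMPERED_RELEASE["agent-1.2.3.bin"] = b"constructed release payload v1.2.3 plus altered bytes"
TAMPERED_RELEASE["extra-component.bin"] = b"constructed file not in the manifest"

if __name__ == "__main__":
    print("good release:", verify_release(GOOD_RELEASE, PINNED))
    print("tampered release:", verify_release(TAMPERED_RELEASE, PINNED))
```

The check is deliberately independent of any signature the supplier attaches: a valid signature proves the supplier produced the artifact, not that the artifact is what you reviewed and expected, which is why the pinned manifest must come from a source other than the delivery channel itself.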