Football fans will remember that in July 2020, the theft of nearly £1m from a Premier League football club was narrowly avoided. Before that, in February 2020, a misconfigured application leaked information from the Brazilian ticketing company Futebol Card. The latest news about West Ham is hardly surprising. We will only see these headlines go away when all software deployments are done with security in mind. When organization of all types have a security-first mindset, we will no longer read sad stories about open databases or misconfigured applications. Problems will still happen, of course, but they will be less common. Let’s make life a little hard for the bad guys. Affected West Ham fans should be aware that their personal information might be available to bad people, and be skeptical of unsolicited calls and emails containing their information.

A website for COVID test results in West Bengal in India is apparently missing access control, such that anyone can view results for anyone else. Like most software, this application was probably built as quickly as possible with functionality being its only goal. We will stop seeing these kinds of headlines only when development teams include security at every phase of development. In this case, about ten minutes of threat modeling during the application’s design would have made obvious the danger of the scheme for referencing results. Designing a better access system would have added perhaps an hour or two to the development cycle. Like brushing your teeth or eating your vegetables, security needs to be a consistent habit with application development teams. For development teams, security is a habit that produces long-term positive results. Citizens whose information has been exposed are advised to be wary of unsolicited emails or telephone calls that have might include information such as address, age, and other personal details.

The Number:Jack vulnerabilities highlight the difficulty of random numbers. Many algorithms in computing, and especially in cryptography, require random numbers, which means numbers that cannot be predicted ahead of time. 

Unfortunately, computers are not good at being unpredictable. “Random” numbers in computers are almost always created by a pseudo-random number generator (PRNG), an algorithm that produces a deterministic sequence of numbers. The PRNG can be seeded with something truly random, usually some electrical or atomic process, which makes the pseudorandom sequence impossible to predict. Most devices, however, do not have the required hardware for such a truly seed. 

"Another problem is that developers sometimes don’t understand how important a truly random seed is and will use much more deterministic sources for the PRNG seed, such as the system clock. Problems like these are compounded in IoT devices, where an update process might be difficult or missing entirely. Consequently, weaknesses and vulnerabilities present in IoT devices often persist indefinitely and offer an attractive attack surface for attackers.

The Number:Jack vulnerabilities highlight the difficulty of random numbers. Many algorithms in computing, and especially in cryptography, require random numbers, which means numbers that cannot be predicted ahead of time. 

Unfortunately, computers are not good at being unpredictable. “Random” numbers in computers are almost always created by a pseudo-random number generator (PRNG), an algorithm that produces a deterministic sequence of numbers. The PRNG can be seeded with something truly random, usually some electrical or atomic process, which makes the pseudorandom sequence impossible to predict. Most devices, however, do not have the required hardware for such a truly seed. 

Another problem is that developers sometimes don’t understand how important a truly random seed is and will use much more deterministic sources for the PRNG seed, such as the system clock. Problems like these are compounded in IoT devices, where an update process might be difficult or missing entirely. Consequently, weaknesses and vulnerabilities present in IoT devices often persist indefinitely and offer an attractive attack surface for attackers.

Like every other critical infrastructure sector, healthcare is deeply dependent on software. From the tiniest devices to the largest medical record systems, software offers attackers an asymmetric advantage to damage the confidentiality, integrity, and availability of data and equipment. 

The recent rash of ransomware attacks should convince any healthcare organisation that a proactive approach to software security is not a luxury but a necessity. Organisations that wish to reduce risk use a software security initiative, which encompasses buying and configuring software products as well as how to respond to software security incidents. Even when an organisation is careful about purchasing products, configuring them, and deploying them in a network infrastructure, things will still go wrong. Having incident response plans means being able to respond quickly and effectively when problems arise. 

A big part of cybersecurity has to do with how software products are built in the first place. Following a secure development life cycle, where security is examined and tested at every phase of development, helps vendors create more secure, more reliable software products. Healthcare organisations that consume these products should demand such a process from their vendors and participate in standardization efforts to define acceptable development practices.

Recently, researchers discovered that the privilege escalation vulnerability CVE-2021-3156, also known as Baron Samedit, affects macOS, including the latest available version. By itself, a privilege escalation vulnerability might not be especially dangerous for most users. It could only be exploited if an attacker already has access to your computer, either locally or through a remote shell.

Chained together with one or more other exploits, however, the risk of CVE-2021-3156 could be multiplied. If an attacker exploits another vulnerability to run code as a regular user, then they can trivially run the exploit for CVE-2021-3156 to gain administrative access, allowing them to take complete control of your computer. macOS users are advised to apply updates from Apple as soon as the fix for CVE-2021-3156 is available. In the meantime, try to avoid risky situations. Keep your other software up to date, don’t click on dodgy links, don’t click on email attachments unless you’re confident about their origins, disable network services you are not using, and so forth.

Admitting that a problem exists is the first step in overcoming that problem. The World Economic Forum ranks cybersecurity failure as the fourth most pressing “clear and present danger” to the global economy. Managing cybersecurity requires organisations of all types and sizes to address cybersecurity directly. Organisations that use software (basically everyone) should put policies and processes in place to minimise risk and protect data. Organisations that build software must make security an integral part of their development efforts. The costs of managing cybersecurity today are a small price to pay in comparison with the mammoth costs of cybersecurity failures in the future.

Software is the critical infrastructure that supports organisations of all types. Cybersecurity is important for every organisation, whether they know it or not. 

The recent vulnerability found in the United Nations technology infrastructure shows just how easy it is to accidentally expose a large volume of sensitive data. Like any other organisation, the UN needs a top-down approach to cybersecurity, with defined policies for protecting assets and established processes for publishing software. 

In this case, the United Nations’ Vulnerability Disclosure Program worked exactly as it should; security researchers located a dangerous vulnerability and the United Nations was able to fix it to prevent any further exploitation. This is a good outcome, but a better path forward would be a proactive approach, in which processes would be put in place to prevent such a vulnerability from ever being exposed in the first place. 

A proactive, positive approach to cybersecurity is the best way for organisations to reduce risk and protect their assets.