This Week in Cyber: Nov 15th – 19th 2021

Digital Security by Design

At the start of this week, it came to light that the Federal Bureau of Investigation’s email servers were hacked to distribute spam emails impersonating FBI warnings. These emails claimed that the recipients’ network had been breached and data stolen. The hackers sent out tens of thousands of emails from an FBI email account warning about a possible cyberattack, according to the Spamhaus Project, which tracks spam and related cyber threats. The FBI said it, along with the Cybersecurity and Infrastructure Security Agency, is “aware of the incident this morning involving fake emails from an email account.”

Commenting on this, John Goodacre, director of Digital Security by Design and Professor of Computer Architectures at Manchester University, said “Governments and private individuals all use or interact with many digital systems. Whether through misconfiguration or errors in the software, such systems are vulnerable to cyber-attack, ransom, and data loss. Although system manufacturers and those configuring a system are increasingly aware of security by default principles, there is a persistent 70% of reported software vulnerabilities that can lead to exploitation by cyber criminals. The UK government has an initiative with industry called Digital Security by Design that aims to block this significant class of vulnerability from being exploited through a fundamental change in the underpinnings of the underlying hardware.”

Digital Security by Design

A piece of research that caught our eye this week was released by Synopsys. Amassing data from just under 4,000 security tests on over 2,500 systems and pieces of software, the research discovered that as many as 97% possessed some form of vulnerability. Out of this 97%, over a third (36%) were classed as high or critical risk. Other findings from Synopsys’ ‘2021 Software Vulnerability Snapshot’ report included:

  • The Top 10 vulnerabilities identified by the Open Web Application Security Project (OWASP) were found in 76% of the targets assessed. This includes ‘information disclosure/leakage’ (19%) and ‘server misconfiguration’ (18%).
  • Eighty percent of vulnerabilities found in mobile tests were tied to insecure data storage, meaning a bad actor could gain access to a mobile device either physically through theft or through malware.
  • Content-Security-Policy headers, which ensure that resources from an untrusted source do not load on a website, were missing on 52% of the targets, making this the top vulnerability discovered.

Discussing the research findings, John said “The Mitre CVE list has been used for many years to report vulnerabilities, of which 70% are related to memory safety issues, many of which are in the top 25. The UK Government has an initiative called Digital Security by Design which is working across industry and academia to block this significant class of vulnerability from being exploited through a fundamental change in the underpinnings of the underlying hardware.”

You can follow updates @DSbDTech or via LinkedIn here #DSbDtech

Follow Innovate UK

Twitter @innovateuk

Innovate UK on LinkedIn

You can find out more about the Industrial Strategy Challenge Fund here

Delivered by Digital Catapult, funded by UKRI through the Digital Security by Design programme.