Things to Consider in Order to Avoid a Krisflyer-Style Catastrophe
In the wake of Singapore Airlines' Krisflyer cross-customer data leak, Singapore now expects companies that handle customer information to secure it by default. There were reports of companies operating in Singapore offering security features on top of their basic service for a fee, a practice the Singapore government strongly discourages within its borders.
It is bad practice for organisations to charge customers extra for better security in their products and services. Such a habit can produce IT security problems as severe as, or worse than, the Krisflyer breach, in which customers were able to see other customers' information. SIA's most frequent flyers were exposed to risks the company has not openly discussed, and a bug of this type should have been caught during internal testing.
Software bugs are common, and many of them are security risks, to the point that more and more companies enlist outside researchers through generous bug bounty programs. Google, Microsoft, Facebook and other tech giants and industry leaders run such programs to draw on the public's insight and let outsiders help find bugs in their applications.
“When building the application, it is most likely there were some basic flaws in the design of how authentication is performed to determine who can access what data,” explained Nabil Hannan of Synopsys, a software security consulting firm.
Any application needs a development cycle that makes bug hunting easier for its own developers. This includes regular audits and regular updates of the security checks applied to pre-release code, and the same scrutiny for all the tools used in development.
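The flaw Hannan describes above, authenticating the user but then trusting a client-supplied identifier to decide whose record to return, is easy to show in code, as is the pre-release check that would catch it. The following is an added illustration, not Singapore Airlines', Synopsys' or any vendor's code; the member ids, profile data and session model are constructed for the example.

```python
"""
Added example (not code from the airline or any consultancy quoted here):
a minimal "member profile" lookup with the access-control flaw described
above, next to a hardened version, and the regression check an internal
test suite should run before release. All names, ids and data are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: two hypothetical loyalty-programme members.
PROFILES = {
    "M1001": {"name": "Alice Tan", "email": "alice@example.com", "miles": 52000},
    "M1002": {"name": "Bob Lim", "email": "bob@example.com", "miles": 8100},
}


@dataclass
class Session:
    """Server-side session: member_id was set at login, never by the client."""
    member_id: str


class Forbidden(Exception):
    pass


def get_profile_vulnerable(session: Optional[Session], requested_member_id: str) -> dict:
    """Authentication only: checks the caller is logged in, then trusts the
    member id carried in the request to decide whose data to return.
    Any authenticated member can therefore read any other member's profile."""
    if session is None:
        raise Forbidden("login required")
    return PROFILES[requested_member_id]


def get_profile_hardened(session: Optional[Session], requested_member_id: str) -> dict:
    """Authentication plus authorization: the record returned is bound to the
    identity established at login. A request for someone else's record is
    refused rather than silently served, and the lookup key itself comes from
    the session, never from the request."""
    if session is None:
        raise Forbidden("login required")
    if requested_member_id != session.member_id:
        raise Forbidden("cannot access another member's profile")
    return PROFILES[session.member_id]


def cross_customer_read_possible(handler) -> bool:
    """Regression check for the internal test suite: log in as one member and
    request the other member's profile. Returns True if the handler leaks it,
    False if it refuses."""
    alice = Session(member_id="M1001")
    try:
        returned = handler(alice, "M1002")
    except Forbidden:
        return False
    return returned == PROFILES["M1002"]


if __name__ == "__main__":
    print("vulnerable handler leaks:", cross_customer_read_possible(get_profile_vulnerable))
    print("hardened handler leaks:  ", cross_customer_read_possible(get_profile_hardened))
```

The point of `cross_customer_read_possible` is that it is cheap to write once and run on every build: it does not need to know how the handler is implemented, only that a member logged in as one identity must never receive another identity's record. A check of this shape belongs in the pre-release suite the paragraph above calls for, so that a later update which regresses the authorization check fails the build instead of reaching customers.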
Companies need to stop treating IT security as a 'best effort' exercise and instead fund a reliable cybersecurity defence for the organisation, its employees and its clients. In the case of Singapore Airlines, a lack of rigour in auditing their systems led to the negligence-driven Krisflyer problem they face today.
Critical systems such as airline software require a development process oriented entirely toward guaranteeing the quality of the final product, one in which improvisation and last-minute changes to the specification are not acceptable. Everything has to be tested and verified so that the chance of error is reduced as far as possible. The result is a level of quality far superior to what a typical customer is accustomed to at the user level, and, as is to be expected, it comes at a much higher cost, a cost that is worth every penny.
“Airlines need to model their security endeavours around the hundreds of thousands of customers who trust them to protect the private information they are required to share in order to fly. This means protecting all potential points of entry, including APIs, network connections, mobile apps, websites, and databases,” emphasised Setu Kulkarni, VP of WhiteHat Security, a cybersecurity consulting firm.