The unfortunate breaches of information security defences during 2013 confirm, amongst other things, that IT security professionals will be in demand for a long time to come. According to a government survey, some 93 per cent of large UK businesses suffered a cyber-security breach during 2013. These breaches cost the affected companies anything between £450,000 and £850,000 per attack.
Moreover, the behemoths of the digital age were not left untouched by the scourge of cybercrime over the course of last year. Apple took a hit last February, when its corporate servers were breached via employee computers. The machines were afflicted by malicious code, which exploited a Java vulnerability, when they were logged into a developer website. Apple acted quickly to patch the breach, but the attack had already succeeded in a way by making an undeniable point – no business, whatever its scale, is immune from IT security breaches.
Twitter and Facebook also suffered security blips during 2013. According to one report, Twitter:
“[…] found that the usernames, email addresses, session tokens and encrypted versions of passwords for 250,000 users were potentially placed at risk.”
Facebook , meanwhile, got itself caught up in a bug related, ironically, to the “White Hat” tool it gave users for reporting security concerns or suspicions. Consequently, the email addresses of around six million users were exposed.
Learning points for the Information Security Industry
The IT security industry can, however, learn from last year’s rash of security breaches.
One clear lesson is that the no-man’s land between technological wizardry and human fallibility is still the cybercrime battleground. The attacks involving password hacks last year, for instance, would have been at least impeded if users had created more secure passwords in the first place. This is, of course, easier said than done. Even so, there is no harm in continuing to promote (relatively) secure password creation, as well as other measures such as two-stage authentication and fingerprint authentication, which bypasses the need for passwords altogether.
Second, a lot depends on the quality of the personnel hired by corporations. For instance, those recruiting for penetration tester jobs need to hire staff with a combination of the highest technical skills, native cunning, and the ability to spot needles in haystacks before the enemy does. The ability to get on well with others in the company is also crucial, since a powerful pen test can often originate from an off the cuff watercooler conversation.
Finally, we can conclude from last year’s breaches that today’s information security jobs cry out for a holistic approach, underpinned with a vast range of knowledge in specific areas. These attacks were different from each other in nature, some exploiting Java, others exploiting a Zero Day vulnerability. It’s essential for today’s security professionals to have eyes in the backs of their heads, or to ensure they have high-calibre people on their team who can keep them up to speed. After all, whilst cyber criminals are undeniably ingenious and super-adaptable to technological change and fashions, there is nothing stopping their corporate opponents being even more so.
[su_box title=”About Ryan Farmer” style=”noise” box_color=”#336588″]
Ryan Farmer has worked at Acumin for the past five and a half years as a Senior Consultant and now a Senior Resourcer. With a strong understanding of the InfoSecurity industry and the latest market developments, Ryan sources leading information security candidates for some of the world’s largest End User security teams, start up security vendors and global consultancies.Ryan is heavily involved in the Risk and Network Threat forum, has a keen interest in Mobile Security and is an active blogger and InfoSec writer.[/su_box]
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.