Every industry has its game-changers and the information security industry is no exception. Nearly every month we hear about a new attack or vulnerability which sends the media into frenzy.
The biggest game-changer, not just for Information Security but for the technology industry as a whole, was the adoption of the internet as an integral part of everyday work life.
The term “game changer” is defined as, “a person, an idea or an event that completely changes the way a situation develops”.
We take a look at some of the key game-changers of the last decade which have led to shifts in how users and organisations approach information security. What follows is by no means an exhaustive list. There are simply too many events which have shaped the industry to cram into one article.
Wireless and hating it
The concept of WLANs sounded almost too good to be true when it was first introduced. Having multiple PCs connected and sharing resources and data without wires and cables connecting them was every network administrator’s dream come true.
Unfortunately, the dream soon started turning into a nightmare as it was realised that the initial wireless protocol 802.11b simply did not provide sufficient security and could be broken through with minimum effort. The infamous WEP protocol provided hardly any security.
Wireless protocols have significantly matured now with proper authentication controls and standards present, but security professionals will not soon forget the chaos these networks caused upon their connection to the corporate world.
Security: standardised and certified
Standards and certifications for information security have existed for decades, but they were not relevant to the public domain. The internet explosion made everyone realise that they needed dedicated information security professionals who could secure their networks and PCs.
Such a skill-set was in short supply.
They also realised early on that network engineers responsible for firewalls and routers did not possess the skills required for information security, and turned to professionals with certifications such as CISA or CISSP on their resumes.
Such individuals are common now, but a decade ago certified security professionals had companies literally knocking down their doors with offers.
Similarly, the need for tried-and-tested best practices led to the widespread adoption of security standards and frameworks like ISO 27001 and PCI-DSS. Instead of trying to come up with a framework for implementing information security from scratch, organisations relied on these proven best practices for securing their networks.
Nowadays no serious professional can go far without having some form of security certification or experience with standards on his or her CV, and they have gone a long way in giving credibility to the security profession.
Application security woes
The days when you could simply install a firewall and think that your network was properly secured vanished when attackers discovered just how many loopholes were present in web applications.
Attackers started having a field day when they found that instead of having to hack through a firewall, they could be let in like guests via the good old port 80 (HTTP traffic) which had to be open for web traffic.
This realisation coupled with the fact that most security professionals have insufficient coding skills for checking application security, resulted in a massive surge of application level hacks across the globe. At one point, web application vulnerabilities like SQL injection and Cross Site Scripting (XSS) accounted for nearly all the major vulnerabilities that were being discovered globally.
The promise of the Internet at your fingertips (literally) was finally realised when smartphones became commonly available.
Security professionals had barely managed to secure a company’s PCs and servers when suddenly employees were bringing devices in their pockets which were equivalent to mini-laptops – with a tremendous potential for data leakage.
Although companies managed to put polices in place disallowing personal smartphones and giving out corporate BlackBerries, the new trend of Bring Your Own Device (BYOD), in which managers and employees want to use their iPads or iPhones for doing office tasks, is posing a new problem.
New technologies like Near Field Communications (NFC), where your smartphone effectively becomes a credit card, are also opening up opportunities for cyber criminals to start virtual pick-pocketing.
Like it or not, smartphones have effectively destroyed the concept of the security perimeter or the castle mentality, which security professionals used to rely on.
The rise of social networks such as Facebook and Twitter in the last few years has proven to be yet another headache to manage. Security professionals had to deal with employees who felt obligated to reveal corporate strategies and secrets to their entire social circle.
The amount of data leakage and bad press that companies experienced via social networks was significant enough for everyone to start taking notice.
This was a security issue that revolved around managing peoples’ behaviours rather than technology, which is why most companies have become smart enough to put social networking policies in place that educate staff as to what is or is not advisable to share.
Nowadays a simple tweet or status update is enough to drive a company’s reputation to the ground.
Malware gets mean
The whole malware family, such as viruses, worms, root kits etcetera, has been a constant irritant to security professionals since the advent of worms like Blaster and Slammer.
However, the last couple of years have seen malware take on a far more sinister form, greatly changing how we look at information security.
The rise of weaponised malware like Stuxnet and espionage toolkits like Flame, have resulted in a full-on cyber-arms race between nation states and hacktivists, each trying to get their hands on this new cyber-weapon, and security professionals getting caught in the middle.
The recent attacks on Saudi Aramco and Ras Gas show that no company is safe from these attacks and malware is the preferred weapon of choice.
As mentioned earlier, this article can hardly do justice to the numerous events and technologies that have helped shape information security into the form we now see it today. One label that the information security industry can never be tagged with is that of being “boring”.
Who knows what game-changers are in store for us in just the last quarter of the year 2012?