Doing it for the LULZ?

June 21, 2011 at 4:38 pm | Posted in Certification Paths, Cisco, CompTIA, Technical Tips | 2 Comments

Recently, Citibank announced that hackers stole personal information from about 200,000 credit card customers. Over the past year, a number of high profile companies have been attacked, including Sony being hacked for the sixth time. As cyberattacks are reportedly on the rise, the FBI, Commerce Department, and Attorney General are calling for increased cyber-security actions in the U.S.

This frenetic response may seem overwhelming to some outside observers, but to security experts in the IT industry who have long decried “lax security policies at high-profile organizations,” the situation comes as no surprise. The sheer frustration that many in the security community have felt for years seems to be finding its outlet at last.

Case in point: LulzSec – the now-infamous hacker group responsible for breaching Sony, Nintendo, PBS, Fox, and the FBI. They targeted Fox because they didn’t like them, PBS because of a FRONTLINE story, the FBI because of their attitude on hacking, and Nintendo and Sony just for fun. When a small security firm out of Nebraska posted a hacking contest for $10,000, LulzSec altered the home page and added this text:

DONE, THAT WAS EASY. KEEP YOUR MONEY WE DO IT FOR THE LULZ

LulzSec hacks Black & Berg Cybersecurity Consulting


LulzSec has nearly 100,000 Twitter followers. Why the popularity among security professionals? Because despite their hackish hijinks, some feel their efforts are raising much-needed awareness of the need for security improvements. Although new technology innovations require evolving security practices, the fundamentals still revolve around common sense. Despite this, most companies are not taking “security seriously.” Patrick Gray on Risky.biz describes the desperation this way (edited for our more sensitive blog audience):

So for the last ten years I’ve been working in media, trying to raise awareness of the idea that maybe, just maybe, using insecure computers to hold your secrets, conduct your commerce, and run your infrastructure is a [shoddy] idea.

No one who mattered listened. Executives think it’s FUD. They honestly think that if they keep paying their annual AV subscriptions they’ll be shielded by Mr. Norton’s magic cloak.

Rather than implement security mechanisms within the business, companies are increasingly ignoring the possible threats (“not my problem!”), following outdated and inappropriate security practices (“why change when we can stay the same?”), or trusting outside consultants to protect them (“let them worry about it!”). This leads them down an accountability chain that ends nowhere fast.

Many IT companies, including Microsoft, Cisco and even the often-maligned Facebook, provide documentation on security best practices. Certification vendors like CompTIA, (ISC)2 and Cisco actually offer specific security-related certifications (Security+, Linux+, Server+, CISSP and CCNA Security). So there is little excuse for companies to plead ignorance when their network is breached.

It stands to reason that many high-profile companies will be investing more in security now than ever before. Sounds like the ideal time to add some security skills to your resume.

UPDATE:

Although their havoc left a lasting impression in the security world, LulzSec has officially disbanded with the following sign-off:

While we are responsible for everything that The Lulz Boat is, we are not tied to this identity permanently. Behind this jolly visage of rainbows and top hats, we are people.

2 Comments

  1. “Certification vendors like CompTIA, (ISC)2 and Cisco actually offer specific security-related certifications (Security+, Linux+, Server+, CISSP and CCNA Security).”

    I used to work in the IT training industry for vendor-certified training. I don’t know if things have changed, but those didn’t address the mindset of PC users in general, or the IT guys in making their networks secure. In our organisation we explored some of the white hacking courses for the general user – and the Ethical hacking courses for the IT.

    • Actually, the mindset of PC users and IT guys is exactly what these exams address! You can download Transcender demos of these exams to see for yourself. Most other certification exams these days also feature best security practices.

      Having said that, I am a big proponent of ethical hacking courses. I have attended and taught a few myself. Unfortunately, the real decision-makers have little interest in either certification or ethical hacking until after an intrusion.
