​The week in security: CISOs missing breaches; will developers ever learn security?

As Joomla websites were being attacked en masse using recently patched exploits and owners of Belkin WeMo devices were advised to update before their devices were exploited in global zombie botnets, some were wondering whether developers will ever get better at writing secure code.

We are already in the era of Cybersecurity 2.0, Australia’s peak cybersecurity cop told CSO Australia. Efforts to more broadly educate developers on the requirements of ISO 27000 – whose creator spoke with CSO Australia about its progress as the most widely adopted security standards – may be meeting varied success but some worry that breach fatigue is taking its toll, with a flood of threat intelligence proving overwhelming for many firms.

One privacy advocate believes better privacy will be won as a side effect of maturing information security. That maturation is also being reflected in the considerable sums being poured into cybersecurity – including, most recently, a £1.9b ($A3b) investment by the UK government and a $10m investment by Optus Business in a Sydney-based security operations centre that reflects the growing use of partnerships to bolster security capabilities and the importance of a collaborative defence in effective security.

Artificial intelligence will be another key part of the industry’s maturation, with IBM deploying machine learning to bolster its online banking security program. Also important to evolving perceptions of security will be better developer understanding of the risks of non-conventional attack processes – raging from point-of-sale attacks to unencrypted pagers. And, for their part, researchers managed to build an undetectable rootkit for programmable logic controllers.

The annual AISA awards included a diversity category for the first time, while mobile security was under the spotlight as some wondered what would happen to the personal data on the millions of recalled Samsung Note 7s, and the head of BlackBerry’s security strategy told CSO Australia that success in the mobile security space would require firms to look far beyond mobile device management to offer more relevant, secure capabilities.

Education provider Federation Training explained how a business consolidation led to a security overhaul that helped it appreciate the size of its exposure to cybersecurity issues. And Gartner was advising businesses not to give up on DNS service providers despite the recent crippling Dyn DDoS attack. Indeed, your business is probably not much better, according to Accenture research that suggested information-security executives were missing three targeted attacks each month. The problem is so bad in Liberia, some reports noted, that the DDoS attack from Mirai malware is proving financially devastating for businesses in Liberia.

Google was cleaning its security house, first untrusting digital certificates from WoSign and StartCom and then releasing information on a Windows 10 zero-day after warning Microsoft that it would release the flaw after a certain time period expired. Microsoft called Google ‘irresponsible’ for the disclosure.

This, as attackers were probing customers on Google Cloud, AWS, and Microsoft Azure environments for weaknesses. Researchers warned that mobile subscriber identity numbers can be exposed over WiFi, while others noted that proactive attention to network deception – including spying on attackers probing hosts intentionally placed in harm’s way – had proven to be extremely effective in blocking ‘capture the flag’ style attacks by more than 50 security researchers.

Police around the world were cracking down on darknet marketplaces, while Cisco was moving to reduce the time that security compromises go unnoticed on endpoints. White-hat hackers may have a role to play here – if current laws can be updated to protect their activities and interests.

Tags botnetsoptusmicrosoft azuresecure codeGoogle cloud securityAWSGoogle Cloudthreat intelligenceBelkin WeMounencrypted metadatawosignCybersecurity 2.0

Show Comments