Computerworld

No CSO? Hire one now, advises security expert

Data-rich corporations with weak IT security departments are just asking for trouble, says M86
M86 Security vice-president, Jeremy Hulse

Enterprises without a chief security officer or a beefed-up security department will be left wide open as hackers use new exploits to strike, warns a security industry expert.

M86 Security vice-president, Jeremy Hulse, told CSO Australia that gaming companies such as Sega, from which hackers stole the personal data of 1.29 million customers over the weekend, had been hit because of new exploits and malware on legitimate websites that security staff may not be aware of.

"Upwards of 80 to 90 per cent of good websites can host malware and that can be from a period of 20 minutes to 24 hours, but they [hackers] generally don't leave it up for a long period of time," Hulse said.

"All it takes is for someone from Sega or another company to access the website and download the exploit to their internal network."

"For Sony not to have a chief security officer [before the attacks occurred] is quite a startling revelation," Hulse said. He added that M86 had recently come across a large amount of malware that was not caught by signature databases. "From our own studies with customers, the traditional signature-based security is not working and they have some exploit that may not have been discovered [by security staff] yet."

This meant the chief security officer had to be prepared to deal with unknown threats and invest in new security technologies. "People think they're safe but the hackers are saying, 'No, you're not safe' and they are proving it," said Hulse. "Every time someone in security closes a door the hackers are going to be looking for another."

He added that Cloud service providers also needed to "step up" and inform customers what security measures they could offer before data was hosted in a public or private Cloud.

"The message to Cloud providers is that there needs to be an extra level of diligence. You can't apply traditional security to Cloud services, it's a different game."

He advised enterprises considering hosting data in the Cloud to quiz their provider about data encryption and find out if the data would be hosted onshore or offshore.

Got a security tip-off? Contact Hamish Barwick at hamish_barwick at idg.com.au