Stories by J.F. Rice

Security Manager's Journal: Breaches are everywhere

Follow me, if you will, on a journey back in time to just one year ago. As 2013 turned into 2014, the information security industry was buzzing about the latest spate of breaches. Target had ushered in a new era of retail security breaches, with 40 million card numbers lost to the hackers. Little did we know at the time that this was just the beginning, and small potatoes in comparison to what was to come. One year ago, Neiman Marcus and Michaels had joined Target, and <a href="http://www.computerworld.com/article/2487265/security0/security-manager-s-journal--cyberattacks-just-got-personal.html">I wrote in response to the growing number of breach disclosures</a> that "in fact, I have to wonder which retailers have <em>not</em> suffered breaches. The word on the street is that at least a half-dozen other retailers were compromised in the past few months, without publicity." Sadly, this turned out to be true. I hate being right all the time.

Sony and Chase: Don't blame the CISO

Over the last couple of weeks, I have read numerous news stories about the widely publicized security breaches at <a href="http://www.computerworld.com/article/2860745/it-security-in-2015-were-now-at-war.html">Sony</a> and <a href="http://www.computerworld.com/article/2691246/jpmorgan-chase-says-breach-affected-83m-customers.html">JPMorgan Chase</a>. It seems as if everybody is a Monday-morning quarterback, with every other reporter voicing an opinion on how these breaches should have been prevented. In particular, I read two articles that specifically blamed the information security organizations at those companies for failing to properly stop the attackers. That's not fair.

Making a hash of passwords

Last week, I went to a project meeting so I could provide security insights as some consulting software developers updated us on the customer-facing application they're building for us. But I was dumbfounded when they asked me, "How should we encrypt the passwords?" Will developers never learn? 

Election Day was just another chance to worry about security

At the moment I'm a bit of a security grouch. I keep seeing product after product that has significant vulnerabilities. And this isn't just happening with the things I deal with at work. Even Election Day had me grousing about the state of our software security.

Are breaches inevitable?

Is there a reason that data breaches have been happening at a rapid clip lately? And is there more that we, as <a href="http://www.computerworld.com/article/2487265/security0/security-manager-s-journal--cyberattacks-just-got-personal.html">security managers, should be doing to make sure that our own companies don't join the ranks of the breached</a>?
