Computing looks back at the most important cyber security stories of the past six months
8 - Outsourcing a 'major component' of two-thirds of IT security lapses
Outsourcing was identified as a key attack vector in almost two-thirds of security investigations carried out by security services company Trustwave, again in February.
The claim was carried in the company's 2013 Global Security Report, which draws on the incident-response investigations that it has carried out on clients' behalf, as well as the results of thousands of penetration tests and millions of website and web application attacks.
"In 63 per cent of incident response investigations, a major component of IT support was outsourced to a third party... Many third-party vendors leave the door open for attack, as they don't necessarily keep client security interests top of mind," stated the report
In some cases, organisations that have outsourced a portion of their IT functions are unaware of the demarcation between themselves and their outsourced partner, leaving gaping holes that no one takes responsibility for. This also accounts for a large proportion of the attacks in the retail sector, added the report, because many small retail chains outsource some or all of their IT functions.
7 - European Union security directive slammed by Ross Anderson
Earlier this year computer security guru Professor Ross Anderson criticised the European Union's proposed computer security directive which, he says, represents "yet another unfortunate step towards the militarisation of cyberspace".
The directive forms the centrepiece for the EU's new cyber security strategy, which was launched in February.
In an analysis, Anderson wrote that "it will oblige member states to set up single 'competent authorities' for technical expertise, international liaison, security breach reporting and CERT [computer emergency response team] functions. In the UK, these functions are distributed across GCHQ, MI5/CPNI, the new National Crime Agency, the Information Commissioner's Office and various private-sector bodies".
As a result, it will no doubt put the security services in de facto charge of the internet, while also damaging co-operation between government agencies and the private sector, which runs most of the internet infrastructure in the UK and across Europe.
"Centralisation will not just damage the separation of powers essential in any democracy, but will also harm operational effectiveness. Most of our critical infrastructure is in the hands of foreign companies, from O2 through EDF to Google; moving cyber security co-operation from the current loose association of private-public partnerships to a centralised, classified system will make it harder for most of them to play," he added.
6 - Arms dealers turn to cyber security
Arms vendors are moving into the cyber security sector in response to a decline in sales of their traditional weapons, according to the Stockholm International Peace Research Institute
It is the first time that annual arms sales have fallen since 1994. According to the Institute, the 100 largest arms-makers' revenues fell by five per cent in 2011 and, in response, many are moving into cyber security as this is an area of security spending that has not yet come under pressure from government austerity measures.
"Companies such as Raytheon, BAE Systems and EADS Cassidian are seeking alternative revenue channels from the civilian sector while maintaining ties to military spending in this market. These companies' cyber security activities are focused on data and network protection software and services; testing and simulation services; training and consulting services; and operational support," claimed the Institute.
Furthermore, these cyber security services are also in demand worldwide among governments of all types, with demand stimulated by recently uncovered threats. The Stuxnet and Flame attacks against Iranian nuclear facilities, especially, demonstrated how national infrastructure can be targeted by determined attackers even when the supporting computing infrastructure is not internet-connected.
[Turn to next page for the Top Five]