Security Roundup: The top stories of 2011
Hacktivists on the rampage, Sony and RSA on the back foot, and the UK cyber security strategy all over the place
Cyber security continued to have a high profile in 2011, with the UK government rating cyber attack a top-tier threat to national security.
There were also several high-profile hacks of large enterprises, as well as the continuation of the ‘hacktivism' trend, with Lulzsec and Anonymous both garnering international publicity this year.
Here are Computing's top security stories of 2011.
RSA hacked
Secure token specialist RSA, a division of EMC, was hacked in March. The attackers sent a spear-phishing email entitled ‘2011 Recruitment Plan' to two small groups of employees. One employee opened it, along with the attached Excel spreadsheet, which contained an embedded Flash object; that object exploited a then-unpatched Adobe Flash Player vulnerability to install malware on the employee's machine, giving the attackers a foothold inside the RSA corporate network.
RSA later admitted that the attack, including the cost of replacing customers' SecurID tokens, cost it in the region of £40m.
The attack continued to have repercussions, and in May, RSA customer and defence contractor Lockheed Martin admitted that its network had also been attacked, though it would not say whether anything had been stolen.
Analysts speculated that the RSA attack may have been a stepping stone, designed to obtain SecurID data that could then be used to target valuable defence information held by customers such as Lockheed.
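The RSA intrusion hinged on an Office attachment carrying a Flash object, so one useful mail-gateway check is simply to look for a Flash (SWF) header inside an attachment that has no business containing one. The scanner below is an added example written for this article; it is not code from RSA or from the original report, and the attachment bytes it scans are constructed inline to imitate a binary .xls file with an embedded compressed SWF.

```python
import struct
import zlib

# SWF files start with one of three signatures (uncompressed, zlib, LZMA),
# then a one-byte version and a four-byte little-endian *uncompressed* length.
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")


def find_embedded_swf(data: bytes):
    """Return sorted (offset, signature, version, declared_length) tuples for
    every plausible SWF header found in the raw bytes of an attachment."""
    hits = []
    for sig in SWF_SIGNATURES:
        start = 0
        while True:
            off = data.find(sig, start)
            if off < 0 or off + 8 > len(data):
                break
            version = data[off + 3]
            declared_len = struct.unpack_from("<I", data, off + 4)[0]
            # Plausibility checks cut false positives on accidental "CWS" byte
            # runs: Flash versions were small integers, and the length field
            # must at least cover the 8-byte header. For an uncompressed FWS
            # file the declared length cannot exceed the bytes actually present.
            if 1 <= version <= 40 and declared_len >= 8:
                if sig != b"FWS" or declared_len <= len(data) - off:
                    hits.append((off, sig.decode(), version, declared_len))
            start = off + 1
    return sorted(hits)


def triage(data: bytes) -> str:
    """Verdict string for a mail-filter rule: spreadsheets and documents should
    never carry Flash, so any hit is treated as suspicious."""
    hits = find_embedded_swf(data)
    if not hits:
        return "clean"
    offsets = ", ".join(hex(off) for off, _, _, _ in hits)
    return f"suspicious: {len(hits)} embedded SWF header(s) at {offsets}"


# Constructed sample attachments (not real malware): an OLE2 compound file
# magic, as found at the start of every binary .xls, followed by filler and,
# in the first case, an embedded Flash 10 object with a zlib-compressed body.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
SAMPLE_XLS_WITH_FLASH = (
    OLE_MAGIC
    + b"\x00" * 120
    + b"CWS" + bytes([10]) + struct.pack("<I", 0x1234)
    + zlib.compress(b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x18\x01\x00" + b"\x00" * 40)
    + b"\x00" * 64
)
SAMPLE_XLS_CLEAN = OLE_MAGIC + b"\x00" * 200
# "CWS" appearing as ordinary text is followed by a NUL version byte and fails the check.
SAMPLE_TEXT_FALSE_POSITIVE = b"Quarterly figures from NEWS and CWS\x00\x00\x00\x00\x00\x00"

if __name__ == "__main__":
    for name, blob in (("recruitment_plan.xls", SAMPLE_XLS_WITH_FLASH),
                       ("clean.xls", SAMPLE_XLS_CLEAN),
                       ("notes.txt", SAMPLE_TEXT_FALSE_POSITIVE)):
        print(f"{name}: {triage(blob)}")
```

Two caveats for anyone turning this into a gateway rule: the newer .xlsx/.docx formats are zip containers, so the attachment must be unpacked before scanning or the SWF bytes will be deflated out of sight; and in a fragmented OLE stream the 8-byte header can straddle a 512-byte sector boundary, so a production scanner should walk the OLE streams with a proper parser rather than the raw file.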
When Computing caught up with newly appointed RSA CSO Eddie Schwartz in September, he was keen to emphasise the importance of end-user training to security.
Given that one of the company's employees cost it £40m by clicking on an attachment, this seems to be a wise policy.
Sony hacked
In April, just a month after the RSA hack, corporate giant Sony was attacked. Sony linked the intrusion to hacktivist group Anonymous, which had been running denial-of-service attacks against it, though the group denied responsibility for the data theft. The company responded by shutting down the PlayStation Network (PSN), but demonstrated weaknesses in the way it dealt with the attack.
The firm took a week to tell its customers that it had lost over 100 million of their records, including names, addresses, dates of birth and login details, and possibly credit card information.
The PSN was offline for three weeks before being reinstated, then pulled almost immediately as it struggled to cope with thousands of customers wanting to log on and change their passwords.
There was more to-ing and fro-ing to come though, and the PSN was made available again, then pulled, once it became apparent that the password change process was itself vulnerable: the reset page accepted an account's email address and date of birth as proof of identity, both of which were in the stolen data, so anyone holding the breached records could take over accounts.
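The reset flaw is a general one: a reset that authenticates on facts an attacker already holds is no authentication at all. The code below is an added example written for this article, not Sony's code or any reconstruction of it; it puts a constructed knowledge-based reset beside a token-based one that proves possession of the mailbox, stores only a hash of the token, expires it, and makes it single use. The account store and the in-memory "outbox" standing in for the mail sender are assumptions of the example.

```python
import hashlib
import secrets
import time

# Constructed sample account store. The breached records already contained
# e-mail addresses and dates of birth, so a reset keyed on those fields
# authenticates whoever holds the stolen data.
ACCOUNTS = {
    "alice@example.com": {"dob": "1985-04-12", "password": "hunter2"},
}


def weak_reset(email: str, dob: str, new_password: str) -> bool:
    """Knowledge-based reset: succeeds for anyone who knows the date of birth."""
    acct = ACCOUNTS.get(email)
    if acct is None or acct["dob"] != dob:
        return False
    acct["password"] = new_password
    return True


class TokenReset:
    """Reset that requires a random, short-lived, single-use token delivered
    out of band. Only a hash of the token is stored, so a second database
    leak does not hand out live reset tokens."""

    TOKEN_TTL = 15 * 60  # seconds a reset link stays valid

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}   # sha256(token) -> (email, expiry)
        self.outbox = []     # stand-in for the mail sender: (email, token)

    def request(self, email: str) -> str:
        # Identical reply whether or not the address is registered, so the
        # endpoint cannot be used to enumerate customer e-mail addresses.
        if email in ACCOUNTS:
            token = secrets.token_urlsafe(32)
            digest = hashlib.sha256(token.encode()).hexdigest()
            self._pending[digest] = (email, self._now() + self.TOKEN_TTL)
            self.outbox.append((email, token))
        return "If that address is registered, a reset link has been sent."

    def complete(self, token: str, new_password: str) -> bool:
        digest = hashlib.sha256(token.encode()).hexdigest()
        # pop() makes the token single use whether or not it turns out valid.
        entry = self._pending.pop(digest, None)
        if entry is None:
            return False
        email, expiry = entry
        if self._now() > expiry:
            return False
        ACCOUNTS[email]["password"] = new_password
        return True


if __name__ == "__main__":
    # Attacker with breached data wins against the weak flow...
    print("weak reset with leaked DOB:", weak_reset("alice@example.com", "1985-04-12", "pwned"))
    # ...but not against the token flow, where the token never reaches them.
    reset = TokenReset()
    print(reset.request("alice@example.com"))
    print("guessing a token:", reset.complete("not-the-real-token", "pwned"))
    _, real_token = reset.outbox[0]
    print("legitimate user with mailbox access:", reset.complete(real_token, "fresh"))
    print("replaying the same token:", reset.complete(real_token, "again"))
```

The lookup is keyed on the token's hash rather than comparing stored plaintext tokens, which both protects against a repeat database leak and sidesteps timing concerns on the comparison; the injectable clock exists so the expiry path can be exercised without waiting fifteen minutes.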
Sony eventually appointed a chief information security officer (CISO), in an attempt to show it was addressing its security issues.
The firm admitted in May that the attack would cost it about £109m, almost three times as much as the RSA hack.
Lulzsec and Anonymous
Anonymous splinter faction and cyber pranksters Lulzsec gained applause and condemnation in equal measure in 2011 for its mission to hack and disrupt organisations purely ‘for the lulz [laughs]'.
The group claimed responsibility for some of the attacks on Sony, and for launching distributed denial of service (DDoS) attacks on web sites belonging to both the CIA and SOCA (Serious Organised Crime Agency) in June.
It announced the cessation of its operations later the same month, claiming that it had only ever intended to run for 50 days.
Perhaps not coincidentally, the decision to disband was made as law enforcement operatives closed in.
Several arrests of alleged Lulzsec members have been announced by the Metropolitan Police since, including that of a hacker who goes by the name ‘Topiary', believed to be the group's main spokesman.
UK cyber security strategy
In October 2010 the government pledged to spend £650m to bolster the UK's cyber defence capabilities. The money will be released over four years.
Just last month the government gave more detail on how those funds would be used.
It released its cyber security strategy in November, and said that it would create a cyber security ‘hub', that would see information shared between public and private sector bodies on existing cyber threats and the best methods of defence.
The government also said it would find commercial uses for some of GCHQ's technology, which has traditionally been kept well out of sight.
However, the strategy did not provide a definitive explanation regarding how the UK's various public sector bodies involved in cyber security would be organised going forward.
In September, an annual report from the Intelligence and Security Committee (ISC) said the government had shown "confusion and duplication of effort" in its approach to cyber security. It quoted former security minister Baroness Neville-Jones as saying the structure of the UK's cyber security defences "was not ideal".
Police Central e-Crime Unit chief Charlie McMurdie also criticised the UK's structure, describing it as sub-optimal, and the result of organic, unplanned growth.
Ross Anderson, professor of security engineering at the University of Cambridge, went further.
"[The UK's cyber security strategy is] fragmented, messy, inefficient and hopelessly under resourced," he said at the time.