CIO

The week in security: CISOs rare, US election cooked, IoT burnt

CISOs are still few and far between in Australia, where new figures suggest many companies are channelling money into security consultants rather than hiring information-security executives. This presents potential problems for the cybersecurity environment of tomorrow, which was discussed at the Anticipate 2016 conference.

The government, however, isn’t afraid of making significant high-level appointments – with security stalwart Craig Davies appointed to head the government-backed Australian Cyber Security Growth Network (ACSGN).

There were concerns that incoming US president Donald Trump – who was sceptical of Russia’s alleged role in hacking the US election despite legislators’ push to investigate and suggestions that by Russia – will disrupt plans to improve consumer-facing cybersecurity protections that have been described as a small but important step forward. Knowledge is power in cybersecurity, after all.

IBM has been taking this approach literally, funnelling knowledge from what is now more than 40 companies into its Watson machine-learning platform to bolster cybersecurity response capabilities. It’s all in recognition of the increasing importance of security analytics.

Just as figures suggested security professionals are most worried about cloud and mobile risks, there were concerns that iOS app developers weren’t ready to play nicely with new Apple transport-security requirements.

Also not playing nice was a Turkish hacker who, reports suggested, has been gamifying the process of launching DDoS attacks against targets. This is hardly the sort of thing that attack-plagued businesses like compromised German industrial conglomerate ThyssenKrupp want to hear – but it’s only one of the challenges that cybersecurity presents to businesses, as participants in a panel at the Cyber in Business conference shared.

Vendors of behaviour-analytics tools were pushing into the enterprise market, addressing the growing recognition that the expanding cyber-risk landscape is pushing businesses to mount a more dynamic response. Amazon Web Services was doing its part, launching a free service to automate reporting on compliance with a range of security standards.

Former senator Stephen Conroy was warning that quantum computing is getting good enough that government decision-makers need to be ready for it to preserve their security. Not that you’d need a quantum computer to crack many of today’s devices: one analysis of Sony IP security cameras, for example, found backdoor accounts in 80 different camera models, and hacked home routers were used to launch attacks against Russia’s five largest banks.

Little wonder that a growing consensus is suggesting IoT botnets are here to stay. This makes them a key gateway for enterprise hackers – yet they’re far from the only widespread threat facing us these days: single pixels in malicious online ads were being used to distribute malware, according to one report.

On the secure-code beat was news that the coming major version of OpenVPN will be audited for security flaws. Google fixed 74 bugs in Android while rolling out a new version of the mobile operating system that fixed Dirty COW and GPS vulnerabilities. This came as Google dropped its ‘Android for Work’ name because plain Android is so secure. At the same time, a bug in Google Chrome was creating errors on Web sites using Symantec SSL certificates.