The security industry is broken, says researcher

The IT security industry is seriously broken, says a researcher from Kaspersky Lab. IT security professionals need to start really caring about their jobs, David Jacoby said during the opening session of the ISC Security Congress in Munich, ComputerWeekly reports.

The problem is quite serious, Jacoby says. “We need to focus on what we are trying to do. We need to stop talking about what all our security products are doing and talk about what they are not doing,” he adds. He also thinks that people in the industry should start to really care about information security and view it as more than just a job. Jacoby also says that businesses should change their way of thinking and stop underestimating the importance of information security in this day and age.

“We also need to stop talking about emerging and future threats, and instead first solve the problems that we have known about for 30 years and still not addressed,” he said. He added that while it is good that a lot of attention is going to securing the Internet of Things (IoT), little to no attention is paid to the current security risks in storage devices and routers.

Jacoby did a simple demo in which he used an emailed link to bypass the firewall of his home network and access his own home storage device. While doing that, he also injected JavaScript into the site and identified all devices connected to the network. “Once I had the IP address of the storage device, which is really a small server, I was able to get a connection because the software is continually looking for a connection request,” said Jacoby.

He also found 22 different ways to execute code on the storage device thanks to factory-installed Python software. “This is a big security concern because an attacker could hijack the device and hook it up to a botnet, and even a factory reset would not remove the botnet malware,” said Jacoby.

“We have to change this. We need to spend more time thinking and talking about how we can change the industry. We have to ensure the whole of the industry takes its responsibility seriously,” said Jacoby.

While most IT security specialists do take their jobs seriously, even a handful of people who don’t care could pose big risks for everyone. Proper qualification is also needed, which is why people who do care about their IT security careers get certified.