How secure are your networks? Not very, if new data from Symantec is to be believed. The organisation released its April Internet Security Threats Report (ISTR) last week, and the news was not good.
One of the things that the report highlighted was the high profile of targeted attacks on enterprises.
Operation Aurora, discovered in January, involved attacks on well over 30 organisations from servers located in China. The attacks were highly sophisticated, and appeared to target companies' intellectual property. Google, which has been most public about the attacks that it suffered, was attacked via a zero-day vulnerability in the Internet Explorer browser (now patched) that enabled attackers to compromise machines. Reports in the New York Times suggest that the attackers stole the source code for Gaia, the search engine giant's single sign-on password system.
This isn't the first targeted attack campaign that we've seen. Last year, researchers at the Information Warfare Monitor, a collaboration between security research group SecDev and the University of Toronto, found a targeted botnet called GhostNet, which had been silently stealing information from organisations of particular political interest to the Chinese. This botnet, which consisted of around 12,000 machines, targeted computers including those of the Dalai Lama. Again, the servers controlling the network were largely hosted in the PRC.
Just a couple of weeks ago, working in collaboration with research organisation the Shadowserver Foundation, the same researchers uncovered yet another network, called Shadownet. Again, it targeted enterprises, rather than taking a scattergun approach and targeting computers indiscriminately, as many botnets do.
Things appear to be getting worse for Adobe in terms of security. The organisation, which has had to issue several out-of-band patches for its products in the past year, is having to cope with an increasing number of attacks against its Portable Document Reader. Most recently, security researcher Didier Stevens found a fundamental design flaw in the Portable Document Format, which attackers could use to manipulate any file into opening another file when launched, and in which a warning dialogue box could be altered, socially engineering the victim into accepting the file.
Attacks targeting companies using flaws such as this show no sign of stopping. What does it mean for IT professionals? It means that a course in ethical hacking (often called penetration testing) or network security could set you on the path to a new career. One of the most acclaimed certifications for pen testers in the UK comes from the Council of Registered Ethical Security Hackers (CREST). The chances are that in an increasingly paranoid industry, professionals certified in something like this will rarely be out of work.
Ethical hacking sounds like a bit of an oxymoron to me, simply because understanding in computing is not universal. Surely this is obvious.
A code maintenance engineer working with flight data, for example, is going to have different priorities to a doctor or someone who does chemical risk assessments. Are these types of computer users recognised or acknowledged by CREST? How about software engineers who have M.Sc.s and Ph.D.s in given subjects rather than those who have qualifications solely to do with computing?
Recognition is required; acknowledgement should be made essential.