Some hackers play, others break and most steal

As someone who spends a lot of time on social media and tries to stay up to date with all the security issues IT professionals encounter, I come across a lot of conversations on cyber security. It is also my job, drawing on IT Governance's internal expertise, to help answer relevant questions. Worryingly, a few of them are complaints about security breaches that have been suffered. But what actually prompted me to write this blog post are a couple of very similar conversations I've come across recently, which I felt it was my duty to make you aware of.

In a Facebook group, someone announced that he had discovered that a popular website was vulnerable to Cross Site Scripting (XSS). The members of the group then went on to 'play' with the website: the website's appearance was slightly changed, custom pop-ups were displayed and, in one instance, a member of the group was controlling another member's computer via the website.


Eventually one of the members claimed to have emailed the website owners about the vulnerability, but considering the large size of the organisation, that email might take a while to be spotted. So it was only fun and games for this group of hackers, but what if knowledge of this vulnerability was passed on to someone who wanted to use their hacking skills for something other than fun?

If a hacker gains access to your website, they could possibly gain access to private data such as customer information, bank details and much more. The average cost of the worst security breach for small organisations last year was £35,000 to £65,000 and for large organisations was between £450,000 and £850,000. The vast majority of these were through cyber-attack by an unauthorised outsider. Can your organisation afford these risks?

Unless you have nothing of value to lose, you must do something to safeguard your organisation from these risks. Penetration testing is the most effective way to demonstrate that exploitable vulnerabilities in your Internet-facing resources are adequately patched, and that you have appropriate technical security controls in place to help protect against cyber-intrusions. Hackers don't wait, so neither should you!
