There's little doubting the appeal of pen testing. Ethical hackers enjoy a sort of mystique in the eyes of clients because they are almost always successful in their efforts to break into target systems.
Social engineering tests are relatively new to the scene but are gaining traction (p32). That's not surprising given the constant media attention to Advanced Persistent Threats and the recent string of data breaches, many of which begin by targeting gullible staff.
This comes with opportunities and opportunists, and to many clients, it can be hard to differentiate the crack tester from the charlatan.
Enter CREST (p29), an ambitious certification brought down under and across the Tasman by a handful of infosec industry folk. It aims to be the deciding factor that separates the industry's wheat from the chaff.
Sources say some in the government and industry hope to expand CREST to cover forensics, incident response and other areas beyond pen testing. This raises additional questions and is something everyone in the industry should consider.
If you want to know how to become a pen tester, check out our guide (p24). Some of Australia's best in the business offer tips about how to get into the trade and succeed.
And in another exclusive, we talk to Sony Entertainment Network's chief security officer Brett Wahlin (p36) who reveals how the company is taking its focus off state-sponsored actors to socially motivated hackers, such as Anonymous et al.
Wahlin, a former McAfee security boss, is using his Cold War experience and knowledge of counterintelligence to craft a comprehensive security strategy that seeks to understand the minds of staff, attackers, and even PlayStation gamers.
It looks to be another exciting year. Certainly, we will see more big breaches alongside constant noise of DDoS attacks from the anarchic hacktivist scene.
Already, we have learned that Verizon was popped in 2010 and amazingly failed to inform authorities. AllPhones was also hacked, and its staff and customer details exposed.
So will Australia finally get data breach notification legislation this year? Although the idea was first proposed by the Australian Law Reform Commission in 2008, I wouldn't hold my breath.
Despite the Government's lack of urgency, most say we need it now, though Australian infosec analyst James Turner raises some interesting caveats (p46): how can a business that relies on the security of vendor software be forced to admit breaches when a vendor giant like Verizon stays silent about its own?