Published: 27 Feb 2012
If 2011 proved anything, it was that security vendors are clearly in the crosshairs of hackers and cybercriminals: Security giant RSA, HBGary Federal, digital certificate authorities Comodo and DigiNotar all fell victim. Then not even a week into 2012, news broke that attackers compromised another industry giant, Symantec. Then only a month later, news hit of another breach, this time VeriSign. So the trend continues.
These breaches hit the industry hard. They’re not just about some exposed credit card numbers or email addresses, but in some cases, threaten the core technology organizations rely on. In the case of RSA and theft of SecurID-related IP, the impact was far reaching for its customers and the industry as a whole [see p. XX for our in-depth analysis]. The CA compromises eroded trust in the CA system overall.
Fallout from the Symantec breach continued to unfold in early February, after a hacker released the source code for the company’s pcAnywhere software. In January, the company took the drastic step of telling customers to disable the software temporarily until it could issue patches. All this drama comes after a breach that occurred way back in 2006. Altogether, the case has been a strange one, with Symantec initially downplaying the threat to current products from the breach and reports of email negotiations over a payout to the hacker, which both Symantec and the hacker later reportedly said were only a ruse.
The VeriSign breach, which occurred in 2010, came to light in a U.S. Securities and Exchange Commission filing by the company in October. While attackers stole some information from corporate systems, VeriSign said attackers did not breach the servers that support its Domain Name System (DNS) network. Still, it’s scary stuff. Imagine the mayhem if the attackers had managed to access those servers and been able to redirect Web surfers to malicious sites.
I suppose the irony of security companies being breached might be entertaining to some. After all, aren’t these the same guys who keep warning everyone about the dangers of not implementing security? Don’t they practice what they preach? But for organizations that rely on the technologies these companies produce, there’s nothing to snicker about. These breaches are indicative of the sophistication of determined, often state-sponsored attackers. The attacks shatter our confidence and send companies large and small scrambling to mitigate downstream risks.
In the wake of the VeriSign report, Anup K. Ghosh, a noted security expert and founder and chief scientist at Web browser security company Invincea, told SearchSecurity.com that the VeriSign intrusion was a sign of the industry failing to build systems and technologies that can prevent breaches. “There are nation state adversaries like China and Eastern Europe going after corporate data, hacktivists and cybercriminals attacking to make money; corporations are under threat from all three of these factors and our security systems are currently failing,” he said.
Indeed, it’s frustrating that after so many years, security doesn’t seem to be getting much better. But isn’t security about more than technology? Aren’t we always reminded that it’s about people and process too?
Chris Ipsen, CISO for the state of Nevada, says the RSA breach highlighted the danger of relying too much on any one technology and the need for defense in depth that doesn’t exclude the human element. “You’re discounting the human when you say, ‘I have technology to secure me,’” he says. “That’s a failed approach.” The attack, Ipsen says, increased industry awareness of the vulnerabilities in the technologies organizations rely on and underscored the need to constantly hone security practices.
For many, the attack on RSA showed no company is invincible. After the attacks on RSA, Symantec and VeriSign, we should take a step back and take a hard look internally at our security processes and, above all, remain hyper-vigilant in an environment where the threats are sophisticated, determined and unrelenting.
Marcia Savage is editor of Information Security. Send comments on this column to firstname.lastname@example.org.