The VeriSign breach is an example of how no one is too secure or too big to be attacked. Security experts said targeted attacks on "high value" companies will continue.
Companies get breached. That's the lesson of 2011. Large or
small, no organization is immune to attacks.
The VeriSign breach was just another day of business as usual for the
Campaigns such as Operation Shady Rat, disclosed by McAfee,
and Nitro, disclosed by Symantec, showed how every major industry vertical has
been compromised by cyber-attackers, and a slew of data breaches last year
showed no one, regardless of whether they are government organizations or in
the private sector, is immune, said Anup Ghosh, founder of Invincea.
"So no one should be surprised that VeriSign was both
targeted and compromised," Ghosh said.
VeriSign disclosed quietly in its 10-Q filing last October
that the company had been repeatedly attacked in 2010, and that some data had
been successfully extracted. While VeriSign refused to discuss any details, it
appears the team that discovered the breach neglected to report it to senior
management September of last year.
Enterprises often focus on the network perimeter and follow
compliance requirements without really protecting the data, said Subhash
Tantry, CEO of FoxT. Assuming the network has already been breached, measures
such as fine-grained authorization, policy enforcement and contextual
authentication would ensure only the users who are supposed to have access to
the information can view the data, he said. Intruders who are lurking in the
network would be still locked out.
2011s prolific compromises should have taught the industry
a valuable lesson that vendors will continue to be attacked as part of more
targeted compromises," he said.
The attackers, regardless of whether they are nation-states,
cyber-criminals or hacktivists, have been innovating, while the information
security industry has not, Ghosh said. Instead of prevention, the industry has
focused on the "far more profitable" strategies of remediation and
forensics, trying to figure out what happened after the attack, he said.
While everyone tends to blame the victim, the reality is
that the industry as a whole should bear the brunt of the blame for not
focusing on defenses, Ghosh said.
While it's great VeriSign finally admitted the breach, the
real question is how many other organizations are keeping silent about their
own incidents, or aren't even aware they have been breached, said Melih Abdulhayoglu,
CEO and president of Comodo.
Recent reports have shown that attackers are tricking users
into clicking on links or opening attachments that come with spear-phishing
emails that have been carefully researched to target their interests at a 40 percent
to 60 percent click-through rate.
High-value targets that specialized in technologies that are
extensively used to authenticate and create trusted relationships online have
been compromised recently, such as RSA Security, Comodo and DigiNotar, said Jeff
Hudson, CEO of Venafi. These organizations are aware that they are targets and
take measures to protect themselves, he said. Not only does it mean breaches
cannot be stopped, organizations need to start thinking about not relying on
only one provider or technology. If one is compromised, they switch to using
the other as quickly as possible, Hudson said.
The "deeper question" is what we are doing to
become more resilient," said Tim Keanini, CTO of nCircle, said.
Companies need to make sure they have a policy that
explicitly mandates employees to report security breaches to managers. If a
breach occurs, the last thing an organization should have is an employee
"too afraid" of negative consequences that the incident is hidden,
VeriSign declined to discuss what was stolen or what was
targeted, so it's not clear whether the VeriSign attackers were after the ability to
forge certificates, much like what happened to DigiNotar and Comodo last year.
In contrast to VeriSign, when Comodo got attacked, the
"company foiled it within minutes" and "informed the public so
that they can take precautions," Abdulhayoglu said. Comodo's certificate
authority business was attacked early 2010 when someone stole log-in credentials
belonging to a reseller and tricked Comodo into issuing eight certificates to
major Web services including Google and Skype. The company took a beating from
users and in the press, but they tightened their processes and communicated
clearly about what had happened.
"It's always important to do the right thing!"
Abdulhayoglu said, adding that doing the right thing is a "luxury"
not many people can afford.