VeriSign Breach Not A Surprise, Attackers Target Everyone

The VeriSign breach is an example of how no one is too secure or too big to be attacked. Security experts said targeted attacks on "high value" companies will continue.

Companies get breached. That's the lesson of 2011. Large or small, no organization is immune to attacks. The VeriSign breach was just another day of business as usual for the bad guys.

Campaigns such as Operation Shady Rat, disclosed by McAfee, and Nitro, disclosed by Symantec, showed how every major industry vertical has been compromised by cyber-attackers, and a slew of data breaches last year showed no one, regardless of whether they are government organizations or in the private sector, is immune, said Anup Ghosh, founder of Invincea.

"So no one should be surprised that VeriSign was both targeted and compromised," Ghosh said.

VeriSign disclosed quietly in its 10-Q filing last October that the company had been repeatedly attacked in 2010, and that some data had been successfully extracted. While VeriSign refused to discuss any details, it appears the team that discovered the breach neglected to report it to senior management September of last year.

Enterprises often focus on the network perimeter and follow compliance requirements without really protecting the data, said Subhash Tantry, CEO of FoxT. Assuming the network has already been breached, measures such as fine-grained authorization, policy enforcement and contextual authentication would ensure only the users who are supposed to have access to the information can view the data, he said. Intruders who are lurking in the network would be still locked out.

€œ2011€™s prolific compromises should have taught the industry a valuable lesson that vendors will continue to be attacked as part of more targeted compromises," he said.

The attackers, regardless of whether they are nation-states, cyber-criminals or hacktivists, have been innovating, while the information security industry has not, Ghosh said. Instead of prevention, the industry has focused on the "far more profitable" strategies of remediation and forensics, trying to figure out what happened after the attack, he said.

While everyone tends to blame the victim, the reality is that the industry as a whole should bear the brunt of the blame for not focusing on defenses, Ghosh said.

While it's great VeriSign finally admitted the breach, the real question is how many other organizations are keeping silent about their own incidents, or aren't even aware they have been breached, said Melih Abdulhayoglu, CEO and president of Comodo.

Recent reports have shown that attackers are tricking users into clicking on links or opening attachments that come with spear-phishing emails that have been carefully researched to target their interests at a 40 percent to 60 percent click-through rate.

High-value targets that specialized in technologies that are extensively used to authenticate and create trusted relationships online have been compromised recently, such as RSA Security, Comodo and DigiNotar, said Jeff Hudson, CEO of Venafi. These organizations are aware that they are targets and take measures to protect themselves, he said. Not only does it mean breaches cannot be stopped, organizations need to start thinking about not relying on only one provider or technology. If one is compromised, they switch to using the other as quickly as possible, Hudson said.

The "deeper question" is what we are doing to become more resilient," said Tim Keanini, CTO of nCircle, said.

Companies need to make sure they have a policy that explicitly mandates employees to report security breaches to managers. If a breach occurs, the last thing an organization should have is an employee "too afraid" of negative consequences that the incident is hidden, said Keanini.

VeriSign declined to discuss what was stolen or what was targeted, so it's not clear whether the VeriSign attackers were after the ability to forge certificates, much like what happened to DigiNotar and Comodo last year.

In contrast to VeriSign, when Comodo got attacked, the "company foiled it within minutes" and "informed the public so that they can take precautions," Abdulhayoglu said. Comodo's certificate authority business was attacked early 2010 when someone stole log-in credentials belonging to a reseller and tricked Comodo into issuing eight certificates to major Web services including Google and Skype. The company took a beating from users and in the press, but they tightened their processes and communicated clearly about what had happened.

"It's always important to do the right thing!" Abdulhayoglu said, adding that doing the right thing is a "luxury" not many people can afford.