Everyone sounded the alarms at the Gawker Media attack, which included a security breach of websites such as Gizmodo, Lifehacker, Kotaku, io9, and others. The numbers were impressive: 1.3 million user accounts exposed, 405 megabytes of source code lost, and perhaps more important to some, the identity of those leaving anonymous comments potentially revealed. For Gawker, there is a loss of trust that will be difficult to regain. Users are already clamoring for the ability to delete their accounts. And, on the technical side, all Gawker’s systems will need to painstakingly audited or rebuilt entirely from scratch to prevent the same thing from happening again. Happy Holidays indeed.
So, what is to be learned from this perfect storm of bluster and bravado? Many lessons, most of them demonstrating what not to do.
1. First and foremost, DO NOT poke the bear. By taunting the hacker community, especially the vigilante types, Gawker made itself a target unnecessarily. Never claim to be “unhackable.” The hackers outnumber you by several orders of magnitude, and they have more free time. Respect their capabilities. Not to mention the odds are always stacked against defenders. The attackers only have to find one little crack in wall to bring the castle crumbling down.
2. Learn the fundamentals of incident response. Don’t pretend everything is OK when it’s not. While deny, deny, deny, is sometimes an effective strategy in political scandals, it doesn’t fly in your relationship with users. Secondly, it only further motivates your adversaries in proving you wrong, very publicly. See lesson #1. As an organization, you need to control the message and do what’s in the best interest of your users. Assume the worst has occurred, stay in communication, and provide timely updates as facts are uncovered.
3. Make sure your organization is doing basic security blocking and tackling. Simple tasks like keeping up with patches, in this case for their Linux systems could have made the hack more difficult. Additionally, understand that defense-in-depth is only as good as each layer. While password encryption is smart, understand the limits and how those safeguards can be circumvented.
4. Have a knowledgeable security professional in place. An experienced security pro would or should have seen some of the early warning signs and acted to better understand the situation and minimize the damage. Security expertise can come in the form of a contractor or full-time employee, but someone needs to own it.
5. Hack yourself first or the bad guys will do it for you. Organizations must perform regular vulnerability assessments to know their security posture. As we’ve seen here, if you wait, someone else will do the testing for you and free of charge!
6. NEVER use the same passwords across online accounts. Seek out a local desktop password manager. By creating strong AND different passwords, you compartmentalize risk. So, if an attacker gets your Twitter password, your Google Apps are still safe.
Perhaps the most important lesson is that it will happen again, so everyone needs to be prepared.
Jeremiah Grossman is an expert in Web security and is founder and CTO of WhiteHat Security, a provider of website risk management solutions. Grossman is co-founder of the Web Application Security Consortium and was named one of InfoWorld’s Top 25 CTOs in 2007. He has authored dozens of articles and white papers and is credited with the discovery of many cutting-edge attack and defensive techniques. Grossman also co-authored the recently published book, Cross-Site Scripting Attacks.
