Right on cue this week, the anarchic hacking collective Anonymous stepped up and grabbed the story line away from the lions of the IT security industry.
With the annual RSA Conference set to begin, the whistle blowing site Wikileaks released the first of some five million e-mail messages stolen from the security intelligence firm Stratfor. Ever sensitive to the fickle attention of the media, Anonymous inserted itself into the story, claiming responsibility for leaking the data and pointing a finger of blame at Stratfor and its media, private and public sector customers, which Anonymous accuses of spying and other dark offenses.
Coming just a year after a similar hack at HBGary Federal, the leak of the Stratfor e-mails was an unwelcome reminder for the folks here at RSA that, despite some high profile arrests, little real progress has been made in fighting back against Anonymous and other hacktivists groups, or stemming their activities.
In a defiant e-mail statement on Monday, Stratfor CEO and co-founder George Friedman wrote that Anonymous was forging e-mails to besmirch his firm and that Stratfor was “recovering” from the hack – more than two weeks after relaunching its Web site.
Security experts at the show interviewed by Threatpost said that the hack at Stratfor was hardly surprising. Though the exact nature of the hack still isn’t known, suggests that the Austin, Texas firm fell victim to loosely constructed or configured Web applications, weak data protection and poor password management – missteps that have tripped up too many companies to count in the last two years. And for each Stratfor, the ripples spread out to affect thousands or tens of thousands of other individuals and organizations, which need to worry about whether passwords and e-mail addresses leaked from Stratfor might provide access to IT assets and accounts on their own network.
In his letter to Stratfor subscribers on Monday, Friedman acknowledged that the hack had caused serious difficulties for his firm’s customers and employees.
More concerning are the plethora of APT (“advanced persistent threats”) anecdotes that security professionals share among their peers. There’s the executive who got fooled by an e-mail that seemed to come from a member of his own support staff, or the phishing attack that came by way of a hacked account on a business partner’s network.
Speaking to a group of Conference attendees at the RSA’s Innovation Sandbox event, George Kurtz, President and CEO of the firm Cloudstrike said that slow moving, stealthy “advanced” attacks had become the rule, rather than the exception among the nation’s top firms.
“If you’re a Fortune 1000 firm, you’ve been owned,” Kurtz said. “You just don’t know it yet.”
What’s surprising is that the hand wringing comes at a time of renewed vigor in the IT security space, as increased regulatory pressure, heightened sensitivity to hacks and data breaches and the advent of smart phones, tablet computers, Web based applications and cloud infrastructures have thrown open the doors to potentially lucrative new markets. Data from Juniper Research estimates the combined markets for mobile and Web security will be $7 billion by 2016, while smartphone adoption is up by close to 60% in the last year.
That’s good news for both established and start-up security vendors, but those vendors also face an increasingly skeptical customer base, well aware of the gaps that traditional protections leave after they’re installed.
“I still hear corporate guys talking about their CheckPoint firewall,” said Matt Huang, COO of the Web application security testing firm Armorize at a pre-Conference event hosted by America’s Growth Capital. “If you do what we do, you realizes that’s a joke. We can just get in on (Web) port 80 every time. Combine that with a SQL injection vulnerability or two, and you have access.”
And, despite the rosy growth predictions, Sessions at RSA will attempt to tackle many of these problems. There will be sessions assessing the effects of trends like the consumer-led adoption of Web based services, social networking and mobile devices like tablets and smart phones. The trend towards more diversification in platforms within the enterprise, fueled by so-called “BYOD” (or “Bring Your Own Device”) policies within enterprises is getting attention IT security pros worried about the implications of such policies, as will vulnerabilities and risk incurred by shoddy or weak security protections within supply chain- and other security partners.
In the end, said Kurtz, the industry’s biggest failure may be in its ability to “tell a story” to decision makers – be they executives within an organization or elected officials about the nature of sophisticated attacks, hacktivism and other threats.
“If you take a look at the Night Dragon attacks,” he said, you could go to your boss and say “we have a data stealing trojan on our network, or you could say – if you’re an energy company- “We’ve got foreign competitors going after our Big Data. Right now, we’re just doing a crappy job of telling that story.”
