An old boss told me once, "You play in the big leagues, and you will eventually fall like a big leaguer." The fact is many people have their computer security compromised daily, and this is also true for many corporations. But how are we supposed to react when the "big leaguers" in our industry fall victim too?
Over the last week some of the security industry's heavy hitters were victims of widely publicized security breaches. Dan Kaminsky, Matasano Security and Kevin Mitnick all had their websites breached. Some events were little more than defacements; in Dan's case some of his personal information was publicized. We, the BlackHat attendees, are the ones entrusted by individuals, large corporations and government entities to protect networks against precisely these types of attacks. What do high-profile breaches like these mean for our reputations and for our industry?
The truth is that data breaches are so common that most of us aren't even alarmed anymore. Privacyrights.org tracks the millions of private records that are compromised each year. The Conficker worm was said to have compromised millions of computers. We have become so used to reading about these stories and shrugging our mental shoulders that some people say our industry has become laissez-faire. We work towards compliance; we fight for budget and for reducing our risk metrics. But are we really living and breathing what we preach?
This is not to say that Kaminsky, Matasano or Mitnick aren't intelligent, creative thought leaders who honestly work hard each and every day. It does mean that even the best of us are vulnerable to the same threats as everyone else. It also means that every company, even the ones we work so diligently to protect, is susceptible to some sort of data breach. No one is beyond the law of statistics.
So what does it really mean when even the security gurus at Blackhat get breached? It means there is always room to improve, and it means that there is no such thing as complete security, no matter how much money you spend or how smart you are.
This sobering reality is a reminder to us all about the value of vigilance. It's also a reminder that every breach offers a lesson. Dan Kaminsky handled this very public data breach by congratulating his attackers and offering them two of his grandma's famous cookies.
Dan will definitely step up his security. Will you?

Comments (1)
It's just not worth it for most people to protect their websites with 100% perfection. I have a life. And defacement isn't that bad: I'd rather have my business's public website be defaced 100 times than have my credit card machine compromised even once.
Unfortunately, so much of our selling of ourselves as an industry is based on weird intangibles like trust. None of us can sell perfect security, and even our smartest folks write insecure software from time to time.
Posted by Dan Weber | August 4, 2009 9:19 AM