Yesterday, I had a choice of either dealing with my bug problem or writing about the growing trend of security firms hacking each other. I dealt with the more pressing bug problem. But then I read this morning a Reuter’s story about a FireEye researcher having his accounts hacked. Yesterday, there was a story put out by ETech called “The Silent War: When Cyber Security Companies Get Hacked” about security professionals hacking each other. And in that story, they list a number of security companies that, themselves, have been hacked. The list is impressive:
- Cellebrite, in June
- The NSA, in August 2016
- Lastpass in June 2016
- BitDefender in July 2015
- Kaspersky and the Hacking Team in June 2015
- and then the infamous RSA hack back in 2011
BTW, I know expect to be hacked myself. Luckily, I’m just a Security Architect that writes a blog on a WordPress site, so not much here to take (So, go away, Mr. Hacker, Sir. I’ve done my backups!)
So here’s my question – shouldn’t Security Professionals know better? I mean, we preach to others all the time about hardening, using complex passwords that are unique on each system, knowing what the Applications are that you are putting on your systems, etc. But then you read these things and you have to wonder.
The “Silent War” story actually talks about Security Firms hacking each other and then letting their customers know that the Security firm was hacked in the first place. It then becomes a question about what the most valuable asset was of the Security firm.
Was it the customer data that was taken, or was it the Security Firm’s professional reputation?
See, to me, things like money are transitory things. I have had a lot of money and been near bankrupt a number of times. But, at the end of the day, what was most valuable to me was my reputation because it’s my reputation that no one can take away from me. It’s the one thing that will continuously bring back money to my bank account. Hacked my bank account and taken all my money? *^&%$# . But then I start to make that money again simply because I still have my reputation.
So this ends up meaning that you TRULY have to understand what is valuable to you and design around that.
Back when I had my contract with BC Hydro, I was exposed to a really interesting Risk Matrix that used for making all their investment decisions. It’s a natural part of doing a Risk Impact Assessment. There were 5 risk consequences that you had to think about:
- Safety – were people going to get hurt or going to die?
- Environmental – was the environment going to be impacted negatively?
- Financial Loss – this would be big for Banks. But it shouldn’t be a dollar figure – it should be a percentage of how much you have.
- Reputational – were there going to be complaints or were you going to end up in the news?
- Reliability – for a Utility, this is probably the most important because it impacts the risk of downstream customers.
BTW, when you have to think about life and death as a risk consequence, having someone deface a website seems like small potatoes.
So you plan about the risk consequences that you will be impacted by. And that may be different for a Security professional than it may be for their customer themselves. But, to me, a Security Professionals greatest consequence is having something impact their reputation. And that includes those Security firms that hack other Security firms. ‘Cause why would I hire a firm with morals that allows them to hack other security firms?
No, don’t be fooled into thinking money is the key consequence, because financial loss is more about a measuring stick than the thing that gain (which is money). These other things impact the financial loss in a more “strategic” manner.
So think about your reputation. Especially if you are a Security Professional.
Hope that helps …