VeriSign hack: Reactions from the security community
VeriSign admitted it was hacked in 2010 and cannot identify what data was stolen. Below are comments on the situation that Help Net Security received from industry veterans.
Jon Callas, CTO for Entrust
Reuters reports that VeriSign has been hacked and “undisclosed information” has been stolen. There isn’t much more in the reports other than speculation, but there are a number of things to remember.
They claim that this doesn’t affect the VeriSign certificate business, which is now owned by Symantec. Symantec has kept the VeriSign name on that business, and each of them says that this doesn’t affect Symantec. VeriSign proper runs DNS, does threat protection, and runs back-ends for telephone systems.
Nearly everyone will be hacked eventually. The measure of a company is how they respond. The critical infrastructure of the Internet is under both attack from frivolous and serious sources. From the media to hacktivism to criminals to nation states. The important thing for all companies to have in place is a response plan. That has to include assessment, containment, remediation, and notification. Notification is especially important because the public safety is at stake and those who have been spared need to know what the real threats are. Only those under attack can tell the rest of us. It’s been over a year since VeriSign was attacked. They owe it to their customers as well as the community to let us know what happened. There are responsibilities that go with running critical infrastructure and reporting is among them. This is serious and shouldn’t be buried in an SEC report.
Brian Honan, founder and head of Ireland’s CERT and owner of BH Consulting
According to Symantec none of VeriSign’s critical systems such as the DNS servers or the Certificate servers were compromised, although they do admit that “access was gained to information on a small portion of our computers and servers”. We have yet to hear what the information stolen was and what impact it could have on VeriSign and/or its customers. Until then, any commentary on the impact of this attack is speculation. However, this breach and the recent attacks on DigiNotar, Comodo and RSA, amongst others, points to a worrying trend in efforts to undermine the trust infrastructure that many organisations rely on to operate online in a secure manner. These attacks should be a wakeup call to the industry to now take a serious look at how we protect our transactions and communications online.
Another worrying aspect to this particular breach is the amount of time that lapsed between the breach happening and when it was reported to management. One would hope, and indeed expect, that in a company whose core business is providing security services that all staff are aware of how to spot and report a security breach. If we learn any lessons from this breach is that companies should ensure they train staff appropriately in how to identify a suspected breach, encourage staff to report their suspicions and have the appropriate escalation paths in place that incidents are alerted to the appropriate personnel in a timely manner.
Guy Churchward, CEO at LogLogic
The VeriSign breaches underscore the need for having a central repository for all log transactions. Regardless of whether or not it is collected expressly for security purposes or for improving operations, occasions do arise when you need 360 degrees of insight. Most of the companies we work with already have security tools in place when they come looking for a log management solution. They recognize that existing security measures can only go so far and that they need a way to centralize and properly analyze information.
This isn’t only critical in situations like VeriSign’s, in which companies can now watch their logs to monitor their unusual network activity, but also when companies experience attacks themselves and to need speed up discovery periods from a matter of days to minutes. If we learn anything from VeriSign’s attacks, it should be that we are all vulnerable. And if a security company like VeriSign can be breached repeatedly, you have to wonder what’s going on with all the other companies in the world.
Jonathan Gossels, President & CEO, SystemExperts Corporation
The public disclosure of multiple security breaches at VeriSign during 2010 and the company’s response bears striking similarity to the security breach of RSA last year. In both cases, the intruders established a persistent and undetected presence and were able to gain access to privileged systems and information. In both cases, the company released few details about how the compromise occurred and what information was breached.
In VeriSign’s case, it is shocking that administrators responded to the attacks when they occurred, but did not notify senior management until September 2011. While Reuters reported that VeriSign asserts that its Domain Name System Network servers were not breached, that is small comfort for the millions who rely on VeriSign for digital certificates used for authentication or consumers of their other services. The information that VeriSign hold obviously an attractive target.
The fact that VeriSign, a company dedicated to computer and network security, can be compromised repeatedly underlines that every company is vulnerable. If you accept that compromise is inevitable, the game shifts to prompt detection and comprehensive response. VeriSign has not disclosed how long the breaches lasted so we do know if they were detected quickly or not. Clearly, VeriSign dropped the ball on the response phase as notification is a key measure in any response.
Rob Rachwald, Director of Security Strategy at Imperva
The VeriSign breach is interesting for several reasons. First, it occurred a long time ago and only surfaced as a result of SEC filings. We now see how the new SEC requirement is playing a role in data security. Second, it’s unclear what was taken. Logically, SSL certificates would be the most attractive bounty. The third item is trying to figure out who dunnit. It is easy to conclude that government-sponsored hackers are responsible. Possible. But there is another possibility: private hackers who resell the booty to the governments and enterprises who may want it.
Melih Abdulhayoglu, President and CEO of Comodo
Today, no company – large or small – is immune from attack by cyber criminals. Every company that maintains data and accesses the internet – whether it’s via their PCs or through their mobile devices – is at risk. As such, all Internet users must be alert to the inherent risks and take the necessary precautions from securing information, websites, computers and mobile devices. And computer users must be able to depend on and trust the companies they are relying on to protect them.
One of the best defenses against cyber threats is transparent and immediate communication – and that needs to be part of any process moving forward. VeriSign did not disclose this breach to their users and therefore failed to give those users the opportunity to take important precautions. The security industry must work to build trust, not erode it.