A lesson to learn from the HBGary breach
As you might have already read, the HBGary and rootkit.com breach by Anonymous was not executed by using obscure techniques or unknown vulnerabilities – quite the opposite, in fact.
What allowed the attackers to succeed with this rather standard approach is the fact that HBGary failed to pursue the same best practices that it and other security companies preach.
Easy-to-crack passwords, their reuse, unpatched servers, a site vulnerable to SQL injection… It seems to me that these revelations are enough to put HBGary and HBGary Federal out of business and I wouldn’t be surprised if that happened in the end – for who will trust a security company that can’t secure their own assets?
Lest you assume that I am somehow inordinately pleased with the prospect of these companies’ demise, let me say that I think HBGary simply had bad luck (if you want to call it that). I don’t want to minimize the impact their failure to follow best security practices had on the final outcome, but I also believe that they are not the only security company – or, for that matter, any other kind of company – to whom this kind of thing could have happened when taking into consideration the highly motivated Anonymous attackers.
I’m betting that every security company executive out there is thinking to himself (or herself): “Whew! I’m glad that wasn’t us!”, and I hope that the lesson they take from this incident is not that they have to avoid angering any kind of hacker, but that they have to practice what they preach and up their defenses as best they know how.
Even that will not guarantee that hackers will fail at gaining access to the company’s assets and confidential corporate information, but it will surely make a catastrophic outcome less certain.