The Hackers Became Too Smart

Is that what the epitaph for modern economies will be if the rapidly rising trend in breaches gets completely out of hand?

The first time I noticed the excuse given for the success of a breach as being that the hackers were very sophisticated was when Heartland Payments was hacked some three years ago. The company took pains to emphasize that this was no ordinary attack, but one by some really smart and capable criminals. Now the excuse that the bad guys run ahead of the defenders in capabilities appears to have become commonplace, and even accepted. In fact, it was formalized in an article by Ben Worthen and Anton Troianovski in the June 17, 2011 Wall Street Journal with the title “Firms Come Clean on Hacks,” in a quote by Michael Fox of ICR Inc. to the effect that “Breaches are increasingly viewed less as a weakness on the part of the company and more as the sophistication and relentlessness on the part of the hackers.”

If that is the case, then why bother about cyber security at all? If there is no chance of winning, why even play the game? We somehow hope that we can change the game but, as I wrote in my May 10, 2011 column, “Security Innovation – Trying to Change the Game,” the hackers don’t play by the rules, so changing the rules won’t likely do much good.

In any event, the tone of resignation in Worthen and Troianovski’s WSJ article is most distressing. It smacks of giving up. The resolution to a hack is to “come clean” and admit that it happened, and that you cannot be expected to have avoided or protected against the attack because the hackers are so much smarter than the defenders. What kind of nonsense is that? The answer is to take a realistic view of the assets at risk and protect them as effectively as is reasonable, avoid giving access to sensitive and valuable assets to those who have no need-to-know, monitor access and use by those who do need to know, and strictly enforce laws, regulations, policies, and standards with severe negative consequences for those not adhering to the rules as a strong deterrent.

One Comment

  1. Security Blogger Jul 17, 2011 at 1:44 am

    The worst thing is that a lot of these recently publicised mass breaches of email addresses (e.g. Sony, Gawker, Groupon India) have been caused mostly by very basic security mistakes such as the storage of cleartext usernames and passwords … something that became a big no-no more than 10 years ago… It's highly unprofessional for these guys to be blaming hackers for being too smart.
