Can IT Trust VeriSign After Repeated Attacks?
Security breaches were the norm for VeriSign during 2010. No one knew until late 2011, when the company admitted that there had been multiple security lapses, leaving many questioning whether the company can still be trusted. Of course, management can't really be blamed, seeing as they were also not notified until September 2011. Now IT departments are left wondering if the company can be trusted again, since not only did criminals get through the security layer, but the delay in telling management and the IT world has likely led to security breaches elsewhere around the Internet.
The major issue at hand is the sheer number of Secure Sockets Layer (SSL) certificates the company once issued. If they have been stolen, that could lead to major security issues for companies and individual users, according to TechRepublic. If one of these certificates was stolen, users could be tricked into thinking they are on legitimate sites. And if a business is targeted as a site to be cloned to trick users, the business's reputation will invariably suffer. IT departments worldwide should be on alert, especially since VeriSign isn't confirming or denying whether any SSL certificates were stolen.
TIME blogger Keith Wagstaff summed up the issue completely when he said that waiting so long to reveal such an attack is unacceptable. People around the IT community agree with Wagstaff. How many security issues were caused in part by the breaches, and how many of them could have been averted? Now the issue is cleanup for VeriSign and damage avoidance for everyone else, especially businesses that rely heavily on the Internet. Beyond normal Internet security surveillance, IT departments will be keeping an eye on odd traffic patterns. Traffic patterns that change quickly and drastically can be an indicator of redirect issues due either to HTML errors or to something more sinister.
The other alarming conclusion to be drawn from this situation is that anyone is vulnerable to attack. Companies are always vulnerable, especially those whose sole purpose is to secure other sites. These high-value companies are too tempting for criminals to resist. Once inside, the criminals can easily gather the information needed to enact larger breaches on other businesses. When a company as big as VeriSign is hacked, it is often a wake-up call to other companies. The entry into companies' secure servers must be protected, and it is also necessary to protect what is behind that perimeter. The more layers of security a business has, the harder it is for cyber attackers to extract the information they are so eager to get their fingers on.
As for VeriSign, it is no longer the largest supplier of Secure Sockets Layer certificates. Now it is Symantec, another company dealing with cyber attacks. Until more information is released on what data was extracted in 2010, there is no way to know exactly what issues could pop up as a result. For now, the company is tight-lipped, but with more pressure from the IT sector, the chances of this information remaining private for long are slim.
This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.