New Info About Nortel Data Breach Highlights IT Security Concerns
IT security is an ever-changing branch of the Internet marketspace--one that is by nature reactive rather than proactive. No matter how well paid IT security admins may be or how much effort is put into developing security countermeasures, they are always informed by breaches that have happened, not those that might happen. Canadian telecommunications company Nortel was at the center of a massive security breach 10 years ago, and while the company itself has long been dissolved, new information has come to light that suggests the company did little to act even on known security issues.
According to a recent article by itWorldCanada, former Nortel CEO Frank Dunn not only knew about long-standing security breaches at the company, but did nothing about them. The company, which was recently cleared to sell off $4.5 billion worth of patents to companies like Apple and RIM, experienced over a decade of security breaches, many in the form of rootkits installed on machines across its network. While pedestrian by current hacking standards, the rootkits allowed access to almost all data in the company--casting the value of their sold patents into question.
Former Nortel employees like Brian Shields apparently led investigations into the breach over several years but were stopped by executives from taking any action. According to Neil Roiter, Coreco Network Security's research director, the "failure of what was viewed as an innovative and sophisticated IT company to appreciate and address the risk is puzzling." Nortel chose not to ask for any outside assistance, even after uncovering the breach, and as a result, it's unlikely the attacker will be found.
While the demise of a promising company like Nortel at the hands of hackers is unfortunate, there are a number of lessons other companies can take away to improve their own practices. A recent Infosec Island article discusses some of the areas where Nortel went wrong in its response and how similar problems might be avoided.
Although Nortel detected the intrusion fairly early on, their response was characterized as "inappropriate," in large part because the intrusions continued over a period of years. Many IT admins, however, don't have definitive plans of action in place that help signal when a threat is over and when business can return to normal. Pressure from upper management often puts a time crunch on getting systems back up and running and can result in some malicious software being left behind.
One key lesson to take from the Nortel incident is the need for containment--not just a quick wipe down of servers but actual containment, along with alert systems to notify admins if the problem recurs. In addition, seeking outside help--while not always preferable--can not only bring the incident to light but garner assistance from agencies with greater resources. That Nortel's data was allegedly being sent to China means that the Canadian government might have been able to intervene and provide some measure of assistance, had the company asked for it.
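The two points above, a definitive signal for when the threat is over and an alert when it comes back, can be made concrete. The following is an added example and not code from the article or from Nortel's own response: indicators recorded during an incident (file hashes, persistence paths, beacon destinations) are kept as a watchlist, fresh telemetry is checked against it, and the incident is only declared closed once every host has been quiet for a set number of days. All hashes, paths, hostnames and dates are constructed placeholders.

```python
"""Recurrence monitoring after a rootkit clean-up (added example).

Indicators recorded during the incident are kept as a watchlist.
New telemetry is checked against it, and the incident is only
declared closed once the whole estate has been quiet for a
configurable number of days. Every value below is constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass(frozen=True)
class Watchlist:
    """Indicators captured while the incident was being worked."""
    file_hashes: frozenset
    persistence_paths: frozenset
    beacon_hosts: frozenset


@dataclass
class Observation:
    """One host's telemetry snapshot (constructed format, not a real agent's)."""
    host: str
    seen: date
    file_hashes: set = field(default_factory=set)
    autoruns: set = field(default_factory=set)
    outbound: set = field(default_factory=set)


@dataclass(frozen=True)
class Alert:
    host: str
    seen: date
    kind: str
    indicator: str


def check_recurrence(observations, watchlist):
    """Return one Alert per watchlist indicator that reappears in telemetry."""
    alerts = []
    for obs in observations:
        for h in sorted(obs.file_hashes & watchlist.file_hashes):
            alerts.append(Alert(obs.host, obs.seen, "file_hash", h))
        for p in sorted(obs.autoruns & watchlist.persistence_paths):
            alerts.append(Alert(obs.host, obs.seen, "persistence", p))
        for d in sorted(obs.outbound & watchlist.beacon_hosts):
            alerts.append(Alert(obs.host, obs.seen, "beacon", d))
    return alerts


def incident_closed(observations, watchlist, today, quiet_days=30):
    """True only if telemetry exists and no indicator was seen for quiet_days.

    Missing telemetry is not evidence of a clean network, so an empty
    observation set never closes the incident.
    """
    if not observations:
        return False
    alerts = check_recurrence(observations, watchlist)
    if not alerts:
        return True
    last_seen = max(a.seen for a in alerts)
    return today - last_seen >= timedelta(days=quiet_days)


# Constructed indicators from a fictional incident record.
WATCHLIST = Watchlist(
    file_hashes=frozenset({"deadbeef" * 8}),
    persistence_paths=frozenset({"/etc/init.d/.svchelper"}),
    beacon_hosts=frozenset({"c2.example.invalid"}),
)

# Constructed telemetry: build-01 stays clean, build-02 is re-infected later.
SAMPLE_OBSERVATIONS = [
    Observation("build-01", date(2012, 2, 1), file_hashes={"cafebabe" * 8}),
    Observation("build-02", date(2012, 2, 20),
                autoruns={"/etc/init.d/.svchelper"},
                outbound={"c2.example.invalid"}),
]

if __name__ == "__main__":
    for a in check_recurrence(SAMPLE_OBSERVATIONS, WATCHLIST):
        print(f"ALERT {a.seen} {a.host}: {a.kind} {a.indicator}")
    print("closed on 2012-03-01:",
          incident_closed(SAMPLE_OBSERVATIONS, WATCHLIST, date(2012, 3, 1)))
```

The closure rule is the part management pressure tends to erode: a host that beacons again twenty days after the wipe resets the quiet period for the whole estate, and a run with no telemetry at all reports "not closed" rather than "clean".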
Though no organization can fully protect against every attack, the response to a breach is often as important as the breach itself. For IT, the support of upper management matters as much as technical process, both to stop initial intrusions and to ensure that when a business comes back online, it does so safely.
This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.