The GlobalSign Breach: Security 101
Added by Rick Robinson on May 3, 2012
Topic: Security & Resiliency
GlobalSign, a firm that issues SSL digital Internet security certificates and related services, was embarrassed last year when a hacking attack knocked it offline for a week. Newly revealed, the cause of the security breach: A piece of open source software was not patched.
For IT managers at midsize firms, it is one more lesson in security basics. The lesson is not about open source. Evidently, a patch was available, but it had not been applied. A vendor patch, if not applied, is simply ineffectual. For all the popular mythology about brilliantly sophisticated hackers, most attacks could be prevented by the implementation of basic security.
Hacking attacks are never good news for any company, but they are especially awkward when the victim is a security firm. As reported by Zack Whittaker at CNET, that is what happened last year to SSL certificate firm GlobalSign.
A hacker with user name "Comodohacker" broke into the company's server and compromised its website, some consumer-facing documents, and the company's own certificate. GlobalSign was offline for a week, and after its return, it sheepishly noted that it had "learned much" from the attack. A company executive recently acknowledged that the breach was due to failure to update an unspecified piece of open source software.
The attack came only weeks after another certificate company, Netherlands-based DigiNotar, was breached; the compromised certificates included those for Dutch government sites. DigiNotar subsequently declared bankruptcy.
Object Lessons
The full details of Comodohacker's exploit were not disclosed, but the basic outline is enough to identify the nature of the security failure. An update was available for a software program, but the update had not been applied. That failure to update left a security hole that Comodohacker was able to crawl through.
This is the story of most security breaches. In March, Computerworld reported on a Verizon study indicating that the great majority of hacking attacks, fully 97 percent, are rather simple. The victims could have prevented the breaches by implementing basic security precautions.
Many of these victims are midsize firms. But even if the companies have robust IT departments, basic security all too often gets pushed to the back of the queue. Top executives do not regard security (or even IT itself) as an obvious profit center. And they are not immune from the universal human tendency to think that mishaps will not happen to them.
For IT managers at these midsize firms, the toughest job is not updating software or performing other basic security functions; it is prioritizing these tasks when the front office is demanding that other things be finished yesterday. Pushing back against that pressure is not easy, but it is necessary.
This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.