Last week, while at the RSA show, I made a point of seeking out the HBGary booth; I had previously come to know their good technical reputation through webinars. Booth #556 was there, but HBGary was not. Searching online, I learned that they had pulled out after being hacked by Anonymous. This was possibly the most significant event at the entire show. After all, the company describes its Razor product as the "Most Powerful Weapon Against Today's Targeted Attacks". At first glance it might seem strange that a security technology company gets hacked. But, then again, this is just confirmation that technology alone does not secure data. People and process secure data, along with partners where needed; technology automation can help.
The best review of the HBGary attack I have seen is at Ars Technica (www.arstechnica.com). What lessons can be learned from it?
1. Test your applications. The HBGary hack originated with a SQL injection attack. Guess what the #1 OWASP vulnerability is: SQL injection. Go back to 2005, when the FTC filed suit against the computer forensics company Guidance Software. The complaint: loss of confidential information through a SQL injection attack. Maybe it is coincidence, but three HBGary executives came from Guidance. Again: test your applications.
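To make "test your applications" concrete, here is an added example (not code from the original post, and not HBGary's or anyone else's actual application) showing the kind of lookup that is open to SQL injection beside its parameterised form, plus the test a developer would run against both. The `users` table, the `pages.php`-style lookup function and the probe string are all constructed for the example; SQLite stands in for whatever database the real site used.

```python
import sqlite3


def make_db():
    """Constructed sample table; not any real site's schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_user_vulnerable(conn, username):
    # The user-supplied value is spliced into the SQL text, so anything it
    # contains (quotes, OR, comments) is parsed as part of the statement.
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    # Parameterised query: the statement is fixed and the driver passes the
    # value separately, so the input can only ever be compared as a literal.
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def tautology_test(lookup):
    """Application test: looking up a non-existent user whose name carries a
    tautology must return nothing. True means the lookup passed."""
    conn = make_db()
    probe = "nobody' OR '1'='1"
    return lookup(conn, probe) == []


if __name__ == "__main__":
    for fn in (find_user_vulnerable, find_user_safe):
        print(f"{fn.__name__}: {'PASS' if tautology_test(fn) else 'FAIL'}")
```

Running the test against both functions shows the point of the lesson: the vulnerable lookup returns every row for the probe, while the parameterised one returns none, and the same one-line check can sit in a CI suite so the regression is caught before deployment.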
2. Use complex passwords, and use a different password for each application. The next steps in the HBGary exploit involved guessing passwords retrieved through the injection attack, and then using them to access other systems that used the same passwords. Since the 8-character passwords used by some HBGary executives contained only lowercase letters and numbers, it was relatively easy for Anonymous to guess them using pre-computed rainbow tables. Depending on the information being accessed, we need to make it easy for users to employ complex passwords drawn from all 95 characters on the keyboard. Even worse, HBGary executives reused the same 8-character password on other sensitive systems, thus exposing company emails and other sensitive data. While some people argue for short, simple passwords, claiming that users will just write complex passwords on Post-it notes, the HBGary hack shows clearly the risks of using passwords that can be guessed. It also shows that security rules need to apply to executives as well as to the rest of the firm's employees.
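Two parts of this lesson can be worked through in code: how much smaller the search space is for an 8-character lowercase-and-digits password than for one drawn from all 95 printable characters, and why a pre-computed table pays off at all (an unsalted hash of a given password is the same everywhere, so one table serves every site). The following is an added example, not code from the original post; the policy threshold of 50 bits, the iteration count and the sample passwords are assumptions chosen for illustration, and PBKDF2 from the Python standard library stands in for whatever password storage a real site would use.

```python
import hashlib
import hmac
import math
import os
import string

PUNCT_AND_SPACE = string.punctuation + " "  # 33 symbols; with 26+26+10 letters/digits = 95


def charset_size(password):
    """Alphabet a guesser must cover, based on the character classes present."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in PUNCT_AND_SPACE for c in password):
        size += 33
    return size


def keyspace(password):
    """Number of candidates of this length over this alphabet."""
    return charset_size(password) ** len(password)


def keyspace_bits(password):
    return math.log2(keyspace(password))


def policy_check(password, min_bits=50):
    """Return (accepted, bits). The 50-bit floor is an assumed policy value."""
    bits = keyspace_bits(password)
    return bits >= min_bits, bits


def unsalted_hash(password):
    """What a rainbow table targets: the same password always hashes the same."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password, salt=None, iterations=200_000):
    """Per-user random salt plus a slow KDF; a table built once cannot be reused."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${digest.hex()}"


def verify_salted(password, stored):
    salt_hex, iterations, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    weak, strong = "abc12345", "a1B!c2D?"  # constructed samples, both 8 characters
    print(f"{weak}: 36^8 = {keyspace(weak):,} ({keyspace_bits(weak):.1f} bits)")
    print(f"{strong}: 95^8 = {keyspace(strong):,} ({keyspace_bits(strong):.1f} bits)")
    print("unsalted hashes equal across users:", unsalted_hash(weak) == unsalted_hash(weak))
    print("salted hashes equal across users:", salted_hash(weak) == salted_hash(weak))
```

For the two 8-character samples the ratio of search spaces is about 2,350 to 1, which is the difference between a space a pre-computed table can cover and one it cannot; the salted comparison shows why such a table only exists for unsalted storage in the first place.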
3. Patch systems in a timely way. Another critical step in the hack was moving from user to administrator on a Linux support server. This was accomplished through a published vulnerability that had not been patched. Maybe this step in the hack was an exception: according to the 2010 Verizon Data Breach Report, none of the intrusions they investigated resulted from a patchable vulnerability.
4. Monitor intrusion detection systems. Although there is no mention of this in the Ars Technica analysis, we have to ask who was monitoring the web server, email server and other platforms that were hacked. Each layer of HBGary's defenses had vulnerabilities. The only way to keep intruders out in this situation is monitoring and rapid reporting of incidents. This may be a difficult lesson to learn, since we all tend to treat technical defenses as impermeable.
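Monitoring only helps if someone is looking at the logs, and the first two steps of this intrusion (an injection against the web application, then password guessing against other hosts) both leave traces in logs that most servers already write. The following is an added example, not part of the original post and not derived from HBGary's systems: a small scanner that reads combined-format web access log lines and OpenSSH auth log lines, flags request paths carrying SQL-injection indicators, and reports source addresses with repeated failed logins. All log lines, addresses, timestamps and the threshold of five failures are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Apache/nginx "combined"-style access log line.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
# OpenSSH failed-login line as sshd writes it to the auth log.
AUTH_RE = re.compile(
    r'sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)'
)
# Fragments that a well-formed parameter value should never contain.
SQLI_SIGNATURES = [
    ("tautology", re.compile(r"'\s*or\s+\S+\s*=\s*\S+", re.I)),
    ("union-select", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("sql-comment", re.compile(r"(--|#)\s*$|/\*")),
]


def parse_access(line):
    m = ACCESS_RE.match(line)
    return m.groupdict() if m else None


def sqli_indicators(path):
    """Names of the signatures matched by the URL-decoded request path."""
    decoded = unquote_plus(path)
    return [name for name, rx in SQLI_SIGNATURES if rx.search(decoded)]


def scan_access_log(lines):
    hits = []
    for line in lines:
        rec = parse_access(line)
        if rec is None:
            continue
        reasons = sqli_indicators(rec["path"])
        if reasons:
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"], "reasons": reasons})
    return hits


def failed_login_sources(lines, threshold=5):
    """Source addresses with at least `threshold` failed SSH logins."""
    counts = Counter(m.group("ip") for m in map(AUTH_RE.search, lines) if m)
    return {ip: n for ip, n in counts.items() if n >= threshold}


def run_report(access_lines, auth_lines):
    return {"sqli_hits": scan_access_log(access_lines),
            "brute_force": failed_login_sources(auth_lines)}


# Constructed sample input; addresses are documentation ranges, dates arbitrary.
SAMPLE_ACCESS = [
    '198.51.100.7 - - [05/Feb/2011:14:02:11 +0000] "GET /pages.php?page=27 HTTP/1.1" 200 5123',
    '198.51.100.7 - - [05/Feb/2011:14:02:13 +0000] "GET /pages.php?page=27%27%20OR%201=1 HTTP/1.1" 200 9876',
    '192.0.2.44 - - [05/Feb/2011:14:02:20 +0000] "GET /index.php HTTP/1.1" 200 2048',
    '198.51.100.7 - - [05/Feb/2011:14:02:31 +0000] "GET /pages.php?page=-1%20UNION%20SELECT%201,2,3 HTTP/1.1" 500 412',
]
SAMPLE_AUTH = [
    f"Feb  5 14:05:{s:02d} support sshd[{2231 + i}]: Failed password for admin from 203.0.113.9 port {51000 + i} ssh2"
    for i, s in enumerate(range(1, 12, 2))
] + [
    "Feb  5 14:06:40 support sshd[2240]: Accepted password for jsmith from 192.0.2.44 port 40022 ssh2",
    "Feb  5 14:07:02 support sshd[2241]: Failed password for jsmith from 192.0.2.44 port 40023 ssh2",
]

if __name__ == "__main__":
    report = run_report(SAMPLE_ACCESS, SAMPLE_AUTH)
    for hit in report["sqli_hits"]:
        print(f"[web] {hit['ts']} {hit['ip']} {hit['path']} -> {', '.join(hit['reasons'])}")
    for ip, n in report["brute_force"].items():
        print(f"[ssh] {ip}: {n} failed logins")
```

Both checks are crude by IDS standards, but they would have produced an alert at the moment each phase of this attack began; the harder organisational question the lesson raises is who receives that alert and how quickly they act on it.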
5. Train and retrain users about social engineering. One of the most fascinating parts of the hack was the email exchange between the Anonymous hacker and an HBGary user, requesting Greg Hoglund's user ID AND password. This was willingly sent over the Internet. The moral here is: never send this information without speaking directly to the recipient.
6. Carefully monitor your business partners. This incident spilled over to other firms, in particular the law firm Hunton & Williams. A number of the emails taken from HBGary were to and from Hunton & Williams, discussing the use of HBGary Federal security services. These were from H&W partners and were never intended to be aired in public. Ironically, H&W advertises on its website that it has "an internationally known, superb team of privacy professionals at the firm who understand the maze of privacy and data security issues facing global companies." The lesson here is: know who your business partners are, know what data they have access to, and work through the risks to that data with them face to face.
In summary, good security is not about technical controls or architecture. It is about execution and monitoring of execution.
As Emmylou Harris sang: "C'est La Vie, You Never Can Tell"