Glass House Syndrome and the Security Industry
By now you have probably read about the hacking of Barracuda Networks' website. Barracuda has also posted its official response to the incident in a blog post by Michael Perone, CMO of Barracuda. Another report came out shortly thereafter indicating that the attack was the work of a Malaysian group called HMSec.
It appears that the information made public, while embarrassing for a security company to have disclosed, was not financially valuable in and of itself. Of course, any security breach at a security company could damage its reputation, and with that damage to reputation could come financial loss.
However, let's be clear here. This kind of thing could happen to any of us. In my case it did. It was just three or four years ago that my blog and email accounts were hacked. But besides that, Barracuda joins some decent company. RSA, McAfee, Symantec, Comodo, Kaspersky and Google, to name a few, have all suffered hacking attacks.
So this really is a case of "it could happen to any company." Recently it appears that security companies themselves have been targeted by hackers. For that reason, any company that would fault Barracuda for what happened here is really playing with fire. They may find themselves the next one in the glass house while someone else throws stones.
This point was brought home to me by the tweets I saw after this incident was originally reported. Josh Corman of 451 Group said he wasn't interested in hearing from companies who would say this sort of thing would never happen to them. Mike Rothman and Bill Brenner agreed, +1 and +1000. Martin McKeay wondered why he didn't already see marketing around this story.
Is that really the sad state of our industry? Are there people arrogant and stupid enough to stand up and throw stones at any of these companies that have suffered breaches, as if it couldn’t happen to them? I would hope not, but maybe I am wrong.
In the post from Barracuda, they say that their WAF was inadvertently placed in passive mode and then shut down for a maintenance window. The implication is that had the WAF been up, this would not have happened. Of course, there are some who, in their best SNL Church Lady voice, say "how convenient."
But really, does it matter? If the WAF had been up, but some spear phishing had given the attackers a vector in, would you feel differently? There is no guarantee that you cannot be hacked. I don't want to use the APT word, but no one, no one, is 100% immune.
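The failure described above, a WAF that was quietly left in passive (detect-only) mode and then taken down, is the kind of configuration drift that is easy to miss unless something checks for it. The following is an added example, not code from the original post and not related to Barracuda's product: it audits a ModSecurity-style configuration (the `SecRuleEngine` directive, whose values `On`, `DetectionOnly` and `Off` are real) and reports whether the engine is actually enforcing. The sample configs are constructed, and the assumption that a later `SecRuleEngine` line overrides an earlier one in the same file is noted in the code.

```python
import re
from enum import Enum


class EngineMode(Enum):
    """Possible effective states of the WAF rule engine."""
    ON = "on"                        # blocking: rules are enforced
    DETECTION_ONLY = "detectiononly"  # passive: rules only log
    OFF = "off"                      # engine disabled
    MISSING = "missing"              # no directive found at all


_DIRECTIVE = re.compile(r"^\s*SecRuleEngine\s+(\S+)", re.IGNORECASE)


def effective_rule_engine(config_text: str) -> EngineMode:
    """Return the mode the config leaves the engine in.

    Assumption (labelled): within one file the last SecRuleEngine
    directive wins, so we keep scanning and remember the final value.
    Comments after '#' are ignored; unknown values are treated as
    MISSING rather than silently assumed safe.
    """
    mode = EngineMode.MISSING
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0]
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        value = m.group(1).lower()
        try:
            mode = EngineMode(value)
        except ValueError:
            mode = EngineMode.MISSING
    return mode


def audit_waf_config(config_text: str) -> tuple[bool, str]:
    """Return (enforcing, reason) for a config blob.

    Only EngineMode.ON counts as enforcing. DetectionOnly is exactly the
    'passive mode' failure: requests are inspected and logged but never
    blocked, so a maintenance change that leaves it there is a finding.
    """
    mode = effective_rule_engine(config_text)
    if mode is EngineMode.ON:
        return True, "SecRuleEngine On: WAF is enforcing"
    if mode is EngineMode.DETECTION_ONLY:
        return False, "SecRuleEngine DetectionOnly: WAF is passive (logs only)"
    if mode is EngineMode.OFF:
        return False, "SecRuleEngine Off: WAF engine disabled"
    return False, "no valid SecRuleEngine directive: mode unknown, treat as not enforcing"


# Constructed sample configs (not from any real deployment).
PASSIVE_CONFIG = """
SecRuleEngine On
# temporarily relaxed for the maintenance window
SecRuleEngine DetectionOnly
SecRequestBodyAccess On
"""

ENFORCING_CONFIG = """
SecRequestBodyAccess On
SecRuleEngine On   # production setting
"""

if __name__ == "__main__":
    for name, cfg in (("passive", PASSIVE_CONFIG), ("enforcing", ENFORCING_CONFIG)):
        ok, reason = audit_waf_config(cfg)
        print(f"{name}: {'PASS' if ok else 'FAIL'} - {reason}")
```

Running the same check from a scheduled job, and alerting when a host that was enforcing yesterday reports `DetectionOnly` or `Off` today, turns "the WAF was inadvertently in passive mode" from a post-incident discovery into a same-day ticket.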
So if we really have members of our industry who would say this could never happen to them, shame on them. Pride is the deadliest of the deadly sins.
The only real lesson to be learned here is that it could happen to you or me or any of us. That is why we have to be ever vigilant and work as an industry to safeguard not only our own property but the property of others as well.