The story with all the interesting details about how security company HBGary was hacked earlier this month, published by Ars Technica last week, has made quite some noise with people concerned about IT security. It is a perfect – by the book – example of how to find and use weaknesses in a security system to bypass it.

In short, what happened is the following: the CEO of HBGary Federal wanted to increase publicity around his company by exposing the real identities of the leaders of a well known group of hackers called Anonymous. For this he infiltrated into their IRC chat rooms and researched profiles from social networks like Facebook, LinkedIn or Twitter. When he thought that he found what he was looking for, he started to make noise about his achievement by publishing articles on newspapers, setting meetings with FBI and revealing his true identity to the Anonymous. This made the group of hackers very angry and their response was devastating for HBGary, which had its servers broken, email messages published on the Internet and websites hacked. Additionally, the results of the research that generated all this trouble were revealed as not reliable.

The next, equally bad or even more disastrous, hit for HBGary were the details from the story presented by Ars Technica. Anonymous revealed how they managed to bypass their security. And what is shocking is how easy it seems to be to penetrate the security of the company that is, after all, an expert in security.

The story raises a lot of questions:

  • Why was their security so weak? Aren’t security companies supposed to know how to defend against these types of attacks?
  • Would have better security really saved them? Or would the attackers have adapted and used more ingenious ways to get in?
  • How likely is this to happen to a small or medium-sized company? While you can imagine it happening to big players like Microsoft or Google, can it happen to small companies that did not upset the “wrong guys”?
  • How prepared are companies for targeted attacks?  How many of them would remain standing after such an assault?

An important thing to mention is that the standard suite of security software (firewall, antivirus, antispyware, anti-spam, anti-phishing, patch management, etc.) does a decent job to stop 99% of the attacks: non targeted ones – the pieces of malware that are randomly scanning the Internet for vulnerable machines and infecting them, the emails with malicious attachments or those pointing to dangerous sites, the sites that simulate well known services to trick you and get your passwords, etc. They are indispensable for targeted attacks too, but here things are much more complex and they are far from being enough.

What can be done to ensure well enough security? (Well enough is the maximum you can get, there is no such thing as a perfect security system.)

It is extremely important to keep the security system defenses aligned with the potential damages that a security breach will cause.

For a small startup that is still in its early stages with just a few computers it usually makes no sense to invest massively in security. This is not only because the costs will kill the business faster than any hacker, but also because the company simply doesn’t have enough valuable assets to make the effort worthwhile. However as the company starts to have a history, they also start to have more and more sensitive data: financial data, customers’ and partners’ data, development strategies, etc. Now it becomes more dangerous to lose data or to have confidential data stolen.

The key is to keep the balance between security enforcement and the risks that usually increase over time, and this is the point where a lot of companies fail. Some common reasons for this are:

  • The company is not aware of the risks simply because they don’t have the necessary expertise to evaluate them.
  • The risks are underestimated. In this case the security enforcement is seen as an unnecessary cost.
  • The company is aware of the risks and their efforts in the area give them a false sense of security, while they actually have a problem in applying policies.

Usually a security incident is what makes these companies realize where they really stand.

In the second part of this series I’ll talk about what happened to HBGary and what we should learn from it.