The information security world has been abuzz with extensive coverage of the story of Anonymous vs. HBGary Federal. The hacktivist group Anonymous targeted the security company HBGary Federal after its CEO, Aaron Barr, pursued a plan to unmask the group's members in order to generate publicity and new business for a company that was hemorrhaging cash and desperate to survive. The incident reads like a screenplay, with intrigue and ties to current events such as the Wikileaks scandals, so it would not surprise me at all if a hit movie were made about it. Since HBGary Federal specialized in information security, it is worth examining what went wrong and what other businesses can learn from it.
Information Security lessons your business can learn from the HBGary Federal information security incident:
- Overconfidence is a deadly sin in information security. HBGary Federal's CEO was overconfident in his abilities, and that hubris led to his downfall. He was unwise to solicit the attention of skilled hackers and tempt them into a dangerous game of chicken that pitted their freedom against his company's continued survival. Keep a low profile and do not make boastful claims that might tempt skilled attackers to test your security.
- Don't expect the same old attack method. Aaron Barr wrongly assumed that because his adversaries had primarily used denial of service attacks in the past, they would do so again. Instead they found much larger holes and compromised his company's web presence and email service in the process. It is useful to study what your adversaries have done before, but plan for what they could do, not only for what they have typically done.
- Custom built does not equal secure. HBGary Federal ran a custom-built web content management system, and custom built does not translate to secure. A custom system lacks the benefit of a wide deployment base in which bugs are found and fixed by many users and researchers (as happens, for better or worse, with a platform like WordPress); with a one-off system, nobody is looking for the flaws except you and your attackers. For that reason you must commission your own detailed assessments (code review and penetration testing) if you are running custom-developed web applications, and treat them with the same patch discipline you would apply to an off-the-shelf product.
- Sensible password strategies are a must. It is widely recommended that passwords for sensitive accounts, such as corporate email or online banking, never be the same as those used for more common accounts such as general websites. Reusing a password turns a compromise of the weakest system that holds it into a compromise of every system that shares it, so a single low-value breach can cascade into your most sensitive accounts.
- Social engineering is among the biggest information security threats facing your company and one of the hardest to protect against. Train all of your employees about the dangers of social engineering and perform periodic audits to assess your company's vulnerability. In the HBGary Federal incident, experienced system administrators fell for social engineering requests sent through the company's already-compromised email system. That is a teachable moment: a request arriving from a legitimate account does not mean the request itself is legitimate. Employees should judge whether a request is normal for the requester and whether it follows policy before acting on it, and should verify out of band (for example by phone or through a ticketing system) rather than acting simply because it came from a known user account.
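One concrete way to enforce the password-reuse lesson above, for the systems your organization controls: when a user sets a password on a sensitive account, re-derive it against the salted hashes stored for that user's other accounts and reject it if any of them verify. The following Python is an added illustration written for this article, not code from HBGary or from any product; the account names, the sample passwords and the PBKDF2 parameters are constructed for the example. Salted hashes cannot be compared to each other directly, which is why the candidate password is hashed once per stored salt.

```python
"""Reject a new password for a sensitive account if it already verifies
against any of the user's other stored password hashes.

Added example for this article (not HBGary code). Account names, sample
passwords and hashing parameters below are constructed for illustration.
"""
import hashlib
import hmac
import os
from typing import Dict, List

ITERATIONS = 100_000          # assumed PBKDF2 work factor for the example
SALT_BYTES = 16


def make_record(password: str) -> Dict[str, bytes]:
    """Store a random salt plus PBKDF2-HMAC-SHA256 digest, never the password."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify(password: str, record: Dict[str, bytes]) -> bool:
    """Constant-time check of a candidate password against one stored record."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])


def find_reuse(candidate: str,
               other_accounts: Dict[str, Dict[str, bytes]]) -> List[str]:
    """Return the names of every other account whose stored hash the
    candidate password verifies against. Each record has its own salt, so the
    candidate is re-derived per account rather than comparing hashes."""
    return sorted(name for name, rec in other_accounts.items()
                  if verify(candidate, rec))


def set_sensitive_password(candidate: str,
                           other_accounts: Dict[str, Dict[str, bytes]]
                           ) -> Dict[str, bytes]:
    """Create the stored record for a sensitive account (e.g. corporate
    email), refusing any password already in use on the user's other
    accounts. Raises ValueError naming the conflicting accounts."""
    reused = find_reuse(candidate, other_accounts)
    if reused:
        raise ValueError("password already in use on: " + ", ".join(reused))
    return make_record(candidate)


if __name__ == "__main__":
    # Constructed sample data: one user's existing low-value accounts.
    existing = {
        "web-cms": make_record("Summer2011!"),
        "wiki": make_record("wiki-only-pass"),
    }
    # Attempting to reuse the CMS password for email is rejected.
    try:
        set_sensitive_password("Summer2011!", existing)
    except ValueError as err:
        print("rejected:", err)
    # A distinct password is accepted and stored salted.
    email = set_sensitive_password("Different#Email#Pw", existing)
    print("accepted, verifies:", verify("Different#Email#Pw", email))
```

The check only covers accounts whose hashes the organization can see; it cannot detect a corporate password that is also used on an external site, which is why user training and the general rule of one password per sensitive account still matter. Running the candidate against every stored salt costs one PBKDF2 derivation per account, which is acceptable at password-change time but is a reason to keep the comparison off hot authentication paths.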
This information is not being provided to further vilify HBGary but so that you can learn from their mistakes and improve your company’s information security program in the process.