Before the recent high-profile attacks by Anonymous and other hacktivist groups, it was difficult to get management’s attention on the need to fix security vulnerabilities, many of which have been around for a long time, Summers told the panel, which was moderated by Jeffrey Brown, PBS NewsHour senior correspondent.
“Josh Corman has a great line: ‘The Anonymous attacks hold up a mirror to our neglect.’ We probably all get a sick feeling in the pit of our stomach when we think about Anonymous probing the perimeter of our infrastructure because the things they are taking advantage of are DDoS [distributed denial of service], SQL injections, default passwords, and poorly configured patching… I don’t think any of us has seen a smoking zero-day that is being used by Anonymous to infiltrate our networks”, he opined.
“We know what the problem is and most of us know what the solution is, and we are finally getting the right level of attention on it at the enterprise level”, Summers said.
“In some boardroom, this is probably the first time that the words ‘information security’ are coming up. I find that there is a real gap in understanding between security practitioners and what the board is talking about”, he added.
Many companies are taking the risks from hacktivists “too lightly”, judged Eric Strom from the Federal Bureau of Investigation (FBI). “A lot of people think these are a bunch of kids goofing around. In reality, they are not. They could destroy a business.” He stressed that his agency has put a lot of resources into the problem of hacktivism.
Strom said that the FBI has been working with industry on this problem. The agency puts companies that have suffered an attack in touch with similar companies that might be targets in order to share advice and mitigation strategies.
Organizations that are likely targets of Anonymous should realize they are targets, observed Misha Glenny, author and journalist. “If you look at the targets Anonymous has gone after in the United States, they are all within fairly obvious sectors. If you are in one of those sectors, you are not going to have a data breach that you can cover up. You don’t have to announce that it has happened because Anonymous is going to announce it to the world for you”, he told the panel.
These sectors include law enforcement, IT security, the financial sector, governments, and the military. “As we’ve seen with Anonymous, a lot of it has to do with propaganda and a sensational message that they want to spread”, he said.