The News Team Blog

On CISPA: Threat info sharing shouldn't be a spy project

April 24, 2012

Information sharing, at its core, is among the most effective ways to fight cyber crime. Plainly put, the saboteurs do it, so why shouldn't the very organizations that those adversaries seek to attack? Learning the details about a successful intrusion or attempted intrusion, such as the tactics used and who was behind it, can go a long way to help a peer prevent a similar fate.

There have been many successful law enforcement- and industry-led efforts, such as the Financial Services Information Sharing and Analysis Center (FS-ISAC), to promote this type of collaboration among the good guys. But now, it seems, Congress wants to codify the sharing of data through the Cyber Intelligence and Sharing Act (CISPA), which is due for a full House vote on Friday. Sounds great, right? Not really. The proposal vastly overreaches, at the expense of Americans' coveted freedoms and civil liberties.

Make no mistake, CISPA is not SOPA, the anti-piracy bill that was squashed earlier this year amid an unprecedented outcry from critics, including some of the most well-known web giants, such as Reddit and Wikipedia, which went dark for a day to protest the measure.

But CISPA is a very dangerous proposal in its own right. You see, when the sharing of threat intelligence data becomes the sharing of people's personal data with our three-letter agencies (without judicial oversight), serious problems come into play, and a murky-language-filled bill that is meant to help secure cyber space becomes an example of expansive and excessive surveillance on the open internet as we know it. As CNET's Declan McCullagh explains:

What sparked the privacy worries [about CISPA] -- including opposition from the Electronic Frontier Foundation, the American Library Association, the ACLU, and the Republican Liberty Caucus -- is the section of CISPA that says "notwithstanding any other provision of law," companies may share information "with any other entity, including the federal government."

By including the word "notwithstanding," CISPA's drafters intended to make their legislation trump all existing federal and state civil and criminal laws. It would render irrelevant wiretap laws, web companies' privacy policies, educational record laws, medical privacy laws, and more. (It's so broad that the non-partisan Congressional Research Service once warned (PDF) that using the term in legislation may "have unforeseen consequences for both existing and future laws.")

CISPA strikes me as another example -- cough, NDAA, cough -- of powers meant to stop the real criminal being turned back around on the people. Often, the justification for passing these laws amounts to nothing more than instilling fear over an unknown enemy, who, in the case of cyber, is some shadowy figure one line of code away from knocking out the lights from Boston to Bakersfield. For a sense of how high the levels of fear mongering can reach, just read this U.S. House Committee on Homeland Security press release, issued Tuesday.

Cyber threats are very real. Not so much the "cataclysmic" events that are designed to ruin "our way of life," as Rep. Peter King of New York would have you believe, but more likely the silent killers, like the commercially available exploit kits customized to steal bank login data, or the more stealthy espionage malware created to pillage trade secrets.

The intentions of legislation like CISPA -- and this perhaps is giving our lawmakers too much credit -- seem to be in the right place. Admittedly, threat information sharing is sometimes riddled with difficulties, including concerns over competition and legal complexities. Making the process more seamless is commendable.

But surely this can still be obtained without eroding the civil liberties and Constitutional rights of Americans.

 

Apple is the richest company in the world, but it's not very good at dealing with malware

April 06, 2012

Last weekend, I headed from Brooklyn to Manhattan with my girlfriend so she could get her iPhone fixed. Our destination was the Apple store, a hip and stylish three-story building in the Meatpacking District.

Surprising as this may sound, it was my first time ever at an Apple store. Within a few minutes, I became fairly convinced that nobody ever comes here to buy anything; it's merely a hangout, much in the same way the popular nightclubs in the vicinity are.

As expected, the Apple fanboys and girls were out in full force on this Sunday afternoon, so the place had its usual air of elitism to it -- at least that's the way my Windows- and Android-using insecure self perceived the surroundings. I gotta admit, though, I've kinda gotten over my grudge toward Apple. That's because every time I've played with one of their gadgets, I've really enjoyed it, even though the only device I own from the House That Jobs Built is a busted iPod that I will toss out one of these days.

Still, as a security journalist, Apple and I have a tough time being great friends. And that was only compounded when I was making small talk with the "Genius Bar" dude who was troubleshooting the girlfriend's phone. I asked him if he thought Macs needed anti-virus protection. He, without hesitation, responded no.

Cue a few days later, and Apple is facing possibly its largest outbreak of malware in its history, with news that the dangerous Flashback trojan has contaminated some 650,000 Macs, many of which are located in the United States.

In my mind, Apple -- the richest company in the world, remember -- has failed on two levels here. For starters, it was abysmally late in pushing its own update for Java for Mac OS X, even though in mid-February, Oracle, which owns Java, fixed the vulnerability that is allowing Flashback to spread.

You see, Apple insists on releasing its own patches for third-party products. And Flashback is known for disabling built-in Mac OS X defenses, so any attempt at security that Apple already had in place wasn't going to help out.

The second problem is security communications. Over the last several years, I can count on my fingers the number of times a PR person from Apple responded to a query from me. Maybe SC Magazine isn't big enough of a name when considering the publications that fawn over Apple's products, services, (and stock price), but is that really an excuse? Or maybe Apple just likes to stay true to its "security code of silence."

But one would think that, in the case of a malware outbreak, Apple might prefer to get ahead of the story by providing, at the very least, some user guidance. After all, viruses on Macs are likely a new concept for most Apple users, so they may actually need some help dealing with them.

In the end, I guess not much changes in three years.

Maybe Flashback will give Apple the wake-up call it needs. Only time will tell, of course. Don't forget, Apple still makes up only a fraction of the world's operating systems. 

In the meantime, I wonder, if I head back to the Apple store tonight, whether that air of elitism would seem a little less dense.

 

Can Anonymous force its victims to reconsider their actions?

January 31, 2012

Perhaps if Sony had known how Anonymous would react to the electronics giant's legal pursuit of accused PlayStation 3 hacker George Hotz, it would have looked the other way.

If Bay Area Rapid Transit (BART) knew that its decision to temporarily cut mobile service at four of its stations would result in naked photos of its communications director appearing online, it may have kept the web up and running for commuters.

And if handbag-maker Coach knew that its support of the very controversial Stop Online Piracy Act (SOPA) would result in a group called UGNazi hijacking its DNS records to divert traffic elsewhere, maybe it would have kept its focus on satchels and clutches.

Sony, Coach and BART are just three names on a laundry list of recent "hacktivist" victims -- one which has been steadily growing over the last 12 months. As social movements such as Occupy Wall Street take hold on the streets to protest corporate and government wrongdoing, groups such as Anonymous seem to be guarding the cyber skies in the name of exposing and embarrassing their targets.

Within the security industry, much has been made of the new risk that hacktivism poses to organizations. So while organizations work to better equip themselves with the people, processes and technology to defend against this threat – all great measures, certainly – they may also want to consider an additional, and perhaps far simpler, tactic: conversation.

Hugh Thompson, the program committee chairman of the RSA Conference and an adjunct computer science professor at Columbia University in New York, thinks it makes sense for companies to, at the very least, weigh the consequences of their business decisions and practices as they face this new hacking phenomenon.

Last week, I chatted with Thompson about hacktivism, and he told me that organizations must adjust their security model to become more adaptable and nimble in the face of today's attacks. That means accepting that failure will happen and becoming more agile and competent in responding, all within the context of risk.

But decision-makers may also want to consider who they're going to tick off when they decide to do something, he said.

I agree.

The corporations and government agencies targeted by the likes of Anonymous and LulzSec wield tremendous power, so it's hard to believe they would ever publicly cower to online activist attacks, which often fall into the illegal category, I should add.

But they might become more proactive in their corporate strategy, at least. After all, in Sony's case, it was ultimately hit more than a dozen times, millions of users were impacted, its leaders publicly apologized, and it certainly suffered reputational harm, particularly when the PlayStation Network was offline for weeks. Even when it knew they were coming, Sony couldn't stop the hacks. It still can't.

"Maybe if it was today, [Sony] would have decided the other way," Thompson told me, referencing the Hotz lawsuit.

"The scope of security has to expand," he added. "The company really is in this ecosystem. Security is a huge function of targeting, as opposed to what you have done to defend your organization."

In other words, if you're not a target, you're probably in much better shape. That's not to say anyone should ever be forced to walk on eggshells – capitalism has dealt with its fair share of blows lately, but it still remains the foundation of our economic system. And some choices an organization makes just aren't going to be loved by everyone (or Anonymous). That's a fact of life.

But if having these boardroom conversations means an organization like Monsanto, for example, which was hacked last year by Anonymous, will become a more compassionate, principled and ethical player in our world than it currently is, I'm all for the shift in corporate mindset that may result from the threat of hacktivism.

Color me skeptical for now. The power elite are a difficult bunch to win over.

 

The government has it wrong on Anonymous and critical infrastructure

October 19, 2011

(updated below) 

A bulletin released this week from the U.S. Department of Homeland Security, which implies that the hacktivist group Anonymous may be interested in crippling critical infrastructure (think electric grids and oil-and-gas refineries), strikes me more as a move to discredit and undermine the collective rather than warn of any actual danger.

Earlier this week, as expected, plenty of press picked up the story, obediently reporting the news despite the scant evidence and lack of on-the-record government sources. (Which is how most government news is dispensed for public consumption, by the way. I've been guilty of this many times myself.)

In my eyes, this seems to be another step by U.S. officials, without exactly coming out and saying it, to label Anonymous as a cyber terrorist organization, bent on indiscriminate destruction of digital property and infrastructure.

And I don't think that's fair.

"The information available on Anonymous suggests they currently have a limited ability to conduct attacks targeting [industrial control systems]," the bulletin read. "However, experienced and skilled members of Anonymous in hacking could be able to develop capabilities to gain access and trespass on control systems very quickly."

Certainly, I won't defend any of the alleged actions Anonymous has taken that are illegal. Organizations have a right to keep their personal property out of the hands of hackers, and Anonymous, if its claims are to be believed, has broken the law on a number of occasions in the past.

But, I also don't believe it's fair to characterize it as a group dedicated to sabotaging the very resources, such as oil-and-gas pipelines or water and sewage treatment plants, that Americans rely on to survive.

If anything, given its dedicated support to the Occupy Wall Street movement, it seems Anonymous cares much more about the average person than you might be made to believe – certainly more than some of our lawmakers have shown, who are, on most occasions it seems, more subservient to lobbyists and corporate donors than their own constituents.

In its bulletin, DHS produces, as evidence, two examples of "Anonymous' interest in control systems." One is the group's launch this summer of "Operation Green Rights presents: Project Tarmageddon." The project opposes the development of the Alberta oil sands because of environmental concerns. Anonymous named crude manufacturers Exxon Mobil, ConocoPhillips, Canadian Oil Sands Ltd., Imperial Oil and oil financier the Royal Bank of Scotland as targets.

The other is, are you ready, a tweet from a "known Anonymous member" that included the results of recon he or she did into a directory tree of Siemens software.

Exactly who *isn't* probing SCADA systems these days? It certainly was a very hot session topic at the recent Black Hat conference in Las Vegas, and has caught the eye of researchers so much that the government has set up a clearinghouse for control system vulnerabilities.

Which reminds me: I'm waiting for DHS to publish a warning based on a potential real critical infrastructure issue that popped up just yesterday -- evidence that the Stuxnet authors are back with new malware. I'm sure the bulletin will arrive any minute now.

So why would the government want to paint Anonymous in this way? Well, that's pretty simple to answer. The group has made no secret of its distrust of the powerful and elite, and has taken steps to expose corruption through hacks and to silence its enemies through distributed denial-of-service attacks.

Thus it's in the government's best interest to stamp the group as some purposeless band of radicals, much in the same way you can't blame the Department of Justice for going after whistleblowers like WikiLeaks, which published a trove of documents cataloging a number of atrocities, including the deaths of innocent Iraqi civilians and detainee tortures at the hands of U.S. and ally forces.

Yes, Anonymous is amorphous and leaderless, with splinter elements, and there is no conclusive way to know what exactly its goals are. But some of the more reliable Anon Twitter accounts that I follow for news about the group don't seem to be mentioning anything about hacking these days, never mind infiltrating industrial control systems. In fact, the group seems to be devoting a good chunk of its energy to the Occupy Wall Street protests, which have spread to scores of cities in this country and around the world.

Remember all those breaches we read about in spring and summer? Well, ever since OWS began, it's like they all stopped in the name of a bigger cause.

I think a tweet on Tuesday from Anonymous was pretty telling of where its motivations currently lie.

Here was the group's apparent response to the DHS bulletin: "Anonymous should issue a warning to the public against the DHS, FBI, etc. related to gov't efforts to subvert freedoms in the USA."

Of course, I'm not here to deride the DHS, either. I think issuing alerts such as these can have a benefit, especially when they come with advice.

"Asset owners and operators of critical infrastructure control systems are encouraged to engage in addressing the security needs of their control system assets," the bulletin concluded.

I think that's something we can all agree on. But in the case of Anonymous taking down critical infrastructure, I don't think we should "expect" them there.

UPDATE: I was interviewed about this story Friday on RT's "The Alyona Show." Video here: http://www.youtube.com/watch?v=KWy1MtOiQT8

 

"Sophistication" and the downfall of security

September 28, 2011

Apparently, my call 18 months ago for more transparency and openness around security incidents largely has fallen on deaf ears.

At the time, I was writing to protest the firing of Bob Maley, the former CISO of the state of Pennsylvania, who received a pink slip after revealing details – too many, apparently, in the eyes of his bosses – about a compromise that affected a government agency in the Keystone State. I wrote:

In 2010, remaining mum, or too close to the vest, about incidents benefits nobody. Every organization in the country is being probed on a daily basis. Vulnerabilities are going to be there. Hacks are going to happen. Data is going to be exposed. The criminals are going to be one step ahead. Let's move on from this prevailing wisdom that any one organization is immune from attack. 

But there's been little to no advancement on this front, at least from what I've seen and heard. If anything, we've taken steps backward.

Case in point: Harvard University. The college announced this week, in a brief statement, that its website was defaced by "sophisticated" attackers. Then it went into defense mode by, in essence, saying there was nothing it could do to stop the adversaries.

"Recent months have seen a rise in frequency and sophistication of these attacks, with hacking groups increasingly on the offensive and targeting news media, government and education websites," a Harvard statement said.

A university spokesman declined to offer details as to what made the attack or attackers sophisticated.

I can't claim to know the specifics, but I don't normally associate "sophisticated" with a site defacement, do you? (To put this incident into some context, it doesn't appear as if any data was stolen, and who wastes a zero-day vulnerability to scrawl some threats on Harvard's home page?)

Since when did a defacement become an advanced persistent threat (APT)? Not that an APT is even an APT most of the time.

I have to believe that Harvard, instead of accepting blame for lacking security measures that should have prevented such a seemingly simple attack, leaned on recent headlines to save face. 

Harvard's decision to basically say, "There was nothing we could do. Sorry. Maybe next time," is not a particularly shortsighted PR move. After all, most people wouldn't know the difference between the skill level required to perform a defacement versus that needed to create the real deal.

But this PR tactic certainly has lasting ramifications for the security of the internet. Not only did Harvard not release any specifics about the attack – the bad guys share information, why can't we? – but it also attempted to exonerate itself by citing "sophistication."

Nothing will ever improve if organizations keep doing this every time they are breached. Security will continue to suffer, and lawmakers, who are just as susceptible to accepting myths of unstoppable attacks as any non-IT savvy citizen is, may overreact, changing the internet as we know it.

Ultimately, though, I think I'd be satisfied if a CISO who experiences a breach came forward and simply said: "We messed up. We'll do better next time."

Apologies can go a long way, you know.

 

DigiNotar collapse underscores impact of a breach

September 20, 2011

Each winter, when the Ponemon Institute releases its annual "Cost of a Data Breach" study, we are reminded of the financial and reputational damage that a data-leakage incident can deal a victim brand.

This year's study found that breaches cost organizations $7.2 million on average in 2010. Business-related costs, such as customer loss and decreases in employee productivity, account for the largest proportion of total breach expenses. Other cost areas result from detection or discovery of the breach, notification and response activities to help victims.

Yet despite this, many of the companies that have experienced massive breaches in recent years (think: TJX, Heartland Payment Systems, Epsilon, and Sony) all seem none the worse for wear. Sure, stock prices may have taken a brief hit, or losses may have piled up due to certain factors, like paying for identity protection for customers. But by and large, big-name organizations that have had, in some cases, tens of millions of credit card numbers compromised have stuck around and even flourished. This video on The CMO Site, while short on statistics outside of a couple of anecdotes, makes a relatively compelling argument that breaches cause no lasting damage to brands.

Perhaps credit is due to the sheer size of these companies, which are financially healthy enough to overcome breach-related fees or a percentage loss of their customer base (Ponemon has pointed out that post-breach churn rates hover near 4 percent). Or maybe customers have become increasingly desensitized to hacks. They receive so many notification letters in the mail, how can they possibly take their business elsewhere, when, chances are, the alternative will be compromised too at some point?

Are breaches simply a part of doing business?

Not so fast. Just when you thought a brand would bend, but not break, in the wake of a breach, look no further than DigiNotar, the Dutch-based certificate authority that went bust a mere three weeks after admitting that its systems were infiltrated to issue counterfeit SSL credentials.

Of course, DigiNotar is different than, say, a traditional retailer. Not to mention it is in the business of security. But a company is a company. And the minute people stop trusting you – quite literally in DigiNotar's case – doom is on the horizon.

So let this case be a wake-up call that information security must be valued as a business-enabler. And if it's forgotten about, it could be a business-ender.

 

Black Hat 2011 notebook

August 04, 2011

  • Conspiracy theories are running rampant after Riley Hassell and Shane Macaulay, two researchers with Privateer Labs, didn't show up for their planned (and highly anticipated) 10 a.m. Thursday talk at Black Hat: "Hacking Androids for Profit."

The presentation promised to reveal "new threats to Android apps and discuss known and unknown weaknesses in the Android OS and Android Market," according to the Black Hat program guide. Audience members sat and waited for several minutes, as the person scheduled to introduce the researchers asked if anyone knew a way to contact them.

While some speculated that the pair may have had too much to drink the night before – Black Hat is known for its rowdy parties – a spokeswoman for the conference wasn't letting on. Nico Sell did say the pulled presentation was not related to any legal threat, as has been the case before.

"It happens," she said of the talks when the speakers simply fail to show. "DEFCON (Black Hat's sister show), more."

  • The security industry's version of the Oscars, the offbeat Pwnie Awards, were announced Tuesday night.

Awards were handed out in categories ranging from "Best Client-Side Bug" to "Most Innovative Research" to "Lifetime Achievement."

But the evening climaxed with announcements of the winners of "Lamest Vendor Response" (RSA after its SecurID breach), "Epic 0wnage" (Stuxnet) and "Most Epic FAIL" (Sony).

Sony received all five of the nominations in the "Most Epic" category. Lulz.

Find the list of winners here.

  • Black Hat representatives expected more than 6,000 people at the 15th annual installment, which would be up from last year, though official tallies were not available. 

Introducing the show on Wednesday morning, conference founder Jeff Moss said this year's attendee pool covered a swath of nations around the world, with the United States, Canada, the U.K. and Sweden leading the pack.

Moss said he wants audience members to take what they learn from the presentations to highlight the need for business leaders to more closely collaborate with security teams at their organizations, especially as we live in a new era where compromise should be assumed.

"But if you only call us after the house is on fire, you have very few options," he said.

Moss underscored the need for events like Black Hat, one of the rare forums for the good guys to openly discuss the reality of the modern-day threat landscape.

"They're one of the very few people who are talking about what's going on," Moss said, adding that vendors often have limited insight into the motives of the attackers.

  • With Black Hat winding down, attention now turns to the less formal, even more unpredictable, DEFCON event, held for the first time this year at the Rio hotel.

SCMagazineUS.com reported on Monday that the National Security Agency will be on hand to recruit hackers at the $150-cash-only event.

But there's at least one person who argues that attendees should stay far away from the men in suits.

DEFCON is known for allowing attendees to remain anonymous at the show. Registration doesn't even ask for a name.

So it's no surprise that two of the security industry's most nameless (and bitter rivals) are supposedly on hand

 

Taking advantage of SC Magazine's good name

July 25, 2011

We've known for some time that one of the key tools in the cybercriminals' arsenal is social engineering, namely the ability to make their scams look legitimate by capitalizing on the trust users have in well-known brands.

It's known as "brandjacking," and it's been happening for years in phishing attacks, where high-profile companies like Bank of America and PayPal are routinely used as bait to either siphon personal information from unsuspecting individuals or to drive them to malware-serving websites.

We've also seen it in rogue anti-virus campaigns, where criminals leverage reputable brands, such as Microsoft, in order to trick users into paying for and installing a fake product that does nothing more than make you $49.95 poorer.

They say imitation is the highest form of flattery. So, in that regard, these companies whose brands are hijacked should give themselves a pat on the back for being an established and dependable name. But they also should be concerned, as being associated with any criminal undertaking can have a negative impact on one's reputation.

And that is exactly the boat SC Magazine finds itself in right now. Thanks to the always-shrewd detective work of Gary Warner, director of research in computer forensics at the University of Alabama at Birmingham, we've learned that our well-respected brand is being used as part of a new, largely undetectable rogue AV scam. (Scroll down for the image).

Apparently, the crooks are trying to peddle their fake anti-virus program with the added "selling point" that it was a 2011 SC Magazine Awards finalist. Such a claim is, of course, patently untrue, and it's nothing more than a ploy to increase the hoax's legitimacy.

But it's still a bit unnerving.

"We knew IT buyers around the world look at SC Awards as barometers of the best in today's security, but we were a little surprised to find the bad guys using it to try to trick people," said Illena Armstrong, SC Magazine's editor-in-chief.

But the reality is, hackers will stop at nothing to spread their wares, as we've seen with recent Facebook cons taking advantage of such tragic events as the Oslo terrorist attacks.

The best lesson is to "think before you click," as this particular rogue AV scam was kicked off when users clicked a malicious attachment claiming to come from MasterCard.

Our job at SC Magazine has always been to provide you with the facts.

So, with that in mind, here is a list of the *real* SC Magazine Awards 2011 U.S. finalists. And (shameless plug), if you wish to get information on the 2012 installment and submit your entry, please visit here.

Stay safe out there.

-Dan Kaplan, executive editor

 

The legacy of LulzSec

June 20, 2011

As if 2011 hasn't been interesting enough, given the sheer number of data breaches (CNET has posted a nifty chart), the next several days promise to yield even more stolen records, at least according to the latest dispatch from the hacker group LulzSec.

The collective, which has been all the talk of the security industry over the past several weeks since it launched its attack on PBS, announced later Sunday that it is hooking up with the Anonymous group, best known for its attacks on HBGary Federal, to launch "Operation Anti-Security."

The mission is to expose government and corporate corruption by way of stealing and leaking classified data.

"Together, we can defend ourselves so that our privacy is not overrun by profiteering gluttons," Lulz Security wrote. "Your hat can be white, gray or black. Your skin or race are not important. If you're aware of the corruption, expose it now, in the name of Anti-Security."

The call to arms is a testament to how unpredictable LulzSec has been. Just a few days ago, it was leaking the usernames and passwords of subscribers to pornographic sites, was asking its followers on Twitter to call a phone number to suggest a candidate to DDoS, and was using its call center to flood the World of Warcraft support line. All for, as the group said, the lulz.

The fact that LulzSec is allying with the more established Anonymous gang, and asking for any outsiders to join in for a more principled cause, could be an indication that the group is losing some steam – especially in light of a series of alleged outings last week and over the weekend.

No matter their identities, and even if every member of LulzSec were apprehended by authorities tomorrow, one can't deny that they have changed the landscape. Members have infiltrated a number of high-profile websites, including those of Sony, the CIA and the U.S. Senate, with apparent stunning ease.

The question on some people's minds is: What impact do these "hacktivist" groups have on infosec as a whole?

There are two scenarios that may play out, as I see it.

1) Anonymous, LulzSec and whichever groups follow -- and we know there will be others -- significantly help to secure cyberspace, by catapulting data breaches into the mainstream and forcing all organizations to assess their security stance.

Tales of LulzSec conquests have escaped the traditional trade press ceiling and have found their way into the mainstream media with regularity. Surely, the budget decision-makers at various firms have seen the headlines and are well aware that they could be next.

Of course, containing these hackers is not easy. While the infiltrators, for the most part, appear to be using relatively simple means of gaining access (i.e., no customized malware), organizations are struggling to respond.

Ideally, what would result is a new way of thinking about cyber defense.

Jeffrey Carr, founder and CEO of Taia Capital, which specializes in cybersecurity countermeasures for corporate executives and government officials, wrote an interesting blog post Sunday where he challenged organizations to think like an attacker. Among his suggestions:

• Uncertainty and randomness favor the adversary, therefore defenders must implement components of randomness and uncertainty as part of a network defense strategy.
• Since it isn't possible to anticipate every type of attack, the defender must become a competitor to the adversary and continually attack his own system "in the hopes of finding heretofore undiscovered attacks" before the adversary does.

2). The second scenario that might play out is the government overreacting to the actions of LulzSec and, as a result, lawmakers enacting stiff legislation that considerably limits the openness and freedom of the internet. Such a prospect was warned about in a paper written earlier this year by researchers at George Mason University.

Two other academics, Ronald Deibert and Rafal Rohozinski of the Munk School of Global Affairs at the University of Toronto, also addressed this possibility during a video I shot with them last week at SC Congress Canada. (We start talking about it at approximately the 3:45 mark.)

LulzSec is certainly baiting the government to go this route, with its CIA and Senate infiltrations, and the latest rallying cry. And we might already be seeing the first signs of this overreaction.

**

I should also mention that the possibility exists that LulzSec is not who we think they are, but are instead, say, a government-hired band of digital assassins. Hey, the conspiracy theories are out there. And at the rate this year is going, nothing would surprise me.

In a perfect world, the legacy of 2011 and LulzSec will be that the web remained open and free, governments and corporations were held accountable when they did wrong, all organizations recognized that resilient security (and a proper response in light of a breach) is merely table stakes for doing business, and hackers who victimized the innocent were brought to justice.

A guy can dream, right?


The security industry needs fewer touchdowns, more interceptions

April 14, 2011

There's an old adage in sports that defense wins championships.

When I hear this phrase, I often think back to the 2001 Super Bowl. From what I can remember of that night -- I was a senior at Syracuse University at the time, and the $1.50 Labatt Blues were definitely flowing, so cut me some slack if I'm a little fuzzy on the details -- I'm fairly certain the relentless D of the Baltimore Ravens made mincemeat of the New York Giants.

It was a fairly boring game, and the Ravens were a fairly boring team all season long, but because they bent, yet rarely broke, while in defense of their end zone, they were the ones hoisting the Lombardi Trophy, not the hometown Boys in Blue.

I reference this memory not to reveal how drunk I was for Super Bowl XXV -- or how cheap the drinks were -- but because I think the outcome of the game applies to the information security industry, now more than ever before.

We've seen at least four major security companies -- HBGary, RSA, Comodo and Barracuda Networks -- fall to attack this year. And, outside of our industry, experts concede that most, if not all, of the Fortune 100 likely have lost intellectual property to hackers.

Are we now ready to accept that some of today's malware is too sophisticated to detect, and vulnerable entryways within organizations are too prevalent to completely plug?

It's inevitable. The bad guys are going to get in. Actually, never mind, they are here already. Might as well offer them a Labatt Blue because, like it or not, they are crashing the party. They've got their varsity jacket on, and they're eyeing the person you're interested in.

So what is there to do?

I've written before about the bane of compliance and its negative effect on the advancement of innovative security solutions. But I think the problem runs deeper than that. And a partial blame may lie with the culture we've created.

Thanks to heavily attended and widely publicized events, such as Black Hat, we have come to think of security researchers like rock stars – bestowing seemingly unending praise on them each time they discover a gaping vulnerability that can lead to devastating attacks.

That is in no way to cast aspersions on white-hat researchers. No doubt, their discoveries have led to more awareness about the weaknesses of the systems, platforms and underlying infrastructure on which we rely every day. And they expend countless hours doing the work they do.

But the problem is that there appears to be a gaping imbalance between offensive and defensive research that needs closing. This has never seemed more evident than right now.

Marc Maiffret, the CTO of eEye Digital Security, raised this concern to me in a recent conversation. Maiffret knows a thing or two about being on the offensive side – he discovered many of the earliest Microsoft vulnerabilities back when he was barely old enough to drive – but over the years he has had an awakening, of sorts.

He said he grew tired of it. "I kind of got sick of it in a way, it got repetitive and I don't know if it's helping people," Maiffret told me.

The information security industry of today is much like the military industry, he said, where "it's all about who is creating the better and coolest missile." (Think HBGary Federal.) Many of our industry's smartest minds are looking for the next way to break into a computer and not using their "talent and brainpower" to learn "how do we actually stop these things?" he said.

But we don't have to take this lying down. The security industry can – no, must – do a better job of creating defensive remedies that will limit the scope of the damage that "advanced persistent threats (APT)" cause and make the efforts of adversaries far more challenging than they would like.

Maybe that means security vendors providing more information about how exactly their products work, or maybe victim end-users need to do a better job of communicating what methods they used to repel an APT, or maybe that means solution creators need to drop group-think and ideate outside the box to create more innovative stuff.

Or perhaps that means making defense more glamorous and sexy.

Vegas, anyone?

"I've always wanted to do [a conference] that is the complete opposite of what you see with Black Hat," Maiffret told me.

Ray Lewis would probably agree. Let's just not go shooting anyone after.
