Content

Transparency: Operation Aurora

Google and Adobe garnered praise from many information security professionals recently after admitting their systems had been compromised.

Such transparency is commendable because it could prompt other companies to become more secure, said Patrik Runald, senior manager of security research at web security firm Websense. The fact that Google admitted it was a target, was a significant step, Runald said.

“If nothing else, I think it will help going forward because people will look at their own security and look at what they can do to protect themselves,” he said.

The attack, dubbed “Operation Aurora,” leveraged a previously unknown vulnerability in Internet Explorer to compromise systems at Google, Adobe and more than 30 other large companies. Google disclosed the hack in a Jan. 12 blog post. That same day, Adobe came forward and said it was one of the victimized companies.

“Transparency for our customers and partners was a key factor in Adobe's decision to go public with the information,” said Wiebke Lips, a spokesperson at Adobe. “This incident demonstrates the increased sophistication in today's malware design and attack strategies. It also serves as a reminder of the importance of multiple layers of security and the need to follow security best practices.”

Providing information about attacks can also help security vendors develop better products, said Chris Wysopal, CTO of application security firm Veracode.

“I'm all for as much transparency as possible,” Wysopal said. “When companies learn details and fix their own network, everyone else can benefit from that knowledge too.”

But public admission of attacks is rare, he said. Similar disclosures probably won't become more commonplace in the future because going public about such incidents could lead to a loss of trust from customers and business partners.

“There's a stigma that when you're attacked, you did something wrong,” Wysopal said. “In the physical world, if your store is broken into and burglarized, people don't keep that a secret. For some reason, it's different with cybersecurity.”

Victimized organizations could, however, contribte to the cybersecurity community by providing information anonymously through a third-party forensic company, he said.

“I hope we will see more disclosure from others going forward,” Runald added. “It will help in the big picture for sure.” – Angela Moscaritolo

Related

DevSecOps Scanning Challenges & Tips

There are many ways to do DevSecOps, and each organization — each security team, even — uses a different approach. Questions such as how many environments you have and the frequency of deployment of those environments are important in understanding how to integrate a security scanner into your DevSecOps machinery. The ultimate goal is speed […]

It Should Be ‘Cybersecurity Culture Month’

It’s Cybersecurity Awareness Month, but security awareness is about much more than just dedicating a month to a few activities. Security awareness is a journey, requiring motivation along the way. And culture. Especially culture.That’s the point Proofpoint Cybersecurity Evangelist Brian Reed drove home in a recent appearance on Business Security Weekly.“If your security awareness program […]

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.