Google and Adobe garnered praise from many information security professionals recently after admitting their systems had been compromised.
Such transparency is commendable because it could prompt other companies to become more secure, said Patrik Runald, senior manager of security research at web security firm Websense. The fact that Google admitted it was a target, was a significant step, Runald said.
“If nothing else, I think it will help going forward because people will look at their own security and look at what they can do to protect themselves,” he said.The attack, dubbed “Operation Aurora,” leveraged a previously unknown vulnerability in Internet Explorer to compromise systems at Google, Adobe and more than 30 other large companies. Google disclosed the hack in a Jan. 12 blog post. That same day, Adobe came forward and said it was one of the victimized companies.
“Transparency for our customers and partners was a key factor in Adobe's decision to go public with the information,” said Wiebke Lips, a spokesperson at Adobe. “This incident demonstrates the increased sophistication in today's malware design and attack strategies. It also serves as a reminder of the importance of multiple layers of security and the need to follow security best practices.”Providing information about attacks can also help security vendors develop better products, said Chris Wysopal, CTO of application security firm Veracode.
“I'm all for as much transparency as possible,” Wysopal said. “When companies learn details and fix their own network, everyone else can benefit from that knowledge too.”
But public admission of attacks is rare, he said. Similar disclosures probably won't become more commonplace in the future because going public about such incidents could lead to a loss of trust from customers and business partners.
“There's a stigma that when you're attacked, you did something wrong,” Wysopal said. “In the physical world, if your store is broken into and burglarized, people don't keep that a secret. For some reason, it's different with cybersecurity.”
Victimized organizations could, however, contribte to the cybersecurity community by providing information anonymously through a third-party forensic company, he said.“I hope we will see more disclosure from others going forward,” Runald added. “It will help in the big picture for sure.” – Angela Moscaritolo