Quis Custodiet Ipsos Custodes? (Who Will Watch the Watchers?)
Reading the news that VeriSign, the company responsible for delivering people safely to more than half the world's websites, suffered a series of breaches back in 2010 comes as no surprise.
Why? Because I think that we have entered a new era of cybersecurity; one where the objective is not to protect against breaches - it's not that I think organizations shouldn't try, just that I think the majority of large organizations are no longer able to - but instead to detect them and mitigate the damage they do.
The fact that the breaches have only been made public because a Reuters journalist, Joseph Menn, found the company's disclosure in a quarterly US Securities and Exchange Commission [SEC] filing should worry anybody who has a .com, .net or .gov domain.
It proves that the new guidance from the SEC works - but the fact that the breach was not immediately disclosed means that critical data MAY have been compromised, without its owners realizing that the risk had increased significantly.
To their credit, it appears VeriSign acted quickly once it became aware - but reports indicate that staff waited a year before alerting senior management.
Perhaps the most worrying aspect of the story is that senior executives still don't know exactly what happened, and what data was stolen.
While it is likely that VeriSign has all of the right tools in place – end-point security tools, a traditional SIEM, a netflow analyzer, etc. – it appears unable to make sense of the data.
As a CISO, I once had to face my board to explain why my organization had been hit by the SQL Slammer worm back in 2003 (long before situational awareness tools were available); I can only presume that attempts to get answers were the reason for the 12 month delay.
VeriSign aside, the story raises a much more important question. It is one that I wrote about more than three years ago in a piece authored for Risk magazine entitled, ‘Quis custodiet ipsos custodes?’ (Who will watch the watchers?).
If we can’t trust the guardians of the data at the heart of our new network-dependent economy, who can we trust?
Answers on a postcard please… alternatively, you can add yours in the comments section below.
Cross posted from The Situational Room