Don't get lulzed - 3 tips for avoiding headline hysteria

Before everyone gets entirely too excited about the FBI "chopping the head off of LulzSec" - can I add a pinch of commentary?

My friend Bill Brenner of CSO Magazine has the typically insightful headline "It's all fun and games until someone LulzSec's an eye" while FOX News has this headline splashed across the front page "EXCLUSIVE: Infamous international hacking group LulzSec brought down by own leader" - both of which make me wonder how many corporate security executives are reading those headlines thinking to themselves "whew! we can go back to not worrying about security again."

That last part is what I'm genuinely worried about.

Over the last year or so we've been inundated with progressively worsening headlines about LulzSec and Anonymous and their exploits, the hacker equivalent of "slash and burn," and I could see corporate security executives panicking.  I watched them talk about it on panels, write about it on Twitter, and get quoted in various trade publications about how they needed to step up their security game to keep up with the rising cyber threats.

Now, if you read just the headlines, the threat is going away, right?

Of course not!

Look, hacking and hacktivism aren't going to go away.  This phenomenon is like a classic hydra: if you "chop off the head," two more spring up in its place, and the threat continues.  What does the (reported) capture of the LulzSec hacking team leadership mean to the Internet?  It means there will be a frenzy of jokes, outrage and sensationalism around this hacking group again.  What does this (reported) capture mean to you in corporate security?  Not a ---- thing.

Hacking, hacktivism and all things security threat related will not be going away no matter who is arrested, how many hackers are caught, or what the headlines read.  This is the nature of the threat, and for better or worse, the human condition.  There will always be more, new, bad people.

I hope I'm not telling you anything you don't already know, but just in case I am, please heed this warning.  Do not let your executives get lulled (or lulzed?) into a false sense of security just because there were positive headlines for a change.  Continue to focus on smart risk assessment and remediation strategy.

Here are the rabbit's 3 quick tips for avoiding hacker-capture-hysteria at the office:

  1. Don't allow your security strategy to be driven from headlines - this means that you can't use the headlines for the typical "oh no, hackers will get us, we need more money" silliness
  2. Focus on your business, not others' actions - since no matter what you do you can't control others' behavior, focus on the things in your immediate purview - your business and the risk it takes on
  3. Bigger hype does not mean bigger risk - just understand that.

Good luck out there, and while we take a moment to chuckle at the inevitable, remember that this really doesn't change your day job of defending your organization.

Comments
fak3r(anon) | 03-06-2012 10:38 AM

Great post, especially "Don't allow your security strategy to be driven from headlines". I'd add to that, "Realize you're still not secure", and keep learning/improving/sharing with the community.

SecureTom(anon) | 03-06-2012 11:27 AM

Wh1t3Rabbit,

Nice post, but I disagree with the following:

"What does this (reported) capture mean to you in corporate security?  Not a ---- thing."

As the proverb says, "Better the Devil you know than the Devil you don't". If LulzSec has been taken down, not only will another group pop up like the Hydra you referenced, but security professionals will also have to be on the lookout for a new modus operandi from whatever the new group is and whatever their desired targets are.

dash1b(anon) | 03-06-2012 01:56 PM

The old saying fits... LulzSec's dead... long live LulzSec.  Great points WR! "There will always be more, new, bad people..."

LonerVamp(anon) | 03-07-2012 03:28 PM

Another way to look at this, as I actually tweeted in part: "I was hacked by a nobody, social outcast, misfit."

This wasn't some monolithic super hacker or even super hacker group. It wasn't what you traditionally label as "APT." It's, roughly speaking, a bunch of kids (young people) screwing around and screwing with companies. They have an interest in hacking and some grey-shaded moral compasses.

This headline should be *sobering* and not a cause for celebration.

The opinions expressed above are the personal opinions of the authors, not of HP.