Anyone who knows me knows I'm a big fan of MMA, and of the UFC in general. So when, over the weekend, the UFC website was 'hijacked' and attacked by a group calling itself the "Underground Nazi H4ck3rGr0up" (Google their site yourself, it's not really that hard) over the UFC's support of the SOPA/PIPA proposed anti-piracy legislation... the most interesting thing to me, anyway, was the response from Dana White, who is the president and owner. As of this writing, the UFC.com website is still hijacked... and pointing over to some search-jacker domain, so be careful: don't go poking at it from a machine you care about.
As per the usual, Dana White was on Twitter replying to people, among whom were clearly some of the folks who were attacking and hijacking his site... what's interesting is Dana's response. I'm referring specifically to this particular reply:
"@masontbell9 nice fake account. Hacking the site is not a big deal dummy. We are not in the website biz. Today was a great day!!! Pats!!!!"
Think about White's reply for a second... and how many of you have gotten this exact reply from your management. Dana's business is the UFC and the fights, and he clearly understands that. But what about the website? I think there are some subtleties here that are both misunderstood and, unfortunately, the reality of business. Let's analyze...
Websites aren't our business...
Look, Dana's right. His business is the organizing and promotion of the UFC fights. Secondary to that is the merchandising and the other aspects of the UFC, but that is probably a significantly smaller portion of overall company revenue. Now where does the UFC.com website figure into all this? Sure, it's the web home of the UFC, and people probably hit it a million times a day for information on upcoming fights, video clips and such... but at the core of the question is this: does the website make Dana White money? Judging by his response (NSFW) to the hack, the answer is probably "not enough for him to care a whole lot". This is interesting.
I can tell you that board rooms everywhere are filled with executives who don't make the company's profit on their corporate website, or websites, and who probably care very little about the security thereof. In spite of what the security professionals at their organizations say, they're more concerned with things they can understand and connect directly to the bottom line: profit and loss, etc. A corporate website just isn't that... important... because it's not the core business. Ask yourself what your management would say if your website got hacked like Dana's. I am willing to bet a good many of you reading this would get a response akin to "oh well".
It's important, as a security professional, to understand where that "oh well" reply comes from. At its core, it is the answer to the following question:
" Does this web site hack/attack cause the company a serious negative financial impact? "
If the answer is no, then you're not going to get much support for a security response or for additional precautions, and you need to make your peace with that. What you can still do is make sure the question is being answered honestly, which is where the next point comes in.
Missing a subtle point
As much as I sympathize with and understand Dana's response, I think he makes it without fully understanding the implications of the attack for the UFC. Undoubtedly the UFC will not lose its fans because the website is down... or will it? My source of UFC-related information is an occasional (weekly) visit to the website, and if it's down I have to find an alternative resource for information. Now, being a true fan, I know there are a multitude of other sites to get UFC information from... but the casual, or new prospective, fan may simply be turned off and away. This is a very real threat to the fight business from a hacked website. I'm not saying the sky is falling, nor should the response be disproportionate to the threat, but it shouldn't be ignored.
Your corporate website being DDoS'd, hijacked, defaced, or otherwise attacked is a reflection of your business. Much like if your retail store-front was smashed and graffiti'd up, it reflects negatively on your business. Putting up a website these days carries a responsibility, because the visitors to that website are seeking information from you, and if visiting it gets them infected with malware or redirected somewhere hostile, they will likely blame you, not the attacker. What's worse is that these types of events tend to carry a long memory with the public. Looking around at some of the other websites that have been 'wiped out' or DDoS attacked... this is a big deal.
Not all attacks are equal
Something to keep in mind too... while this attack seemed to be aimed at redirecting UFC.com traffic to some other site, to siphon off its visitors and embarrass the UFC, this is far from what we would normally consider an attack or hack of a site. In the cases most of us picture when we hear "hacked", the actual system gets infiltrated and critical data stolen. Would Dana's response change if UFC.com were an e-commerce site and all of his credit card records or customer information were stolen? Would that "it doesn't matter" still hold? Probably not, because at that point it would be real dollars at risk. One caveat, though: whoever controls where the name points controls what every visitor sees, so "nothing was stolen" is only true until the redirect target starts serving something worse than a search page.
There are subtle differences in how attacks are carried out and in what the targets are, including collateral damage, how long the attack can be sustained, and the public backlash or outcry. Some points to consider...
I don't know if my response would have been any different from Dana's, at least publicly. To be honest, you don't even want to give your attacker the notion that you acknowledge their effect on you and your business. You also have to balance your response with temperance, to avoid further provoking the attacker and escalating the situation any more. It's an ugly business, the public side of being publicly attacked...
I think the big take-away here is the "#SecBiz" lesson: businesses that do not rely upon their websites to sustain the business simply don't care that much about those websites... even if they get successfully attacked, and that's a fact of life. As security professionals it's our job to understand the impact of an attack on the business, and to respond with tempered, contextual understanding so we're not Chicken Little.
Reminds me of this http://xkcd.com/932/