Before everyone gets entirely too excited about the FBI "chopping the head off of LulzSec" - can I add a pinch of commentary?
My friend Bill Brenner of CSO Magazine has the typically insightful headline "It's all fun and games until someone LulzSec's an eye" while FOX News has this headline splashed across the front page "EXCLUSIVE: Infamous international hacking group LulzSec brought down by own leader" - both of which make me wonder how many corporate security executives are reading those headlines thinking to themselves "whew! we can go back to not worrying about security again."
That last part is what I'm genuinely worried about.
Over the last year or so we've been inundated with progressively worsening headlines about LulzSec and Anonymous and their exploits to perform the hacker equivalent of "slash and burn," and I could visually see corporate security executives panic.
I watched them talk about it on panels, write about it on Twitter, and get quoted in various trade publications about how they needed to step up their security game to keep up with the rising cyber threats.
Now, if you read just the headlines, the threat is going away right? Of course not! Look, hacking and hacktivism isn't going to go away. This phenomena is like a classic hydra where if you "chop off the head" two more spring up in its place, and the threat continues.
What does the (reported) "capture of the LulzSec hacking team leadership" mean to the Internet? It means there will be a frenzy of jokes, outrage and sensationalism around this hacking group again. What does this (reported) capture mean to you in corporate security? Not a ---- thing.
Hacking, hacktivism and all things security threat related will not be going away no matter who is arrested, how many hackers are caught, or what the headlines read. This is the nature of threat, and for better or worse, the human condition. There will always be more, new, bad people.
I hope I'm not telling you anything you don't already know, but just in case I am, please heed this warning. Do not let your executives get lulled (or lulzed?) into a false sense of security just because there were positive headlines for a change. Continue to focus on smart risk assessment and remediation strategy.
Here are the Rabbit's 3 quick tips for avoiding hacker-capture-hysteria at the office:
- Don't allow your security strategy to be driven from headlines - this means that you can't use the headlines for the typical "oh no, hackers will get us, we need more money" silliness.
- Focus on your business, not others' actions - since no matter what you do you can't control others' behavior, focus on the things in your immediate purview - your business and the risk it takes on.
- Bigger hype does not mean bigger risk - just understand that.
Good luck out there, and while we take a moment to chuckle at the inevitable remember that this really doesn't change your day job of defending your organization.
- FBI statement on the arrests: http://www.fbi.gov/newyork/press-releases/2012/six-hackers-in-the-united-states-and-abroad-charged-f...
Cross-posted from Following the White Rabbit