I usually don't cross-post from my Ashimmy.com blog to my Network World blog. But after what happened to security firm Bit9 today, I thought it was important enough to post this in both places. We should never forget that what happened here could happen to any of us.
“Two thousand years ago the proudest boast was civis Romanus sum ["I am a Roman citizen"]. Today, in the world of freedom, the proudest boast is "Ich bin ein Berliner!"... All free men, wherever they may live, are citizens of Berlin, and, therefore, as a free man, I take pride in the words "Ich bin ein Berliner!" ~ President John F. Kennedy, Berlin, June 1963
I, along with many of you, were horrified when we read Brian Krebs post today about security firm Bit9 being the victim of a hacking attack that distributed malware into their customers' networks, which was digitally signed by Bit9 themselves. Bit9 has confirmed this with a blog post of their own detailing what happened.
As you have probably read, it seems some of Bit9 assets were not protected with Bit9 software itself. They were compromised and allowed the perps to do their evil deed. As Jeremiah Grossman says in Brian’s article, obviously Bit9 was only the means to the end in this attack. By using Bit9 as a conduit into their customers, including some sensitive government networks and Fortune 100 companies, they were able to infiltrate, and we don’t know what the full results of that are yet. Nevertheless, this is probably every security company’s worst nightmare. When the security company becomes the risk, it is not a good thing.
Shortly thereafter, I started seeing posts on my Facebook timeline from friends in the security business putting up memes with things like “Why the F*^k is my security vendor sending me digitally signed malware”? But I am sure the Bit9 folks are asking themselves the same question. In fact, as my friend Don Macvittie said in a comment on one of those memes, it is a bad day to be over there.
How right Don is. It is a bad day to be at Bit9. I have friends who work there. My heart goes out to them. This is not the first time a security company has been hacked. It happened to RSA not too long ago and it has happened before that. Here is a news flash: it will happen again too.
In fact, it can and does happen to any one of us. We are all one step away. Part of being in the security profession is that we are high-profile targets for hackers to make a statement. I know this firsthand from when I was hacked years ago. It really can be anyone of us. There is no joy in security-ville about one of our own being subjected to this.
I am sure there will be salespeople at competitors of Bit9 who will try to move on the Bit9 customers by leading with this story. I say a pox upon them. Anyone who stoops to such tactics to make a sale are beneath the standards that should be acceptable in our industry.
The security industry has matured over the years. At least I hope so. At times like this we should close ranks as an industry. We should say as John F. Kennedy said back in 1963. On days like today we are all Bit9ers. That is the message that we should send as industry to the type of people who do this. We stand together and are more committed then ever to stopping these criminals from committing this kind of cybercrime. On this day, the security industry should stand and say “Ich bin ein Bit9er."
As co-founder and Managing Partner at The CISO Group, Alan Shimel is responsible for driving the vision and mission of the company. The CISO Group offers security consulting and PCI compliance management for the payment card industry. Prior to The CISO Group, Alan was the Chief Strategy Officer at StillSecure. Shimel was the public persona of StillSecure as it grew from start up to helping defend some of the largest and most sensitive networks in the world.
Shimel is an often-cited personality in the technology community and is a sought-after speaker at industry and government conferences and events. His commentary about the state of security, open source and life is followed closely by many industry insiders via his blog and podcast, "Ashimmy, After All These Years" (www.ashimmy.com). Alan is now also a regular contributor to The CISO Group’s security.exe blog and podcast. Follow him on Google.
Alan has helped build several successful technology companies by combining a strong business background with a deep knowledge of technology. His legal background, long experience in the field, and New York street smarts combine to form a unique personality.
Disclosure: The CISO Group sells a software-as-a-service PCI compliance application called SAQPro. The company is independent and does not represent any other vendor's products as a reseller.
Policy on comments: Respectful discussion is welcomed! However comments that use inappropriate language, consist of name calling or personal attacks, or include accusations of wrongdoing are not appropriate. Those comments will be deleted or edited.