Sorry for the silly post title, but this situation is getting to be at least a little ridiculous. This morning I read an article entitled “Hackers Breach Tech Systems of Multinational Oil Companies” from the New York Times. I know it makes for exciting headlines to announce that some super-important network got hacked, but is it really news anymore? After all, the breaking news isn’t really the hack at all – it’s the fact that someone finally noticed and decided to report it. The actual break-in probably took place weeks/months/years ago.
At this point in the evolution of information systems, given the current state of information security, we should all just accept the fact that every organization which has any data of value has probably already been compromised multiple times. This includes corporations, non-profits, and governments. I suppose the value of having this stuff in the news is that it brings security into the consciousness of the general public for a few minutes. But maybe they should start adding “As expected,” to the beginning of all such articles, rather than pretending to be surprised.
From a technical standpoint, I think more organizations need to start treating their internal networks as hostile environments. I know I’m not the first person to suggest this idea, and it’s the basic idea behind mitigating the insider threat. The difference is that these principles now apply not only to governments protecting national secrets, but to every meaningful organization on the Internet. It’s been several years since any reasonable security professional could recommend that you focus on protecting the network perimeter, especially given how porous and interconnected most modern corporations are.
Think of it this way. A determined hacker will get into your network. At that point, he becomes a malicious insider, even if the attack was initiated from the outside. Your incident response plan and team are critical. We can no longer design information systems with a hard, crunchy exterior and a soft, gooey interior.
UPDATE: Another interesting perspective on this issue was posted by Marc Maiffret of eEye.