What Business Needs to Learn From the Gawker and WikiLeak Attacks [Updated]

It's already been quite a week for cyberwarfare, and it's only Monday. Unknown people hacked into Gawker Media and claimed to have retrieved 273,789 user passwords, all because CEO Nick Denton issued a challenge to hackers to "bring it on."

In isolation, it would be a simple embarrassment for Gawker. Combine that story, however, with the unrelated attacks by hacker activists in support of WikiLeaks (Amazon's (AMZN) European site went down, though the company blamed a hardware problem rather than hackers) and you begin to see a pattern of what life on the Internet has become for businesses. Companies have been slack, not only in protecting their computer systems, but in fundamental information security as well.

Ignore the back door

Mediaite had an email exchange with Gnosis, someone who claimed to be involved with the Gawker incident. Apparently, the company's protection was inadequate for ordinary probes, let alone a concerted effort by a group that felt it had been challenged:
We have had access to all of their emails for a long time as well as most of their infrastructure powering the site. Gawkmedia has possibly the worst security I have ever seen. It is scary how poor it is. Their servers run horribly outdated kernel versions, their site is filled with numerous exploitable code and their database is publicly accessible.
For those in management who don't understand the technical issues, Gnosis has essentially said that Gawker was unbelievably lazy: it let known security weaknesses remain on its systems, left its database reachable from the outside, and did not even install the updates that would have made a breach far more difficult.

Computers don't cure indifference

But securing computers and software is only one step, and that assumes organizations have taken the much more basic step of treating information as valuable. Often enough, they don't.

Just look at the federal government, which has been frothing at the mouth over WikiLeaks and its possession of about 250,000 classified diplomatic cables, a number of which have led to embarrassing revelations about government and corporate international activities. (And don't forget that WikiLeaks is rumored to have internal data about a large corporation and that former WikiLeaks personnel are starting a rival organization, OpenLeaks, to spill yet more private information in public.)

All the lashing anger and blame, however, would be better turned inward, toward those who didn't find security important enough to implement and check, as David Scott, author of the book IT Wars: Managing the Business-Technology Weave in the New Millennium, notes. Who gets to download that much classified material without anyone knowing?

No one who isn't supposed to know, knows the formula for Coca-Cola. Or Pepsi-- but the State Department can't even cough up a flag when a Private First Class downloads over 250,000 classified documents. You know, something like,
We're sorry. In order to guard against data breaching, you are limited to access of 100,000 classified documents in a 24-hour period. Please try again tomorrow.
I'm being a little facetious -- but this whole situation begs credulity.
Forget government for a moment. Scott is correct in saying that no unauthorized person has the formula for Coca-Cola or Pepsi. (At least, we assume not.) But that is the rare, isolated trade secret. Much of what corporations do is spill all manner of confidential information without even realizing they are doing it. We're not even talking about inadequate security that results in the exposure of tens of thousands of social security numbers because some outsider managed to break into a corporate data system.

Are you leaking your own data?

No, the types of information spills to which I refer happen because companies are sloppy. For example, nearly 10 percent of corporate laptops are lost or stolen during their three-year lifetimes, according to the Ponemon Institute in an Intel-funded study. The average cost of each device, because of the value of the data on them, was $49,000.
"We do a lot of research, and we see a lot of organizations are incompetent in protecting information assets," said [institute chairman Larry] Ponemon, speaking during a press briefing. "And laptop computers and small data-bearing devices are always at risk."
One step Intel (INTC) takes is to allow employees to put their personal data on laptops, because then they tend to be more careful. And, according to a study of UK IT managers by security vendor Check Point, only 40 percent encrypted their laptops. Being from different samples, the numbers aren't directly comparable, but they give you a pretty good idea of what might be going on.

Want an example of how sloppy companies are? Try searching for the phrase "confidential, for internal use only" on the web. In fact, it's such a classic mistake that Hulu put together a humorous marketing video in the style of its aliens-want-to-eat-your-brains Alec Baldwin ad campaign.

Confidential data on the open Web

Other examples are far less amusing. Here are some of the more than 32,000 results that show up when you restrict the search to PDF documents that contain the year 2010:
For most people, the information may seem unimportant. But for a customer interested in an effective negotiation strategy or a competitor looking for insight into a rival's strategy, such scraps are valuable.
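The same search that turns up other companies' documents can be run against your own public files before they go live. The following is an added example, not code from the article or from any of the companies it names: a Python scanner that walks a web root, looks for common confidentiality markings in plain-text and HTML files, and reports file, line and the exact phrase found. The marker phrases and the throw-away sample web root it builds are assumptions for the demonstration; it reads text formats only, so PDFs and office documents would first need text extraction (for example with pdftotext), which is left out here and reported as skipped.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Assumed marker phrases (case-insensitive). Extend this list to match the
# labels your own classification scheme actually stamps on documents.
MARKER_PATTERNS = [
    r"confidential[,:]?\s+for\s+internal\s+use\s+only",
    r"company\s+confidential",
    r"internal\s+use\s+only",
    r"do\s+not\s+distribute",
]
MARKER_RE = re.compile("|".join(f"(?:{p})" for p in MARKER_PATTERNS), re.IGNORECASE)

# Only these are read as text; anything else is reported as skipped so the
# operator knows it was not checked rather than assuming it was clean.
TEXT_SUFFIXES = {".txt", ".html", ".htm", ".md", ".csv"}


def scan_file(path):
    """Return [(line number, matched phrase), ...] for every marker in a text file."""
    hits = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            for m in MARKER_RE.finditer(line):
                hits.append((lineno, m.group(0)))
    return hits


def scan_tree(root):
    """Walk `root` and return (findings, skipped).

    findings: {relative posix path: hits} for files that contain any marker.
    skipped:  relative posix paths of files whose type this scanner cannot read.
    """
    root = Path(root)
    findings, skipped = {}, []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.suffix.lower() not in TEXT_SUFFIXES:
            skipped.append(rel)
            continue
        hits = scan_file(path)
        if hits:
            findings[rel] = hits
    return findings, skipped


def build_sample_webroot():
    """Create a constructed, throw-away web root for the demonstration:
    one clean press page, one slide deck that still carries its marking,
    and one binary the scanner cannot read."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "press").mkdir()
    (root / "press" / "release.html").write_text(
        "<h1>Q3 results</h1><p>Public statement, cleared for release.</p>\n"
    )
    (root / "decks").mkdir()
    (root / "decks" / "pricing-strategy.txt").write_text(
        "Pricing strategy 2010\n"
        "Slide 1: discount floors by region\n"
        "Company Confidential - for internal use only\n"
    )
    (root / "decks" / "old.pdf").write_bytes(b"%PDF-1.4 constructed placeholder, not a real PDF\n")
    return root


if __name__ == "__main__":
    root = build_sample_webroot()
    try:
        findings, skipped = scan_tree(root)
        for rel, hits in findings.items():
            for lineno, phrase in hits:
                print(f"{rel}:{lineno}: marked '{phrase}'")
        for rel in skipped:
            print(f"{rel}: skipped (needs text extraction first)")
    finally:
        shutil.rmtree(root)
```

Run it against the staging copy of a site as a pre-publish gate rather than against the live site; by the time a search engine has indexed the document, the scrap is already in a competitor's hands. Reporting skipped files is deliberate: a scanner that silently ignores PDFs would have passed every one of the documents the search above turned up.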

[Update: The author of the SAS document emailed me to complain that I was lazy because I didn't use his contact information at the end of the document to check whether the presentation was actually confidential: "The only reason I can think of for you to consider this confidential is that the slide template itself says 'company confidential': we don't actually have a differentiation between internal/external slide decks, so all of them are embedded with that tagline." There are a number of obvious problems in this statement. If everything is marked confidential and a company admits it, then when really confidential information comes out marked as such, it gives anyone a clear defense in using it: "Your honor, how was I to know that this was confidential confidential information and not public confidential?" When everything is similarly marked, it also becomes far easier to slip up and post what actually should be confidential. Even if this one document isn't confidential (although it's on the web and marked as such), it is clear evidence of a big information security problem at the strategic level in a company -- in this case, SAS.]

There are many examples of companies being sloppy:

  • Executives brag to the press about some activity to promote their own careers, but fail to check if the business might suffer as a result.
  • According to some expert sources, there have been times that companies have set up dummy conferences just to invite as speakers technical or marketing staff from their competitors, who are almost guaranteed to spill something of interest.
  • Some companies will post enough information on their web sites to give competitors a rough idea of their organizational structure and even the names of key employees who might be ripe for poaching.
  • Public firms unnecessarily post enough details of their operations to let outsiders get a fix on revenue breakout, strategic weaknesses and strengths, detailed market breakouts, and other critical information.

The strategy you need

This type of exercise can go on and on. Instead, let's cut short that list and look at a different one: basic steps that smart executives will take in their business units and companies:
  1. Develop an information policy, working with those who understand competitive intelligence and information protection, so that all security, releases of data, public relations, and other activity stems from a coherent strategy.
  2. Develop a visceral understanding of how valuable information actually is. Stop making the excuse that a few million dollars -- or even tens of millions -- is immaterial to a company whose revenue runs to the tens of billions. (And, yes, there are executives who make this argument.) A loss of the wrong information can badly damage or break a company.
  3. Have outside security professionals audit your current computer security. Be sure that the firm has advanced capabilities and does not also sell you the security products or services it would be judging, so that its findings are independent. Let the experts you are paying see how far they can get in before your competitors do. And don't forget to test physical security. Someone posing as a pizza delivery person can often get a surprising degree of access and can generally walk out unchallenged, no matter what is now inside that delivery case.
  4. Train your people on a regular basis to pay attention to security and build the concept into business procedures.
It's not glamorous or fun, but information security is a must in today's world, because you never know when someone will target you.

Image: Flickr user CarbonNYC, CC 2.0.