by Josh Arrington
This week’s IT security news coverage was shaped largely by the fallout from Nortel’s 10-year data breach, which some now cite as one of the primary factors in the company’s ultimate downfall, with some speculating that competitors were able to gain access to sensitive IP over the course of a decade. Here are several stories we think offer the best perspectives on the breach.
• History of a Decade-Long Hack: According to the Wall St. Journal, using seven passwords stolen from top Nortel executives, hackers penetrated Nortel’s computers, repeatedly downloading technical papers, R&D reports, business plans, employee emails and other documents. From our standpoint, this is another high-profile example of the need to better manage and control privileged access. With relative ease, it appears the hackers were able to use the passwords to access the network, then, once inside, elevate privileges in order to access sensitive data and information. From an industry standpoint, Nortel’s ‘inaction’ is inexcusable.
• Expect Defenses to Fail: So what can we learn from all this? Information Week published a piece that took a first crack at some answers, “8 Lessons From Nortel’s 10-Year Security Breach.” Some quick takeaways? Expect defenses to fail, conduct a thorough forensic analysis and expect greater accountability.
• An Empowering Cybersecurity Bill?: In other news, a bipartisan group of senators introduced long-awaited cybersecurity legislation that has been called “critical” in order to avoid our country suffering a “catastrophic attack.” According to CSO, this is a comprehensive bill that would encourage the sharing of information about threats and attacks between government and industry. Specifically, the Cybersecurity Act of 2012 would give the Department of Homeland Security power to regulate the kind of company security protections government deems necessary to protect critical infrastructure, such as power and phone companies, water and treatment plants, wireless providers and other companies, based on DHS risk assessments.
We’d like to hear your thoughts. What lessons do you think we can learn from Nortel? What are your hopes for outcomes from the Cybersecurity Act?