Security failings that resulted in the hacking of HBGary Federal’s website in February 2011 were an "appalling mistake" and the company should hang its head in shame, Dr. Prescott Winter, CTO for Public Sector at ArcSight (an HP company), told CBR.
Earlier this year Anonymous targeted security firm HBGary Federal, which had been working with the FBI to reveal the identities of members of the hacktivist group. The company's homepage was defaced and 60,000 of its emails were taken and posted online.
The Twitter account of CEO Aaron Barr was also compromised and used to tweet a number of offensive messages, as well as his home address, social security number and mobile phone number.
According to KrebsOnSecurity and Sophos, the group managed to infiltrate a ‘non-important’ part of HBGary Federal’s website and then took advantage of passwords shared across systems to access more sensitive information.
Dr. Winter, who joined ArcSight a few months before its $1.5bn takeover by HP, told CBR that he thinks, "HBGary should be hanging their heads in shame because of some absolutely appalling mistakes in basic security technology evaluation, such as a content management server that had never really been checked for vulnerabilities, some incredibly boneheaded uses of passwords and some very questionable usage of hash and PKI technology to protect passwords and other authentication processes."
Worryingly, Dr. Winter also warned that most companies are at risk of an attack. "My view of this is pretty simple," he told CBR. "If you have any information in your enterprise which is of strategic interest to you, and therefore to your competitors in a commercial environment or your adversaries in a government sense, you have to expect an attack on that information."
"We have folks out there in the larger world who have discovered that it is very easy to break in and take what they want out through the back door. So any organisation that has strategic information needs to be prepared to protect it and the assets it is in," he added.
Speaking about the spate of recent cyber attacks on major businesses, Dr. Winter said he was not surprised at how bad security seems to be at some companies. "The more you talk to people the more you realise how unsurprising it is. There is a lot of work to do to begin to button these systems up a little bit tighter," he said.
"There are a lot of different parts to it," he added. "You have to understand what your major goals are in the enterprise. You have to understand where the information and information assets are that help you achieve those goals and put those in some kind of prioritised risk-based framework. Then you need sensors in place to see what’s going on."
ArcSight was acquired by computing giant HP in September 2010 for around $1.5bn.