VeriSign Hack Ominous for Corporate, Government Risk

NU Online News Service, Feb. 3, 3:44 p.m. EST

As details of the hacking of VeriSign unfold, questions are emerging, and government entities and corporations of all sizes are becoming more aware of their own vulnerabilities, according to a technology expert.

That VeriSign, seen as the Fort Knox of security for .com, .net and .gov web addresses, doesn’t seem to be aware of the extent of the hacking is a major concern.

The VeriSign attacks were revealed in a quarterly U.S. Securities and Exchange Commission filing in October, following new guidelines on reporting security breaches to investors. According to Reuters, which reviewed more than 2,000 documents that mentioned breach risks since the SEC guidance was published, VeriSign’s disclosure stood out.

“The main concern is that we all want to know that we’re dealing with—the websites that we think we’re dealing with,” explains Matthew Norris, global head of technology, media and telecommunications for Hiscox, located in London.

He tells NU Online News Service that “unfortunately, a hack like this could mean that people can pretend to be Amazon, say,” by erecting a spoof website.

Norris explains, “The most fascinating thing about this is that all the other certification authorities that got hacked, no one had really heard of. And [those companies] really didn’t have much money to spend on good security.”

On the other hand, he says, VeriSign was the most trusted party on the Internet, trusted by the U.S. government and huge organizations. “Their security is amazing,” he adds. “They are really well funded, their business is security, they’ve been around for ages and so if they’ve had a problem, it makes you think the old truth is true: It’s not so much what you do, it’s how determined the person is to cause your problem.”

Norris says there are two reasons the company might have been hacked: one is because the security of the company is so good that the hacker might have been driven to embarrass them. The other is that someone is trying to steal the information and misuse it.

“If that was true, and it’s unclear how far they got, then they must have really good resources, because normally the target is the path of least resistance—VeriSign is not the path of least resistance,” he observes. “This is not far off from Fort Knox, really.”

While the details are not yet clear, he says the second reason “seems very tempting, bearing in mind how many certification authorities have been targeted in the last year, to think that they were after the ability to issue their own certificates—to pretend to be Amazon.”

The most unnerving aspect, he says, is that the SEC’s disclosure system didn’t work. First of all, he says, it was disclosed too late, about a year after the hack. And secondly, the disclosure requirements do not give enough detail. “Even if it had been timely, everyone is scratching their head, there is just so little detail that has emerged.”

The broadest implication, Norris says, is “Even if you think your security is brilliant, it’s probably not as good as VeriSign, so the pressure to keep improving your security remains immense.”

He advises that organizations that need to send important content should encrypt the information. “Because even if you send encrypted data to someone who’s not the right person, they will struggle to make sense of the message.”

