VeriSign Hack Ominous for Corporate, Government Risk

NU Online News Service, Feb. 3, 3:44 p.m. EST

As details of the hacking of VeriSign unfold, questions emerge and government entities and corporations of all sizes are becoming more aware of their own vulnerabilities, according to a technology expert.

That VeriSign, seen as the Fort Knox of security for .com, .net and .gov web addresses, doesn’t seem to be aware of the extent of the hacking is a major concern.

The VeriSign attacks were revealed in a quarterly U.S. Securities and Exchange Commission filing in October, following new guidelines on reporting security breaches to investors. According to Reuters, which reviewed more than 2,000 documents that mentioned breach risks since the SEC guidance was published, VeriSign’s disclosure stood out.

 “The main concern is that we all want to know that we’re dealing with—the websites that we think we’re dealing with,” explains Matthew Norris, global head of technology, media and telecommunications for Hiscox, located inLondon.

He tells NU Online News Service that “unfortunately, a hack like this could mean that people can pretend to be Amazon, say,” by erecting a spoof website.

Norris explains, “The most fascinating thing about this is that all the other certification authorities that got hacked, no one had really heard of. And [those companies] really didn’t have much money to spend on good security.”

On the other hand, he says, VeriSign was the most trusted party on the Internet, trusted by the U.S. government and huge organizations. “Their security is amazing,” he adds. “They are really well funded, their business is security, they’ve been around for ages and so if they’ve had a problem, it makes you think the old truth is true: It’s not so much what you do, it’s how determined the person is to cause your problem.”

Norris says there are two reasons the company might have been hacked: one is because the security of the company is so good that the hacker might have been driven to embarrass them. The other is that someone is trying to steal the information and misuse it.

“If that was true, and it’s unclear how far they got, then they must have really good resources, because normally the target is the path of least resistance—VeriSign is not the path of least resistance,” he observes. “This is not far off from Fort Knox, really.”

While the details are not yet clear, he says the second reason “seems very tempting, bearing in mind how many certification authorities have been targeted in the last year, to think that they were after the ability to issue their own certificates—to pretend to be Amazon.”

The most unnerving aspect, he says, is that the SEC’s disclosure system didn’t work. First of all, he says, it was disclosed too late, about a year after the hack. And secondly, the disclosure requirements do not give enough detail. “Even if it had been timely, everyone is scratching their head, there is just so little detail that has emerged.”

The broadest implication, Norris says, is “Even if you think your security is brilliant, it’s probably not as good as VeriSign, so the pressure to keep improving your security remains immense.”

He advises that organizations that need to send important content should encrypt the information. “Because even if you send encrypted data to someone who’s not the right person, they will struggle to make sense of the message.”

Comments

Resource Center

View All »

Complimentary Case Study: Helping achieve your financial goals By:...

Find out how a Special Investigation Union used TLOxp to save the company money and...

Do Your Clients Hold The Right CDL License?

Learn about the various classes of CDL Licenses and the industries that are impacted by...

Integrated Content & Communications: A Key Business Issue For Insurers

Insurers are renewing their focus on top line growth, and many are learning that growth...

High Risk Insurance Coverage in the E&S Market

Experts discuss market conditions, trends and projected growth in a rapidly changing niche.

Top E-Signature Security Requirements

This white paper covers the most important security features to look for when evaluating e-signatures...

EPLI Programs Crafted Just For Your Clients

Bring us your restaurant clients, associations and other groups and we’ll help you win more...

Is It Time To Step Up And Own An Agency?

Download this eBook for insight on how to determine if owning an agency is right...

Claims - The Good The Bad And The Ugly

Fraudulent claims cost the industry and the public thousands of dollars in losses. This article...

Leveraging BI for Improved Claims Performance and Results

If claims organizations do not avail themselves of the latest business intelligence (BI) tools, they...

Top 10 Legal Requirements for E-Signatures in Insurance

Want to make sure you’ve covered all your bases when adopting e-signatures? Learn how to...

Risk Management Report eNewsletter

Identify problems involving emerging risks, reinsurance, and business interruption with help from Risk Management Report - FREE. Sign Up Now!

Advertisement. Closing in 15 seconds.