Filed Under:Risk Management, Loss Control

VeriSign Hack Ominous for Corporate, Government Risk

NU Online News Service, Feb. 3, 3:44 p.m. EST

As details of the hacking of VeriSign unfold, questions emerge and government entities and corporations of all sizes are becoming more aware of their own vulnerabilities, according to a technology expert.

That VeriSign, seen as the Fort Knox of security for .com, .net and .gov web addresses, doesn’t seem to be aware of the extent of the hacking is a major concern.

The VeriSign attacks were revealed in a quarterly U.S. Securities and Exchange Commission filing in October, following new guidelines on reporting security breaches to investors. According to Reuters, which reviewed more than 2,000 documents that mentioned breach risks since the SEC guidance was published, VeriSign’s disclosure stood out.

 “The main concern is that we all want to know that we’re dealing with—the websites that we think we’re dealing with,” explains Matthew Norris, global head of technology, media and telecommunications for Hiscox, located inLondon.

He tells NU Online News Service that “unfortunately, a hack like this could mean that people can pretend to be Amazon, say,” by erecting a spoof website.

Norris explains, “The most fascinating thing about this is that all the other certification authorities that got hacked, no one had really heard of. And [those companies] really didn’t have much money to spend on good security.”

On the other hand, he says, VeriSign was the most trusted party on the Internet, trusted by the U.S. government and huge organizations. “Their security is amazing,” he adds. “They are really well funded, their business is security, they’ve been around for ages and so if they’ve had a problem, it makes you think the old truth is true: It’s not so much what you do, it’s how determined the person is to cause your problem.”

Norris says there are two reasons the company might have been hacked: one is because the security of the company is so good that the hacker might have been driven to embarrass them. The other is that someone is trying to steal the information and misuse it.

“If that was true, and it’s unclear how far they got, then they must have really good resources, because normally the target is the path of least resistance—VeriSign is not the path of least resistance,” he observes. “This is not far off from Fort Knox, really.”

While the details are not yet clear, he says the second reason “seems very tempting, bearing in mind how many certification authorities have been targeted in the last year, to think that they were after the ability to issue their own certificates—to pretend to be Amazon.”

The most unnerving aspect, he says, is that the SEC’s disclosure system didn’t work. First of all, he says, it was disclosed too late, about a year after the hack. And secondly, the disclosure requirements do not give enough detail. “Even if it had been timely, everyone is scratching their head, there is just so little detail that has emerged.”

The broadest implication, Norris says, is “Even if you think your security is brilliant, it’s probably not as good as VeriSign, so the pressure to keep improving your security remains immense.”

He advises that organizations that need to send important content should encrypt the information. “Because even if you send encrypted data to someone who’s not the right person, they will struggle to make sense of the message.”

Featured Video

Most Recent Videos

Video Library ››

Top Story

Identity theft takes the sparkle off of the holiday shopping season says new study

Cyber risks affect shopping patterns according to Generali Global Assistance.

Top Story

5 things to know about the NAIC's new cybersecurity model law

The NAIC's newly-adopted Insurance Data Security Model Law provides guidance for carriers, agents, brokers and their business partners.

More Resources


eNewsletter Sign Up

PropertyCasualty360 Daily eNews

Get P&C insurance news to stay ahead of the competition in one concise format - FREE. Sign Up Now!

Mobile Phone

Advertisement. Closing in 15 seconds.