VeriSign Hack Ominous for Corporate, Government Risk

NU Online News Service, Feb. 3, 3:44 p.m. EST

As details of the hacking of VeriSign unfold, questions emerge and government entities and corporations of all sizes are becoming more aware of their own vulnerabilities, according to a technology expert.

That VeriSign, seen as the Fort Knox of security for .com, .net and .gov web addresses, doesn’t seem to be aware of the extent of the hacking is a major concern.

The VeriSign attacks were revealed in a quarterly U.S. Securities and Exchange Commission filing in October, following new guidelines on reporting security breaches to investors. According to Reuters, which reviewed more than 2,000 documents that mentioned breach risks since the SEC guidance was published, VeriSign’s disclosure stood out.

 “The main concern is that we all want to know that we’re dealing with—the websites that we think we’re dealing with,” explains Matthew Norris, global head of technology, media and telecommunications for Hiscox, located inLondon.

He tells NU Online News Service that “unfortunately, a hack like this could mean that people can pretend to be Amazon, say,” by erecting a spoof website.

Norris explains, “The most fascinating thing about this is that all the other certification authorities that got hacked, no one had really heard of. And [those companies] really didn’t have much money to spend on good security.”

On the other hand, he says, VeriSign was the most trusted party on the Internet, trusted by the U.S. government and huge organizations. “Their security is amazing,” he adds. “They are really well funded, their business is security, they’ve been around for ages and so if they’ve had a problem, it makes you think the old truth is true: It’s not so much what you do, it’s how determined the person is to cause your problem.”

Norris says there are two reasons the company might have been hacked: one is because the security of the company is so good that the hacker might have been driven to embarrass them. The other is that someone is trying to steal the information and misuse it.

“If that was true, and it’s unclear how far they got, then they must have really good resources, because normally the target is the path of least resistance—VeriSign is not the path of least resistance,” he observes. “This is not far off from Fort Knox, really.”

While the details are not yet clear, he says the second reason “seems very tempting, bearing in mind how many certification authorities have been targeted in the last year, to think that they were after the ability to issue their own certificates—to pretend to be Amazon.”

The most unnerving aspect, he says, is that the SEC’s disclosure system didn’t work. First of all, he says, it was disclosed too late, about a year after the hack. And secondly, the disclosure requirements do not give enough detail. “Even if it had been timely, everyone is scratching their head, there is just so little detail that has emerged.”

The broadest implication, Norris says, is “Even if you think your security is brilliant, it’s probably not as good as VeriSign, so the pressure to keep improving your security remains immense.”

He advises that organizations that need to send important content should encrypt the information. “Because even if you send encrypted data to someone who’s not the right person, they will struggle to make sense of the message.”


Resource Center

View All »

Contractors General Liability Coverage 102

What is a prior work exclusion? Which option is right for my client? Why do...

Sign up today to get a 50% matching credit -...

Insurance marketing sometimes seems like it's a game of swings and misses, but we're here...

Guide: 5 Steps to Selling Cyber

Cyber risk and data security is on the agenda of every business owner and executive....

Citation Correlation

Do rigger and signalperson qualifications correlate with the cause of crane and rigging accidents? ...

Complete Guide to Electronic Signatures in Property & Casualty Insurance...

In property and casualty insurance, closing new business quickly is key. Learn how to leverage...

INSTANT ACCESS: Complimentary Sales Closer Questionnaires

Help property owners or managers compare your commercial residential property insurance coverage vs. the competition....

Determining Vacant Property Perils and Valuations

Are your clients fully covered for Vacant Properties? In this economic climate, your insureds may...

Risk Management for Law Firms

This package of 3 concise risk management articles offers straightforward content and practical suggestions law...

Guide: Top 15 E&O Risks-And How To Avoid Them

Accidents happen. But when it's an errors and omissions oversight, that accident can open your...

We'll Show You How to Reach Your Sales Goals

Whether you work alone or have a team of agents working for you, we can...

Risk Management Report eNewsletter

Identify problems involving emerging risks, reinsurance, and business interruption with help from Risk Management Report - FREE. Sign Up Now!

Advertisement. Closing in 15 seconds.