Stratfor, a global security think-tank, has been hacked, and now everyone knows about it. Based on the information available on the web about this recent security incident, it seems safe to conclude that the information security processes at the company were not adequate to protect the information of its esteemed customers.
Some of the key observations I had on this incident are summarized below. These assumptions are made from information publicly available on the web and are not necessarily accurate:
Encryption: The attackers claim that the data in the database were not encrypted, not even the credit card numbers. It is a shame for a company of such size and leadership in security and intelligence, be it in the IT field or in corporate and personal security, not to have this control implemented. By not encrypting the card numbers, Stratfor fails to meet PCI compliance and endangers its customers with public exposure and potential identity theft, which in turn can damage their credit ratings.
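To make the point concrete, here is an added example (my own illustration, not Stratfor's code or any real payment system) of how a subscription site can keep card numbers out of its database in the clear. It uses one of the approaches PCI DSS accepts for stored primary account numbers: truncation for display plus a keyed one-way hash for recognising a repeat card. The key source, the record layout and the test card number are assumptions for the example; a real deployment would keep the HMAC key in an HSM or key-management service rather than alongside the data.

```python
"""Keeping card numbers out of the database in the clear.

Added example, not Stratfor's code: it shows one approach PCI DSS accepts
(truncation plus a keyed one-way hash) using only the standard library.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Assumption: in production this key lives in an HSM or key-management
# service, never in the same database that holds the card records.
PAN_HMAC_KEY = secrets.token_bytes(32)


def luhn_valid(pan: str) -> bool:
    """Luhn checksum, used here only to reject malformed input early."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def validate_pan(pan: str) -> bool:
    """True for a digit string of plausible length that passes Luhn."""
    pan = pan.replace(" ", "")
    return pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)


def mask_pan(pan: str) -> str:
    """Truncate to first six and last four digits, the most PCI DSS allows to be shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_fingerprint(pan: str, key: bytes = PAN_HMAC_KEY) -> str:
    """Keyed one-way hash: lets the application recognise a repeat card
    without storing the PAN; the secret key stops someone who dumps the
    table from brute-forcing the 16-digit space offline."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class StoredCard:
    """What the database row holds: no full PAN anywhere."""
    masked: str
    fingerprint: str
    expiry: str


def store_card(pan: str, expiry: str, key: bytes = PAN_HMAC_KEY) -> StoredCard:
    """Validate the card number and return the record that is safe to persist."""
    pan = pan.replace(" ", "")
    if not validate_pan(pan):
        raise ValueError("not a well-formed card number")
    return StoredCard(mask_pan(pan), pan_fingerprint(pan, key), expiry)


def is_same_card(record: StoredCard, pan: str, key: bytes = PAN_HMAC_KEY) -> bool:
    """Constant-time comparison so repeat-card lookups do not leak via timing."""
    return hmac.compare_digest(record.fingerprint, pan_fingerprint(pan.replace(" ", ""), key))


if __name__ == "__main__":
    # Constructed input: the well-known Visa test number, not a real card.
    row = store_card("4111 1111 1111 1111", "12/14")
    print(row)  # masked PAN, 64-hex fingerprint, expiry; no clear-text PAN
```

A dump of a table built this way gives an attacker masked numbers and keyed hashes, neither of which can be charged or reversed without the key. If the business genuinely needs the full number later (recurring billing, say), that is the case for a payment processor's tokenisation service rather than for storing it in the subscriber database.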
Web Hosting: The web server is hosted at a data centre not under Stratfor's control. The data centre's FAQ page boasts about its physical security, which includes biometric hand scans and proxy cards. In addition, the data centre is staffed 24/7, 365 days a year, and it also mentions video cameras and motion detectors for video surveillance. More importantly, the hosting provider offers managed firewall and managed IDS/IPS services with full reporting and logging capability; it provides internal monitoring and reporting of all significant network events, with the ability to notify customers of common problem indicators. So the question here is: who failed to take the right steps? Did Stratfor set up their own IPS and firewall, or did they use the managed services? Or was there no stateful firewall and/or IPS installed at all?
Security Testing: Web-based communication is one of Stratfor's key business avenues, and they run a subscription-based business through their website. Has Stratfor's Internet infrastructure undergone periodic security reviews, including penetration testing and vulnerability assessments? If yes, why were these security vulnerabilities not identified? If not, why not?
Defined responsibility: Is anyone responsible for IT security or information security at Stratfor? If not, that is something Stratfor needs to do as the immediate first step towards setting up security.
Password Management: Set up a password policy for internal users as well as for customers. Accept a bit of inconvenience in exchange for security and stop allowing the common passwords your customers use. Also disallow the common passwords that are published from time to time. In addition, disallow the password "stratfor", as there were users, including staff, using this word as their password.
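The policy described above is simple enough to encode directly. The following is an added example written for this post (not Stratfor's code) of a password check that applies each of those rules: a minimum length, a deny list of common passwords, a ban on the organisation's own name anywhere in the password, and a ban on the user name. The deny list is a small constructed sample standing in for the published lists the post refers to, and the minimum length and the leetspeak substitution table are my own choices; it goes slightly beyond the text by also catching spellings such as "Str@tf0r" and numeric suffixes such as "password1234", which are how users typically dodge a plain string match.

```python
"""Password policy check of the kind the post recommends.

Added example, not Stratfor's code. The deny list below is a constructed
sample; a real deployment would load a published common-password list and
refresh it as new lists appear.
"""
import string

MIN_LENGTH = 12          # assumption: the post gives no number
DIGITS = string.digits

# Constructed sample of a common-password deny list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "abc123"}

# Words tied to the organisation that must not appear anywhere in a password.
ORGANISATION_WORDS = {"stratfor"}

# Undo the usual symbol-for-letter substitutions so 'Str@tf0r' is caught too.
_LEET = str.maketrans("@$013!", "asolei")


def _variants(value: str) -> set[str]:
    """Forms of the password that are compared against the deny list."""
    lowered = value.lower()
    stripped = lowered.rstrip(DIGITS)     # 'password1234' -> 'password'
    return {lowered, stripped, lowered.translate(_LEET), stripped.translate(_LEET)}


def check_password(password: str, username: str = "") -> list[str]:
    """Return the policy violations; an empty list means the password is acceptable."""
    problems = []
    variants = _variants(password)
    leet = password.lower().translate(_LEET)
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if variants & COMMON_PASSWORDS:
        problems.append("appears on the common-password deny list")
    for word in sorted(ORGANISATION_WORDS):
        if word in leet:
            problems.append(f"contains the organisation name '{word}'")
    if len(username) >= 3 and username.lower().translate(_LEET) in leet:
        problems.append("contains the user name")
    if len(set(password)) < 5:
        problems.append("too few distinct characters")
    return problems


if __name__ == "__main__":
    # Constructed candidates, including the one the post singles out.
    for candidate in ("stratfor", "P@ssw0rd1234", "Str@tf0r-Analyst-2011",
                      "correct-horse-battery-staple"):
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

Run the same check at registration, at password change and, for existing accounts, as a one-off audit against stored hashes using the deny list alone (you cannot recover the clear text, but you can hash each deny-list entry with each account's salt and flag matches), so that the accounts already using "stratfor" are forced to change it rather than waiting for their next voluntary update.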
Secure application development: Develop secure web applications and perform security code reviews so that the applications reach some level of security maturity.
Baseline security configurations: Build baseline security configurations for the technology components and keep enforcing them.
Information security program: Finally, set up an information security program to gain better control over the security of customer and other related information. Typical security programs include the above features, in addition to others.
It would be possible for Stratfor to come out of this incident without much impact on the business. However, it will be difficult for them to escape the embarrassment this incident has caused them.