Whenever I read another article about how Company X or University Y or Governmental Organization Z was "recently" hacked -- usually "by the Chinese" -- I can't help but chuckle. Those headlines -- the most recent about the U.S. Chamber of Commerce -- shouldn't read, "Company X was hacked!" They should read, "Company X has been hacked for years but just now noticed!"
Headlines that, to me, would truly be newsworthy include:
- "Company fully patches Java and Adobe products"
- "Organization trains end-users to recognize basic social engineering attacks"
- "IT department reviews all its event logs"
- "Company runs SQL database app without SQL injection exploits"
- "Prominent corporate website not subject to XSS exploits"
- "Company knows where all of its data is"
Stories about successful attacks are old news because everyone's already been hacked. You won't find a decent computer security expert who'll tell you otherwise. I'm dumbfounded by the fact that, despite the severity of the problem, we still aren't doing anything differently to protect ourselves.
How do these "uber" hackers pull off the types of attacks that make headlines? By exploiting unpatched software, taking advantage of poor passwords, targeting an application vulnerability, or duping one or more users into running something they shouldn't. It's a short and simple list, but apparently no one is taking the simple steps needed to protect themselves.
On a broader level, how bad does it have to be before we, as a society, demand that our leaders get together to fix the Internet already -- before a catastrophe occurs?
In this topsy-turvy world of default insecurity, headlines about successful attacks are old news. It's time to see news about how we're fixing the problem.
This story, "Security headlines you'll never read," was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes's Security Adviser blog at InfoWorld.com.