As you probably know by now, there is at least one company that couldn't celebrate a very happy holiday season, courtesy of Anonymous. The hacker group claims it broke into security company Stratfor and stole thousands of credit card numbers, email addresses and passwords.
The story unfolding from this attack has had a very different feel than other Anonymous exploits. As of today, the Stratfor website is still down. The company has been communicating via social media. I read in several places that Stratfor warned that Anonymous would launch an attack on others who supported the company. And supposedly, the credit card information was used for donations to charitable organizations - "Robin Hood hacker" was one description I came across.
I heard news of the hack while I was watching "A Christmas Story" for the umpteenth time. My husband told me after seeing an article online, and he waited for a reaction from me. I had none. The Anonymous attack stories are getting old, and I have to wonder at what point organizations will do a better job of cybersecurity. But then, word is that Stratfor didn't even bother to encrypt the stolen information. If a security company allegedly doesn't use encryption on sensitive information, why should we think companies in other industries would?
The Stratfor hack appears to be indicative of the way businesses think about cybersecurity. As William Jackson wrote at Government Computer News:
"Countless small organizations that consider themselves too unimportant to warrant a hacker's attentions rely on security through obscurity. This is a dangerous gamble. Other organizations that should know better, such as Stratfor as well as the U.S. Senate and the CIA before it, for some reason have not done the basic job of clearing up the obvious weaknesses that can allow easy entrance."
What will convince companies of all sizes to fix their vulnerabilities and better protect their network? I don't have an answer for that, but maybe the launch this month of the National Critical Infrastructure Cybersecurity Education Initiative will be a start. According to a press release:
"Beginning with the healthcare and public health critical infrastructure, sector-specific cybersecurity education frameworks and supporting education programs (K-12/current workforce) will be defined, developed and implemented via a series of nationwide regional workshops leveraging the NICE Cybersecurity Workforce Framework as the foundational baseline."
It all comes back to education, doesn't it? The more we know about protecting our infrastructure, the more power we have to actually take action.