HBGary's Hoglund identifies lessons in Anonymous hack

On Super Bowl Sunday, HBGary CTO Greg Hoglund found himself locked out of his own e-mail account. As has since been widely reported in the media, the hacking group Anonymous leaked thousands of e-mail messages from the accounts of Hoglund and HBGary Federal's CEO Aaron Barr, chastising the company in a public statement. In this excerpt of an interview with CSO correspondent Robert Lemos, Hoglund admits that the company made many mistakes in defending its data, but refutes some of the details of the hack and highlights lessons that other companies should take to heart.

You've said that much of the information in the media about the hack is wrong. What happened?

Hoglund: They didn't get anywhere close to our network. As far as I could tell, they were not even aware of its existence. They may have become aware of it by reading the e-mails later but that was well after the fact. They only got access to our e-mail spool, which was hosted at Google, and its cloud-based e-mail service. And they got access via a stolen password, so they were able to log in. There was really no "hack" involved; it was a stolen credential. (Editor's note: They also had some access to the company's hosted Web site and Barr's Twitter account.)

You were on the phone with Google as Anonymous was stealing your data?

Yes, I was trying to get Google to shut the site down. Google was trying to get me to put a file on my Web site (to authenticate my identity). You see the chicken-and-egg problem there. (HBGary had pulled its site down.)

Anyone with a cloud-based service needs to have an SLA (software license agreement) in the contract that says there is a priority, security hotline so that when there is a security event you have priority support, rather than what happened to me, which is that I got round-robinned to what appeared to be a call center in India. And I'm waiting on the phone and I can't do the technical magic tricks, jumping through the hoops that Google wanted me to jump through, to get them to listen to me. It took me forever to get technical staff on the phone on Sunday afternoon, so they could make the necessary changes so that Google would even start talking to me. And meanwhile, they are downloading my e-mail spool.

I would warn any CISO who is considering cloud in their future to make sure that never happens to them, and that is a contractual thing in the service level agreement.

What other suggestions do you have for companies?

Set an e-mail retention policy and don't store your entire e-mail archive in the cloud. You can store it locally somewhere in the corporate environment, so you can still access it for doing your daily work, looking up data as well as for e-discovery purposes, but it shouldn't be stored in an accessible location out in the cloud.

Second, enable two-factor authentication. Anything that requires a log-in should be enabled for two-factor authentication. If I had enabled two-factor authentication for Google apps that I had HBGary subscribed to, then these hackers from Anonymous would not have been able to log in.

It was a newly available option, but we hadn't enabled it. The cost of two-factor authentication is significantly lower today than it has been in the past. It doesn't cost much, so anybody using the cloud should enable two-factor, if it's an option. If they have any services on the road, such as sales people or technical people, they should have two-factor authentication.

Another thing they should do is configure IP restriction on any administration of the site. So, you should only have one administrator account and it should be IP restricted to a single location. And then if you have a compromise, you don't have to worry about someone getting access to the administrative parts of the cloud services.
