Estimates for the total cost of the attacks range from $170 million into the billions.
* Systems may run just fine, vulnerable, for long periods of time.
* The cost of an attack may be far in excess of the business value of the data itself. This overturns the conventional risk management guideline to not invest more to secure an asset than the asset itself is "worth."
SECURITY MINEFIELD: 'Bring your own device' will bedevil IT security in 2012
There was an old saying that English has no direct counterpart to the German word Schadenfreude, meaning "enjoyment which comes from the misfortune of others." So perhaps it was inevitable that we would need such a word handy in describing the events of 2011.
Fortunately, the same odd corners of the Internet that seemingly inspire this class of attacker have given us just such a word: lulz.
In mid-2011 a new hacking group named LulzSec appears on the scene, seeming to spring fully formed from the head(s) of Anonymous. Except that their activity is qualitatively different.
Eschewing the blunt instrument DDoS tool of its progenitor (the Low-Orbit Ion Cannon), this group's preferred modus operandi was to penetrate systems and leak the largest amount of the most damaging information possible.
To be sure Anonymous used this tactic, too, but LulzSec seemed to represent a refinement of it. They also skip the meta-political goals of Anonymous and instead project an image of a group seeking to shock us out of complacency and enjoying every minute of it.
What we learned:
* Attackers may not have the motivations that your security controls were designed to defend against (e.g. financial gain). They may be "in it for the lulz," or something else entirely.
RSA is well known for two things: the amazingly useful public key encryption algorithm (which gave the company its name), and the RSA SecurID brand of hardware tokens for user authentication (which do not actually use the RSA algorithm). Today RSA is a subsidiary of EMC Corporation.
In March, the company disclosed that it had been the target of a successful cyberattack in which the attackers obtained some type of information which allowed them to reduce the protection provided by the tokens. Within a few weeks it was reported that this information had been used in intrusion attempts at U.S. defense contractors, but there is little to suggest that the abuse is more widespread.
Many customers were disappointed in RSA's reticence to share information about the attack, which would enable customers to make informed estimates of their own risk. Some were surprised that RSA would retain SecurID "key seed" data at all. (Ironically, the RSA algorithm is often used specifically to avoid sharing such secret keys unnecessarily.)
Sign up for CIO Asia eNewsletters.