FRAMINGHAM, 17 MARCH 2011 - On Superbowl Sunday, HBGary CTO Greg Hoglund found himself locked out of his own e-mail account. As has since been widely reported in the media, the hacking group Anonymous leaked thousands of e-mail messages from the accounts of Hoglund and HBGary Federal's CEO Aaron Barr, chastising the company in a public statement. In this excerpt of an interview with CSO correspondent Robert Lemos, Hoglund admits that the company made many mistakes in defending its data, but refutes some of the details of the hack and highlights lessons that other companies should take to heart.
You've said that much of the information in the media about the hack is wrong. What happened?Hoglund: They didn't get anywhere close to our network. As far as I could tell, they were not even aware of its existence. They may have become aware of it by reading the e-mails later but that was well after the fact. They only got access to our e-mail spool, which was hosted at Google, and its cloud based e-mail service. And they got access via a stolen password, so they were able to log in. There was really no "hack" involved; it was a stolen credential. (Editor's note: They also had some access to the company's hosted Web site and Barr's Twitter account.)
You were on the phone with Google as Anonymous was stealing your data?Yes, I was trying to get Google to shut the site down. Google was trying to get me to put a file on my Web site (to authenticate my identity). You see the chicken-and-egg problem there. (HBGary had pulled its site down.)
Anyone with a cloud-based service needs to have an SLA (software license agreement) in the contract that says there is a priority, security hotline so that when there is a security event you have priority support, rather than what happened to me, which is that I got round-robinned to what appeared to be a call center in India. And I'm waiting on the phone and I can't do the technical magic tricks, jumping through the hoops that Google wanted me to jump through, to get them to listen to me. It took me forever to get technical staff on the phone on Sunday afternoon, so they could make the necessary changes so that Google would even start talking to me. And meanwhile, they are downloading my e-mail spool.
I would warn any CISO who is considering cloud in their future to make sure that never happens to them, and that is a contractual thing in the service level agreement.
Sign up for CIO Asia eNewsletters.