Posted on February 22, 2012 by Josh Arrington
This week’s IT security news coverage was shaped largely by the fallout from Nortel’s 10-year data breach, which some now cite as one of the primary factors in the company’s ultimate downfall, with speculation that competitors were able to gain access to sensitive IP over the course of a decade. Here are several stories we think offer the best perspectives on the breach.
- History of a Decade-Long Hack: According to the Wall St. Journal, using seven passwords stolen from top Nortel executives, hackers penetrated Nortel’s computers, repeatedly downloading technical papers, R&D reports, business plans, employee emails and other documents. From our standpoint, this is another high-profile example of the need to better manage and control privileged access. With relative ease, it appears the hackers were able to use the passwords to access the network, then, once inside, elevate privileges in order to access sensitive data and information. From an industry standpoint, Nortel’s ‘inaction’ is inexcusable.
- Expect Defenses to Fail: So what can we learn from all this? Information Week published a piece that took a first crack at some answers, “8 Lessons From Nortel’s 10-Year Security Breach.” Some quick takeaways? Expect defenses to fail, conduct a thorough forensic analysis and expect greater accountability.
- An Empowering Cybersecurity Bill?: In other news, a bipartisan group of senators introduced long-awaited cybersecurity legislation, calling it “critical” to keeping the country from suffering a “catastrophic attack.” According to CSO, this is a comprehensive bill that would encourage the sharing of information about threats and attacks between government and industry. Specifically, the Cybersecurity Act of 2012 would give the Department of Homeland Security power to regulate the kind of company security protections government deems necessary to protect critical infrastructure — such as power and phone companies, water and treatment plants, wireless providers and other companies selected on the basis of DHS risk assessments.
We’d like to hear your thoughts. What lessons do you think we can learn from Nortel? What are your hopes for outcomes from the Cybersecurity Act?
Posted on February 6, 2012 by Josh Arrington
At Cyber-Ark we don’t typically like to brag about our achievements, but we have had such a great week that we can’t help but show off a bit. This year we have been shortlisted for not one, not two, not even three but FOUR SC Magazine Europe Awards! We are very excited and wanted to send our congratulations to all of the finalists that were also shortlisted in the Best IAM Solution, Best Remote Access, Best Security Management and Information Security Product of the Year Categories. While we’ve been celebrating we’ve also been paying close attention to some evolving stories in cyber legislation as well as an interesting twist on a phone hacking and wanted to put stories out there to get our readers’ opinions:
- Bloomberg Businessweek reported that the Cyber-Security bill has been delayed in reaching a vote on the Senate floor. The Senate bill would authorize the Homeland Security Department to identify infrastructure that’s “considered critical to U.S. economic and national security” and develop standards that must be met to protect it. Understanding the security threat that cyber war poses to our nation and the number of sophisticated hackers out there, advisors are doing their best to educate the Senate on the urgency behind this bill. Bruce McConnell, a counselor to Napolitano on cyber security matters, stated, “What we were here today to do was make sure the Senate understands the severity and importance of the threats that we’re facing and the need for action.”
- Trying to hide your organization’s data breach? VeriSign proved this week that you can actually get away with it. After scouring 2,000 SEC filings, Reuters reported this week that VeriSign was actually hit by hackers back in 2010 but did not report the breach until its SEC filing in October of 2011. How is this possible when the company states that “more than half (56%) of the world’s DNS hosts rely on the VeriSign .net and .com infrastructure”? Well, as long as credit card data isn’t involved, organizations actually aren’t forced by the government to reveal a breach to the public.
- Finally, FOX News and other outlets reported that a phone call between the FBI and Scotland Yard was recorded and released online by hackers from Anonymous. Luckily, the FBI said that there was no classified information on the call, but it was still accessed illegally. Anonymous tweeted that they were able to obtain the call by compromising an investigator’s emails. If the call is authentic, it is quite jarring that the group was able to get into the very call that discussed proceedings for its past offenses.
We’d love to get your thoughts on these legislative issues as well as the phone hacking – do you think the Senate is taking the threat of cyber war seriously? Should VeriSign have been forced by law to reveal that they were breached? Is Anonymous a bigger threat than we anticipated?
Let us know in the comments!
Copyright 2013 Cyber-Ark Software - All Rights Reserved