Op-Ed written by Aviram Jenik, CEO Beyond Security
Recently, Facebook suffered their largest breach ever; it is a big deal when one of the largest technology companies in the world can be the target of such a breach — more so when it’s a company that has access to our very personal and confidential data. It is simply not acceptable and regardless of what your views might be on security prevention, attacks like these, though inevitable can be avoidable.
The attack involved a few different security holes that were exploited in tandem; in very simple terms, Facebook had a feature where you can view your own profile as someone else so that you can clearly know what that user can see when visiting your Facebook page. To do that, Facebook allowed you to temporarily impersonate that user, or “step into his shoes” so to speak. The problem was, a code flaw allowed you to not just step into, but also walk a mile in his shoes — or impersonate the user long enough to get into their account. Repeating this attack to the person’s friends, and friends-of-friends, attackers received access to at least tens of millions of Facebook accounts. Ouch!
When a breach like this happens, especially to a company with a reportedly 20,000 people dedicated to IT security, mere mortals like us take notice. Unfortunately, instead of properly learning lessons from the incident, much too often, people use it to re-enforce whatever preconceived notion they already have about security. Much like political activists on both sides who read the same news but interpret it according to their ideology, security people much too often just dig their heels deeper rather than give up on their stale axioms.
On the one hand, we have the doomsayers. These are the people who will always complain about the hundreds of things their company isn’t doing to enhance IT security. For them, implementing security measure X is not good, because attackers can still attack using attack vectors Y and Z.
In their eyes, Facebook deserved being hacked, for having a staff of a measly 20,000. Facebook probably wasn’t doing proper code reviews, they would say, and who the heck sends session tokens in clear text? They are the ones who said “I told you so” — who always knew Facebook was unsafe and in a similar manner, keep pointing out the dozens, maybe hundreds of security flaws in their organization; whenever someone comes up with a solution, they are the ones that shoot the idea down since it does not solve all the problems. Nothing less than perfection is good enough, but let’s not define perfection — after all, we want to make sure we have something to complain about later.
Just as bad are the extremes on the other side — the ones who will point out to the Facebook breach to say, what’s the point? After all, if a company that spends billions on security still gets hacked, why should we even bother? Either way, chances are, we are at risk of getting hacked, so might as well not bother trying.
These are the same people, who when you show them a possible security solutions available to them , will just sigh and say “well, if someone really wants to get in, they will”. They will point to one of the quasi-truisms about security never being foolproof, but ignore the actual reality that only two things in life are guaranteed, and according to singularity theory we may soon be left with nothing guaranteed except more taxes.
Both extremes are dead wrong. What we should learn from the Facebook hack is not that doomsday is inevitable nor that security investment is futile. The lesson here is that despite incredibly strong and clever attackers, constantly probing organizations for weak points, most organizations today will finish their
What you need to do is prioritize. Find out what will make the most impact in terms of security and do it. It may be applying security patches, implementing a better security policy, installing a defensive tool or testing your network for weak points. In any case, do what you can under the circumstances and remember that any impact is better than no impact.
If you can do one thing this month that will make your organization even slightly more secure than last month, then as a security professional you should pat yourself on the back: you did your job well. Now feel free to log back into Facebook, you’ve earned it.