When Security SLAs just don't Hack it: HBGary lives by the sword and, well ....
I've got a sufficiently twisted sense of humor that I believe that, under the right circumstances, identity theft can be funny. I suspect you do, too. Who wasn't amused when Todd Davis, the CEO of LifeLock, had his identity stolen? He advertised far and wide that his social security number is 457-55-5462, to show how securely his service would protect him. His identity has now been stolen at least 11 times, and his social security number is more widely known than the latest count of Charlie Sheen's lovers.
Perhaps unfairly, these events remind me of conservative, pro-family politicians who are caught in compromising situations with other women, men, animals, or inanimate objects. I actually don't much care about the acts involved, but I'm staggered at the stupidity of publicly railing against something you're doing in private. (And of course it's not just the conservatives, though they often seem the most hypocritical. Who can forget Gary Hart daring the press to catch him cheating on his wife, and then going straight out to frolic on a boat with a girlfriend?)
People who work in security should know better, act cautiously, and qualify their statements and promises. No system is ever perfect, and if you dare people to break your security, they probably will. That's why, whatever your politics, you should think twice before getting into a public war with a group like Anonymous, the unnamed guerrilla hackers who support Julian Assange and Wikileaks. These guys know how to get revenge.
Revenge can be funny. Not quite as funny as LifeLock, but still pretty amusing, are the recent adventures of HBGary Federal, a security firm that threatened to expose the membership of Anonymous last month. Faster than you can say "pride goeth before a fall," HBGary -- a security consultancy, don't forget -- found that its web site had been defaced, its corporate email had been compromised, and a torrent of embarrassing disclosures had been made. (Yes, literally: Anonymous released them in the form of a torrent.)
I suspect the event was far more than embarrassing for HBGary; one of the revelations was that Bank of America was considering paying them to conduct a dirty tricks campaign against WikiLeaks. I would wager they've lost BoA as a customer, plus a lot of other prospective or current clients who aren't likely to pay big bucks for security consulting from a company with its pants tangled around its ankles, security-wise.
There are plenty of lessons here, but most of them are old ones. You shouldn't dare hackers to steal your secrets if they're really embarrassing -- but that's a lot like not casting the first stone unless you're without sin.
You shouldn't pick a fight with someone bigger and stronger than you, either -- and Anonymous was certainly bigger and apparently stronger (read: smarter) than HBGary.
But most of all, you shouldn't promise more than you can deliver. As a cloud company that manages business email archives, Mimecast has to be very secure, and I'm confident that we're more secure than at least 99% of our potential customers who manage their own email. But perfect? Not on this planet. So if members of Anonymous, or any other hacker group, are reading this, my message is simple: I respect your rare, world-class skills, and I suspect you could break into our system with enough effort. But we both know there are so many things you could do with those skills that you're not going to use them against us without a very good reason. And we're not crazy or arrogant enough to give you such a reason if we can avoid it.
One part of security is not being the best or funniest target. Our goal is to be extremely secure, and one small part of that is to be as boring as possible. Move along, hackers, there's nothing interesting to see here.