Why We Should Thank, Not Demonize LulzSec, Anon

So the 50-day cruise is over and the guys at LulzSec are going back underground. That should worry some of us because if they did not want us to know what they were doing, I don’t think any sane person would argue that they could not have done so.

While the media has been abuzz about the exploits of Anonymous and LulzSec, the bigger question we should be asking is, are any of their exploits new or did they just give us a wake up call that there is no security, at least in the way we normally define it. What they have demonstrated is that security is a term we use to make ourselves feel good.

A quick look at their “victims” shows that most of the organizations they targeted have tons of money to throw at security, and some are known vendors of security “solutions”. Whether it is RSA, CitiGroup, Bank of America, the CIA, the U.S. Senate, Fox News, Barracuda, Northrup Gruman, Lockheed Martin, Comodo, Yahoo! and countless others too “insignificant” to get on the front page like Distribute IT, the recent attacks clearly show that any one can be had.

It could have been worse and these attacks could have gone on quietly, as I am sure they have been for quite  a while. I strongly believe that what the LulzSEC and Anonymous groups exposed were events that happened regularly but were covered up by the affected organizations.

The effect of such cover-ups were a false sense of security on the part of the general populace and the tendency by most organizations to believe that just installing a security appliance was enough. It also gave vendors of security products license to continue milking millions of dollars from the government, consumers and businesses until the holes in their products were exposed.

Rather than demonize these groups, organizations and businesses should be thankful that someone has provided a yardstick by which you can hold your security vendors accountable. There is now a talking point of “how can you guarantee that what happened to Citi won’t happen to us and if it happens, can you fix it without billing us additional millions”.

Indeed, as the group wrote:

“Our planned 50 day cruise has expired, and we must now sail into the distance, leaving behind – we hope – inspiration, fear, denial, happiness, approval, disapproval, mockery, embarrassment, thoughtfulness, jealousy, hate, even love. If anything, we hope we had a microscopic impact on someone, somewhere.”

Their activities in the past few weeks, if anything has put a little pressure on IT professionals saddled with the task of protecting a network to get off the World of Warcraft and actually do some continuous monitoring and vulnerability scanning; it gives security professionals food for thought when they go on a risk assessment assignment because they will actually be forced to do a thorough assessment instead of check-boxing their way through. Chief Financial Officers (CFOs) should be thankful because now they have a reason to demand that the money budgeted for security is actually being spent on security and not on some cool gadget that is completely useless in protecting the organization from security breaches.

Finally, while there are ethical gaps in the way these groups did their “ethical hacking”, I hope it gives us reason to think twice before we put confidential information in insecure locations. But from the mostly negative and arguably silly comments you read on websites that report on the activities of these groups, a lot of people still do not seem to get it. There is a lot of focus on the “what” instead of the “why” and “how”. If the systems that were compromised were secure in the first place, could they have gained access? What does a hack teach the organization that was hacked? If these guys could get into our corporate systems and tell us, who else got in and did not tell us?