Pointing fingers is misleading (and stupid)

By Mike Rothman

Everyone is all fired up that the APT is now targeting major media companies. Rich covered that in yesterday’s post, and now it seems the Wall Street Journal was also targeted with similar tactics:

The Wall Street Journal said its computer systems had been infiltrated by Chinese hackers for the apparent purpose of monitoring the newspaper’s China coverage.

Why is this shocking? Brazen, yes. Predictable, yes. Surprising? Not in the least. But that’s neither here nor there. What annoyed me about the NYT story was that it pointed the finger squarely and exclusively at Symantec. And Mandiant, their partner in slime, seemed to blame the breach on the inability of Symantec’s AV engine to catch the attacks. This is bush league and clear misdirection.

We should just blame Canada. Everyone else does...

I am not saying, in any way, that Symantec’s failure wasn’t the main cause of this breach. But I don’t know that it was, either. We don’t know the answers to a few fairly important questions, starting with: what version of Symantec AV was running at the time of compromise? If they were using SEP 10, this result isn’t surprising. That product stunk, and SYMC acknowledges that. It’s like blaming Microsoft for a breach because Windows XP got compromised. That would have been fine in 2003, but now? Come on, man! If the enterprise isn’t taking advantage of modern protection, how can they expect to defend against modern attacks?

Before we can credibly place blame we need to know more. What operating system was in play? Was it fully patched? How was it configured? What other defenses were in place on the endpoints? The questions go on and on. We don’t know enough to point the finger. And if these devices weren’t taking advantage of the latest versions of pretty much everything, then the issue rests more on the NYT than on a security vendor. At least in my opinion.

But what fun is that, right? It’s much easier to play into the same old story about how AV sucks. But no endpoint product is going to stop a 0-day targeting crappy software (yes, Oracle and Adobe, I’m looking at you). Not 100% of the time, anyway. And all the attackers needed to do was compromise one device, and then they owned the environment.

OK, I’ll get off my soapbox now. Just to make sure we’re clear, I’m not saying Symantec is free of blame here. But I know there are a bunch of other folks who should have the finger of accountability pointing at them, starting with the NYT security team.

