When is a Hack a Breach?
As the hubbub over Apple, Twitter, and Facebook being hacked with the Java flaw slowly ebbs, word came late last week that Microsoft was also hit in the attack. Considering the nature of the watering hole attack, odds are that many, many other companies have been affected.
This begs the question: does it matter? The headlines screamed “Apple and Facebook Hacked”, and technically that’s true. But as I wrote in the Data Breach Triangle, it isn’t really a breach unless the attacker gets in, steals or damages something, and gets out. Lockheed uses the same principle with its much-sexier-named Kill Chain.
Indications are that Apple and Microsoft, and possibly Facebook, all escaped unscathed. Some developers’ computers were exploited, the bad guys got in, they were detected, and nothing bad happened. I do not know if that was the full scope of the exploits, but it isn’t unrealistic, and successful hacks that aren’t full-on breaches happen all the time.
I care about outcomes. And someone bypassing some controls but being stopped is what defense in depth is all about. But you rarely see that in the headlines, or even in many of our discussions in the security world.
It is the exact reason I didn’t really write about the hacks here before – from what I could tell, some of the vendors disclosed only because they knew it probably would have come out once the first disclosure happened, because their use of the site was public.