Analysts expect both CIOs and security vendors to be far more conservative about who they choose to partner with, after an employee at an Australian IT security firm was charged with hacking offences last week.
Matthew Flannery, a 24-year old employee of Content Security, was employed as a support technician for clients of globally respected Tenable Network Security and provided services to a number of large Australian customers.
The arrest has implications first and foremost for Content Security and Tenable Network Security customers, but also for security vendors that contract support services, and for InfoSec professionals more broadly.
Customers
Security analyst James Turner said the news should be concerning for any clients of Content Security or Tenable.
“They are going to wonder how much of their security secrets are now out there in the wild, and whether their security provider is going to be able to give them a definitive answer about what information the alleged offender had access to or disclosed to third parties,” Turner said.
The security analyst said the two security providers need to “urgently get in touch with clients and give them information and advice; specifically on any steps the clients should take to protect themselves.”
He expects several Australian CIOs will be called in for board level briefings to explain potential exposure and implications.
“These CIOs should be taking the view that they are currently exposed,” he said.
“When you put security out to a third party, you are putting your trust in them,” noted Graham Ingram, an IT security veteran and general manager at AusCERT.
“Ultimately – you need due diligence to quantify that trust.”
Lessons for security vendors
Tenable Network Security has insisted that the alleged hacker was never an employee of its firm.
Matt Flannery is not and has never been an employee of Tenable Network Security.
— Tenable Security (@TenableSecurity) April 24, 2013
But industry commentators note that ultimately such a defensive response is a distraction from a more pressing issue. The alleged hacker worked for Tenable’s customers under Tenable’s arrangement with Content Security. The Tenable brand, whether they like it or not, becomes tarnished.
“Hopefully after this incident, large international companies will think twice about who they take on as third party resellers or support staff,” noted Chris Gatford, director of Australian pen testing firm, Hacklabs.
The broader InfoSec community
The InfoSec community is already reeling from a number of unfortunate events in which IT security professionals have been charged over efforts to disclose vulnerabilities.
Action brought against Patrick Webster or Andrew Auernheimer are two examples of where the line between responsible disclosure and law enforcement’s definition of “hacking” is blurred.
Few doubt however, that the hacks the Content Security engineer was charged with had any merit – and the last thing Australia’s InfoSec community needed was a scandal.
The main lesson for the InfoSec community, Gatford said, was that organisations need to do more due diligence over who they contract or hire.
“Its very clear in this case – regardless of whether the alleged hacking incidents even occurred – that Content Security didn’t do good due diligence on hiring its staff,” Gatford said.
“You only need to spend ten minutes Googling Matthew Flannery to find his Aush0k identity.”
Ingram speculates that such a hire might come down to a dire shortage of IT security talent available to choose from.
Top-notch security professionals boasting skills and experience are poached and traded amongst Australia’s largest organisations, he said. Simulatenously, no new white hats are being trained as few organisations are willing to hire an IT security manager with less than five years experience at that level. Ingram concedes it is a “massive issue” for his industry.
“And as a result, some organisations are being lured into the trap of thinking that if they can’t get a top notch security guy – a few grey hats might do.
“What we’ve seen this week is a possible outcome - which is not acceptable.”
“You can’t be a black hat one day, and say the next day you’re here to use that knowledge and experience for the good of an organisation. Trust is earned, it’s not a label you put on your front door.”
What is the best practice approach to background checks on staff? Read on for more...
.jpg&h=140&w=231&c=1&s=0)
