You'll get hacked, too. Get over it.
This week's shocking revelation is courtesy of Verisign - they were hacked in 2010. Gasp! You don't say! HACKED?! Yes, the company admitted that they were the target of numerous attacks in 2010, some of which were apparently successful. According to the company, none of the servers that support DNS or other critical Internet services were breached, so that's some consolation, at least. There are a few key points to take away from this story:
- First, we don't know why they delayed the disclosure of the breaches. Most in the security community feel in their gut that there's something amiss there.
- Second, we don't have much detail on what happened, technically or otherwise.
- Third, who cares? [Yawn]
Surely I can't be serious about my last point there? The outrage! Really, folks, I am. No, I'm not growing desensitized to breaches. Far from it - I care just as much as any other responsible security professional. However, making a big deal out of this, making news out of this, is not going to solve anything at all.
We've become sensationalists in security. People need something to talk about, I suppose, and we continually need more fodder for those "The Breaches Are [Getting Worse] | [Continuing] | [Adapting]" slides we all throw up in presentations to convince everybody else, both in and out of our industry, that the problem is serious. But, as I mentioned in a blog on my personal site entitled "Failing Gracefully? Or Just Failing?", getting hacked is something we really need to come to grips with. Notice I didn't say absolve responsibility, because that's not the point. Some breaches are truly due to negligence or a lack of sound security practices. But we're all in this same situation. I have yet to see an unbreachable network or application, and neither have you. Nor will we, probably in our lifetimes.
No, we should really start focusing more on detection and response, my friends. I teach this stuff for SANS, and I enjoy defensive security as much as I love breaking into systems. I see two trends in this industry that are disturbing, though. First, most of the next generation of security folks (the young folks coming out of school and so forth) seem to be almost obsessed with pen testing and hacking...but not defense. Not incident handling, intrusion monitoring, and log analysis, but how they can tweak Metasploit to get a shell. Second, there is an incredible skills gap out there in pretty much every category, but nowhere more so than in adequate response and defense. We've got a lot of firewall jockeys, clickety-click GUI "console" minders, and report generators. Too many. What we really need are people with the IT chops to know when they're looking at something abnormal, and then the ability to take the next steps and do something about it. Maybe the team at Verisign didn't have those folks, either. We may never know.
Some other interesting stories from the past week:
- Apple ships a HUGE bundle of patches. Some of them are pretty serious, and I highly recommend patching ASAP if you're a Mac user.
- Adobe's Brad Arkin, while presenting at the Kaspersky Security Summit, claims the company is focused on making exploit development more difficult rather than just finding and fixing bugs. Using techniques like Data Execution Prevention, Address Space Layout Randomization, and sandboxing will make reliable exploit development very difficult, according to Arkin. I know Brad; I've presented with him before. Do I agree with him on this one? Maybe. That's a gutsy statement from a company that is the number one target for attackers right now. Time will tell, I guess.
- Eric Parizo over at SearchSecurity has a really interesting article on why you should consider just flat-out banning the installation and use of some third-party apps. Simple - they're risky! Now, extending this to mobile device app stores is another issue to address, and one we'll be talking about this year as part of the IANS research agenda. Stay tuned.
- And, just for fun, the Australian government is apparently just now figuring out that people are usually the weakest link in security. Wow! Welcome to 2002!
