In the wake of the incident, I received an email from database-security vendor Secerno, whose founder and CTO Steve Moyle, laid the blame on today's recession-inspired, resource-constrained environment.
What many are likely asking is how this breach could have happened and gone on for such an extended period after the lessons of Heartland [the infamous January, 2009 credit-card breach]," said Moyle. "The reality is that many enterprises are behind in security protection efforts, such as Anti-Virus updates, due to shrinking IT budgets. In a recent webinar offered by Forrester and Secerno, Forrester revealed that 60 percent of enterprises are behind in implementing security patches, which is consistent with what we are seeing in the field. The IT departments simply do not have the resources to complete these updates in a timely fashion, resulting in network vulnerabilities that are easily exploited."
I don't doubt there's a lot of truth in this, but it's not the whole truth. It's possible that there's an element of security experts fighting yesterday's war. E-commerce hacking, while not new, appears to be the current hot spot in the security world.
As Moyle puts it: "What happened at Network Solutions can be considered a primer to the MO of this generation of hackers: Malware was planted on locations with access to credit card and other financial data, with the data grabbed and sent to a location off the Network Solutions network."
So maybe the answer is a more agile approach to security. I've written previously about some of this stuff (see my old InformationWeek posts "8 Dirty Secrets Of The Security Industry" and "Is 'Good Enough Security' Good Enough?"), including an overreliance on audits and methodologies which worked well for the N-1 threat.
