On Superbowl Sunday, HBGary CTO Greg Hoglund found himself locked out of his own e-mail account. As has since been widely reported in the media, the hacking group Anonymous leaked thousands of e-mail messages from the accounts of Hoglund and HBGary Federal's CEO Aaron Barr, chastising the company in a public statement. In this excerpt of an interview with CSO correspondent Robert Lemos, Hoglund admits that the company made many mistakes in defending its data, but refutes some of the details of the hack and highlights lessons that other companies should take to heart.
You've said that much of the information in the media about the hack is wrong. What happened?Hoglund: They didn't get anywhere close to our network. As far as I could tell, they were not even aware of its existence. They may have become aware of it by reading the e-mails later but that was well after the fact. They only got access to our e-mail spool, which was hosted at Google, and its cloud based e-mail service. And they got access via a stolen password, so they were able to log in. There was really no "hack" involved; it was a stolen credential. (Editor's note: They also had some access to the company's hosted Web site and Barr's Twitter account.)
You were on the phone with Google as Anonymous was stealing your data?Yes, I was trying to get Google to shut the site down. Google was trying to get me to put a file on my Web site (to authenticate my identity). You see the chicken-and-egg problem there. (HBGary had pulled its site down.)
Anyone with a cloud-based service needs to have an SLA (software license agreement) in the contract that says there is a priority, security hotline so that when there is a security event you have priority support, rather than what happened to me, which is that I got round-robinned to what appeared to be a call center in India. And I'm waiting on the phone and I can't do the technical magic tricks, jumping through the hoops that Google wanted me to jump through, to get them to listen to me. It took me forever to get technical staff on the phone on Sunday afternoon, so they could make the necessary changes so that Google would even start talking to me. And meanwhile, they are downloading my e-mail spool.
I would warn any CISO who is considering cloud in their future to make sure that never happens to them, and that is a contractual thing in the service level agreement.
What other suggestions do you have for companies?Set an e-mail retention policy and don't store your entire e-mail archive in the cloud. You can store it locally somewhere in the corporate environment, so you can still access it for doing your daily work, looking up data as well as for e-discovery purposes, but it shouldn't be stored in an accessible location out in the cloud.
Second, enable two-factor authentication. Anything that requires a log-in should be enabled for two-factor authentication. If I had enabled two-factor authentication for Google apps that I had HBGary subscribed to, then these hackers from Anonymous would not have been able to log in.
It was a newly available option, but we hadn't enabled it. The cost of two-factor authentication is significantly lower today than it has been in the past. It doesn't cost much, so anybody using the cloud should enable two factor, it it's an option. If they have any services on the road, such as sales people or technical people, they should have two-factor authentication.
Another thing they should do is configure IP restriction on any administration of the site. So, you should only have one administrator account and it should be IP restricted to a single location. And then if you have a compromise, you don't have to worry about someone getting access to the administrative parts of the cloud services.
Read more about cloud security in CSOonline's Cloud Security section.