Some Facts and Conjecture About the VeriSign Data Breach

The web is abuzz with stories about the 2010 data breach that VeriSign reported in its Oct 28, 2011, 10-Q statement. The document devotes a couple of paragraphs to the breach and includes the following:

“In 2010, the Company faced several successful attacks against its corporate network in which access was gained to information on a small portion of our computers and servers. We have investigated and do not believe these attacks breached the servers that support our Domain Name System (‘DNS’) network. Information stored on the compromised corporate systems was exfiltrated.”

VeriSign further explains that its information security team detected and responded to the incident. That in itself isn’t a big deal, as successful attacks occur on a regular basis among companies large and small. If this were the full extent of the situation, it wouldn’t be worth including as part of the 10-Q filing. SEC disclosure guidelines published in October 2011 state that companies “should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky.”

VeriSign’s mention of the breach in its 10-Q implies that the incident was significant, probably because of the kind of data that was compromised. This theory is supported by VeriSign highlighting that although it “is unaware of any situation in which possibly exfiltrated information has been used, we are unable to assure that such information was not or could not be used in the future.”

VeriSign’s disclosure further states that “given the nature of such attacks, we cannot assure that our remedial actions will be sufficient to thwart future attacks or prevent the future loss of information.”

This description sounds like the company believes they were dealing with an APT-style attack. One of the characteristics of APT incidents is that it is very difficult to remove the adversary’s presence from the corporate network. Such efforts may take years and tend to be very expensive.

There is much conjecture regarding what occurred at VeriSign, given how few details the company released to the public. My hope is that VeriSign will do a better job than RSA did at providing a frank and comprehensive explanation of the affected products or services in a timely manner.

Other articles about the 2010 VeriSign breach from across the web:

From a more general perspective, I suspect we’ll be hearing more about such breaches due to the relatively recent guidelines published on breach reporting by the SEC. How many large critical infrastructure organizations haven’t been compromised at this point? How many of them actually know that this has happened?

Lenny Zeltser

About the Author

Lenny Zeltser is a seasoned business and technology leader with extensive information security experience. He presently oversees the financial success and expansion of infosec services and SaaS products at NCR. He also trains incident response and digital forensics professionals at SANS Institute. Lenny frequently speaks at industry events, writes articles and has co-authored books. He has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania.