The Public Eye with Eric Chabrow

Verisign Must Reveal More about Breaches

Transparency Will Help Verisign Gain Stakeholder Trust
Verisign Must Reveal More about Breaches

Verisign Inc. may have followed the letter of the law when revealing a series of breaches of its computer systems in 2010 in a filing with the Securities and Exchange Commission last October. But the company that assures the flow of a hefty portion of Internet traffic should have done more to ease the minds of its various constituencies.

See Also: When Every Identity is at Risk, Where Do You Begin?

The company, in its Oct. 28, 2011, SEC filing and a statement issued the night of Feb. 2, said the attacks likely did not target the domain name servers it operates that routes web traffic to .com, .net and other domains [see Verisign Breached Several Times in 2010]. Still, Verisign is such an important company to Internet security - one we all must trust - that it needs to be more forthright in explaining what happened.

Perhaps Verisign has been mute because top leaders at the company didn't learn of the breaches until at least nine months - perhaps longer - after they occurred. According to the SEC filing:

"We experienced security breaches in the corporate network in 2010, which were not sufficiently reported to management. ... at the time they occurred for the purpose of assessing any disclosure requirements. Management was informed of the incident in September 2011 and, following the review, the company's management concluded that our disclosure controls and procedures are effective. However, the company has implemented reporting line and escalation organization changes, procedures and processes to strengthen the company's disclosure controls and procedures in this area."

Questions that Need Answers

Verisign's SEC filing is perplexing in so many ways, and raises additional questions that the company must answer.

How many incidents occurred? "We experienced security breaches," the filing states, but later adds "(m)anagement was informed of the incident."

What's the meaning of the statement that Verisign's "disclosure controls and procedures are effective?" Is this legalese that focuses just on financial disclosure? Is a process effective when senior executives don't learn of significant breaches for months? The executives must have thought the cyberattacks were significant enough to warrant disclosure in an SEC filing. Verisign revealed the breaches in the SEC report because the hacks could have a potential, adverse affect on corporate finances.

Also odd, in one sentence Verisign characterizes the breach reporting process as "effective," and in the next sentence explains that the company implemented a new reporting process. Verisign should and can provide details on the new reporting process without sacrificing security; that would reassure all of its stakeholders.

Verisign also is vague when in 2010 the breaches occurred. This is crucial, because Verisign sold its digital certificate and authentication business to Symantec on Aug. 9, 2010, for nearly $1.3 billion.

Ripple Effect

Mac McMillian, chief executive of CynergisTek Inc., advises corporate clients on IT security and regulatory compliance, and says companies that might have used Verisign authentication wares before the sale need to know if they might have been compromised because it could affect how its customers comply with other regulations such as HIPAA and the HITECH Act.

Verisign hasn't said what information might have been exfiltrated, and added it was unaware if any of the stolen materials have been used: "The [IT] group implemented remedial measures designed to mitigate the attacks and to detect and thwart similar additional attacks. However, given the nature of such attacks, we cannot assure that our remedial actions will be sufficient to thwart future attacks or prevent the future loss of information. In addition, although the company is unaware of any situation in which possibly exfiltrated information has been used, we are unable to assure that such information was not or could not be used in the future."

No reassuring words here, however. Verisign's fiduciary responsibility is to paint a bleak picture of the outcome of a breach, even if in the hearts of top executives they don't believe such dire consequences will occur. Simply, they're hedging their bets to protect themselves should a worse-case scenario occur. As the filing states: "If we experience security breaches, we could be exposed to liability and our reputation and business could suffer."

Timeline

On the day of the SEC filing, Oct. 28, Verisign shares soared by 1.45 percent on heavy trading, two to three times higher than normal volume. If traders fretted about the breaches, there was no evidence of that in the value of Verisign stock. A day earlier, Verisign Chief Executive James Bidzos, Interim Chief Financial Officer John Calys and Corporate Treasurer David Ashley briefed stock analysts about the company's third-quarter financial performance in a 40-minute earnings conference call. Verisign furnished the analysts with an online link to a PDF document that provided rosy details on the company's third-quarter financial performance. Neither the executives in the earnings call nor the PDF document mentioned the 2010 breaches. The only mention of a breach in the document was a boilerplate, safe harbor disclosure statement that said such an attack could occur, a declaration most companies make.

On Feb. 2, I sent an e-mail to Verisign seeking answers to some of the questions raised in this blog, but the reply merely reiterated the company's belief that its DNS servers were secure.

In the world of information security, transparency is a popular phrase. Transparency doesn't mean giving away secrets that expose an organization to threats, but being forthright with its various constituencies about how it functions to assure stakeholders it's doing all it can to provide the availability, confidentiality and integrity of its digital assets. In other words, Verisign should be more transparent to assure that it's a company that can be trusted.



About the Author

Eric Chabrow

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.