Usually when there's been some kind of major hacking, we get word from security firms like Kaspersky Lab (News - Alert) and the like telling us about how important strong passwords are and how we need to rotate such passwords and other similar tips. But what happens when it's the security firms like Kaspersky Lab that get hacked? That's just what happened Wednesday.
While the Moscow-based Kaspersky Lab was quick to assure its customers that data was safe—reports suggest that the hackers didn't even target the user information, rather focusing on Kaspersky's internal systems and “intellectual property” storage—the fact that the company was successfully hacked at all raises distressing questions. Reports also note that the hole in Kaspersky's systems used to break into the operation in the first place had since been fixed.
Kaspersky Lab also noted that the hackers were “a generation ahead of anything seen,” and apparently focused on methods designed to exploit “zero-day vulnerabilities,” as in finding the things even the developers didn't know had gone wrong. Kaspersky wasn't naming names when it came to who it believed attacked, but suggested that a government was behind it due to the sheer costs of the infrastructure needed to stage such an attack.
But if Kaspersky Lab itself—whose tools are frequently used by companies who want to protect against such a fate—is hacked, then what hope do the rest of us have to remain safe from intrusion? Attacks are happening on a daily basis by some reports, and indeed, word from Verizon (News - Alert) Enterprise Solutions estimates that there were 700 million compromised records from companies worldwide combining to make losses of $400 million total in just 2014. But the picture is likely even worse than that; Verizon Enterprise Solutions' study was reportedly based on 70 organizations that supply data for the study, so the actual losses of the other firms that exist and have suffered losses would likely make those totals soar.
There is, of course, one great point protecting most of us; most hacks are nowhere near this complex or aggressive. Most hacks seen by regular people are simple affairs that can often be turned away with a fairly decent password. The kinds of hackings seen by places like Kaspersky are huge affairs requiring ridiculous amounts of funding to carry off, something that's not going to be done by someone wanting access to a bank account that may contain four to five figures. Essentially, the hope that most of us have is that the return on investment isn't going to be sufficient; sure, if Kaspersky can be broken, anyone can be broken, but look at what it would take. A person could invest in a great security system only to discover that a particularly ambitious thief took a chainsaw to the side of the house.
In a way, none of us are ever safe. But thieves are no different from any other business in one particular point: thieves must be profitable to survive, and no thief will survive long using Kaspersky-grade methods to break into a PayPal (News - Alert) account. So the normal protection methods will likely be proof against the normal attacks, and most of us can sleep soundly at night knowing we probably won't be hacked by a government sufficiently ambitious to attempt to break into an operation like Kaspersky.