Q&A: Symantec’s CISO on the source code hack

Security firms haven't had an easy year. As RSA chairman Art Coviello said earlier this week at RSA 2012, vendors have been "going through hell."

Suppliers, certificate authorities and other tech companies have been battered by hackers. Symantec, the world's biggest security firm, has not escaped the attention of cyber criminals.

pcAnywhere customers know that more than anyone. They were told to disable their remote access software after hackers started taunting Symantec about the pcAnywhere source code they had acquired in 2006.

We caught up with Symantec's chief information security officer Patricia Titus, who only started four months ago, to talk about the situation and the aftermath.

Earlier this week, Art Coviello said the security industry had a horrible year. Have you seen any spikes in attacks on yourself?

Yes. It has been so targeted. I was talking to the CISO of Sony today and we were saying it goes in waves. You get that bullseye painted on you and then it is constantly hitting the front door and looking for any little area to exploit.

Did you have any spike in activity after the pcAnywhere revelations?

Yeah we did. We saw for about a two to three week period afterward there was a spike.

What happens is the media brings it up and everybody in town, all the little script kiddies and everybody who has nothing to do with their time says hey, let's go and get Symantec.' So the probes start and you're getting constant port scanning.

Coviello has also talked about de-investing in old, traditional technologies. Do you think it is dangerous that people might take this as a hint to ditch firewalls?

It's all still part of that defence in depth strategy. It's not a sexy term anymore, it used to be a great term, defence in depth.

You know what is critical to your organisation and if you don't you probably aren't in the right job.

But the bottom line is we still need those perimeters around the right data types. The problem has been people seeing the network as flat, the data all the same and you can't keep up with the investment.

There is a methodical approach to categorising your data and applying the security controls commensurate with the data level. So instead of treating all your data like it is mission critical, and having firewalls and IDS sensors and PKI and cameras and guns and badges - the whole nine yards - you can start to say this is low assurance data.

I would argue that you know what is critical to your organisation and if you don't you probably aren't in the right job. What's important to Symantec? What's the keys to our kingdom? Intellectual property.

If I were to target one system I would look at my IP depositories. I am looking at our IP. In fact, we're going back and looking at all previous events that took place.

Has that been inspired by the pcAnywhere source code leak?

It would have been inspired anyway just based on the categorisation exercise that we're going to go through in the company.

We've already started to look at our applications because we've merged with a lot of companies. We've acquired a lot of applications, a lot of databases, structured and unstructured data. We need to figure out who owns it.