Attendees at last week’s ShmooCon security conference were transfixed when news broke that a hacker breached part of Kaspersky Lab’s U.S. support site by exploiting a flaw in the site’s programming. Looking around the conference hall in Washington D.C., I could see large groups of people staring at the news on their mobile phones and expressing a variety of opinions.

The incident was small compared to security breaches suffered by the likes of TJX and Heartland Payment Systems. But it was a big deal to the security practitioners at the conference because Kaspersky is a security vendor, entrusted by its customers to keep this sort of thing from happening to them. Confidence in security vendors was shaken further when F-Secure admitted days later that its site had been the victim of a SQL injection attack.

Both vendors deserve credit for their candor. Kaspersky Senior Research Engineer Roel Schouwenberg put it bluntly: “This is not good for any company, and especially a company dealing with security,” he said. “This should not have happened, and we are now doing everything within our power to do the forensics on this case and to prevent this from ever happening again.” David Frazer, director of technology services for F-Secure’s North American division, admitted it’s embarrassing when a security company suffers a breach, no matter the size.

The honesty is appreciated, but they should be embarrassed. When security is your company’s business, even the smallest breach is worthy of scorn. If you can’t keep the bad guys out of your own database, how can customers reasonably expect that you’ll keep theirs safe? Of course, no company is 100 percent immune from attack, even the security vendors. The key is for the vendor to be up front about that reality from the outset, when the customer signs on. Kaspersky and F-Secure have solid reputations in the industry and will get through this.
The hope is that other security vendors study carefully what happened and plan accordingly. That means taking a hard second look at their own internal security, and being honest with customers that, like everyone else, they too are at risk.

About FUD Watch: Senior Editor Bill Brenner scours the Internet in search of FUD – overhyped security threats that ultimately have little impact on a CSO’s daily routine. The goal: help security decision makers separate the hot air from genuine action items. To point us toward the industry’s most egregious FUD, send an e-mail to bbrenner@cxo.com.