It was the best of cybercrimes; it was also the worst. The Lulz Security group (LulzSec) quickly became one of the most dramatic cyber-crime waves that we have seen to date. This small group of blackhats captured the media's attention with their hacking rampage that lasted for nearly two months.

For now, the LulzSec group claims to be off the air. In its wake, the authorities are working diligently to track down the individuals behind the attacks on international corporations such as Sony, the U.S. government (the CIA and the Senate), and a smattering of other websites.

Let's set aside the tempting David vs. Goliath angle of the LulzSec case. The fact is, after all the classes, training, patching, testing, perimeters and articles, these guys got in. They might not have made big money from such antics, but chances are that the next round of cyber attacks could cut much deeper.

While the LulzSec attacks were astonishingly quick and high profile, they are simply the latest in a series of grand cyber attacks. In previous months we found ourselves occupied by the RSA breach, attacks against PKI vendors, and the escapades of Julian Assange on WikiLeaks. After this string of malicious activity, people are really starting to question their confidence in security.

Could this be a healthy thing? Could we learn something from these very unfortunate events?

The Odds

Responses to the LulzSec attacks have been all over the map. Some organizations are on high alert; others are mindfully watching and evaluating the threat landscape. A smaller number remains unconcerned, since they still believe the likelihood of being targeted is very low. Could they be right?

While attending a recent security conference, a panel of speakers fielded an open-ended question – “Are security professionals winning the war against cyber attacks?”

One panelist responded with a telling point: “In order to win, we need to be perfect. For a malicious party to win, he needs only to exploit one mistake.”

This truly illustrates the challenges that we security professionals face every day, night, weekend and holiday. Over-confidence and unfounded optimism could have a steep price, because the odds are stacked against us.

Dealing with Reality

Closing our eyes and telling ourselves that we'll never be attacked simply doesn't work as a countermeasure. To better protect ourselves from an attack, we must first accept that cyber criminals will eventually attempt to break in.

Once we have accepted that, the question becomes: Will the criminals find a vulnerability and successfully exploit it? If the answer is yes, then what data could be exposed and how could the criminals escalate the attack and gain access to other sensitive resources? That's the beginning of a true “defense-in-depth” strategy for countering these risks.

Defense-in-depth isn't a single action, but rather a series of technical and administrative layers designed to prevent attacks and to contain the damage should an attack occur. Defense-in-depth starts with the technical countermeasures that we all immediately think of – firewalls, intrusion prevention systems, proxy appliances, virus scanners, etc. However, it must also encompass other layers of protection such as:

  • A good software patch management process
  • Device configuration review
  • Strong security policies
  • User education
  • Code review for home-grown apps
  • Application security reviews
  • Auditing and alerting mechanisms

By taking a multi-faceted defense-in-depth approach, we can greatly reduce the potential for compromise and continue to protect our systems and data. It's about as close as we can get to our goal of perfection in a very imperfect and sometimes scary world.

Matt Lidestri manages Internet security and products for COCC, an IT outsourcing and support firm serving credit unions and community banks in Avon, Conn.
