Invisible Breach

There was a worm called Code Red. Named not after the energy drink but after the Mountain Dew Code Red the analysts were chugging through the all-nighter when they found it. In 2001 it exploited a vulnerability in IIS and spread across the world.

Security back then was visible. CGI permissions set to 777, writable by anyone. .htaccess not applied. Directory listing enabled, files exposed for all to see. The damage was visible too. Files defaced. You looked, you knew.

Now you look and know nothing.

One sharing toggle in Google Docs and an internal document goes public worldwide. A misconfigured S3 bucket policy leaks customer data. Not an attack. A configuration error. The perimeter dissolved. Where it blurs, tracing the source of leaks gets harder.

Logs cannot be trusted either. An intruder rewrites the log and the trail vanishes. O'Reilly's Practical UNIX Security recommended printing logs to a physical printer in real time. Paper cannot be tampered with remotely. It reads like a joke now. They were dead serious then.

As applications matured, logs became structured, output as JSON. CloudWatch, Datadog, Splunk. Aggregate, search, visualize. None of it matters if you do not know what to look for. Recognizing the abnormal requires knowing the normal first.

The breaches that make the news are the obvious ones. Stolen data listed for sale. Services taken down. Ransom demanded. How many organizations are being quietly, persistently drained of information without ever noticing? No one knows.

They got in. You never knew. That is the scariest part.