RSA: More concerned with their revenue than your security?

The RSA breach, their initial reaction, and their follow-up communication regarding the Lockheed Martin attack (which they are admitting is related to the initial RSA breach) make us question their priorities.

Revenue and brand come first. Customer security is second.

Of course both of these are inter-related: you surely can't build a robust security brand given security incidents like this, and RSA's brand is forever tarnished with this breach.

Nonetheless, in the short term RSA's reaction to this incident clearly shows that, while the initial open letter wasn't downright un-factual, it did (apparently) downplay the risk. This and other elements associated with this incident call their priorities into question. Let's have a look at the first RSA Open Letter #1, published after the initial breach of RSA, and their follow-up RSA Open Letter #2, published after the resulting Lockheed Martin breach. Both letters are from Art Coviello, Executive Chairman of RSA.

Is RSA doing everything it can to protect customers?

RSA Open Letter #1: "We took a variety of aggressive measures against the threat to protect our business and our customers, including further hardening of our IT infrastructure."

Really? So RSA provided a critical security component for protecting PII for millions of people, as well as for the protection of government and defense secrets, and they weren't doing everything they could before this incident?! Profit margins for the RSA unit of EMC, according to Bloomberg News and May regulatory filings, apparently slipped from 67.6% to 54.1% due to costs associated with the breach. Frankly, even 50+% margins aren't bad. Could it really be that the RSA unit was kicking out annual profits on the order of hundreds of millions of dollars and they can't find the budget to do "further hardening" of their IT infrastructure until after this incident?
If customers really come first, I think they'd be investing some profits to do everything they can, before an incident like this.

"Advanced Persistent Threat", or oops, an employee violated security best practices.

Web: WWW.REDSPIN.COM  Phone: 800-721-9177  Email: INFO@REDSPIN.COM
RSA Open Letter #1: "Our investigation has led us to believe that the attack is in the category of an Advanced Persistent Threat (APT)."

Downplaying their culpability sounds like marketing to me. Was the attack sophisticated? Perhaps. However, most attacks involve a chain of events. Every link in the chain must succeed for an attacker to gain access. This is why we preach that organizations take a holistic view of security and address the entire risk profile; break any link in the chain (even a minor, seemingly benign, non-technical vulnerability) and the data is insecure. In this case, the entire attack started when an RSA employee in a core security division violated elementary security principles (and likely RSA's own security policy) by downloading and running an attachment. Even many average non-techy citizens would have the wherewithal to avoid this trick. Perhaps RSA should have been investing some profits into security awareness training.

Let's downplay the impact of the incident.

RSA Open Letter #1: "While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack."

In the first open letter, he qualified the statement quoted above by saying the breach in their systems did not enable a "direct" attack. Whatever that means, I guess it does not preclude attacks in general, which is clarified in his next open letter, after the successful attack against Lockheed Martin:

RSA Open Letter #2: "On Thursday, June 2, 2011, we were able to confirm that information taken from RSA in March had been used as an element of an attempted broader attack on Lockheed Martin."

If customers come first, I think a more straightforward profile of the true risk would be appropriate up front.
My experience is that RSA SecurID customers had become complacent about the risk to their systems due to the breach because of what they'd been hearing from RSA. I don't think RSA did their customers any favors by fostering this complacency with a sugar-coated view of the impact of the breach.

We'll do everything we can for our customers (except invest in new tokens).

RSA Open Letter #1: "Our first priority is to ensure the security of our customers and their trust. We are committed to applying all necessary resources to give our SecurID customers the tools, processes and support they require to strengthen the security of their IT systems in the face of this incident."
Apparently "applying all the necessary resources" did not mean replacing the customer tokens, which would be expensive but effective. Based on that lack of resource commitment, RSA seemed to have put its customers' data at risk, along with state secrets and the PII of millions of individuals. Of course, as the customers' knowledge of the risk associated with the RSA breach grew (because of the Lockheed Martin breach as opposed to RSA guidance), RSA has expanded the definition of "all necessary resources."

RSA Open Letter #2: "As a result, we are expanding our security remediation program to reinforce customers' trust in RSA SecurID tokens and in their overall security posture. This program will continue to include the best practices we first detailed to customers in March, and will further expand two offers we feel will help assure our customers' confidence:

- An offer to replace SecurID tokens for customers with concentrated user bases typically focused on protecting intellectual property and corporate networks.
- An offer to implement risk-based authentication strategies for consumer-focused customers with a large, dispersed user base, typically focused on protecting web-based financial transactions."

Let's give RSA the benefit of the doubt and presume that A) replacing the SecurID tokens will be a no-cost solution for the customers and B) implementing "risk-based authentication strategies" will not be a revenue generator. Assuming this is the case, then it's the right approach, but one that should have been undertaken at the outset.

Revenue vs. Customers.

According to Art Coviello's words, "Our customers remain our first priority"; however, according to RSA's actions it's not that clear cut.