Take Heed of Lockheed’s Plight

I recall, about a decade ago, Dan Geer presenting to members of the FS-ISAC (Financial Services Information Sharing and Analysis Center) and warning that as security measures are strengthened, we put more valuable assets under their protection. Then, if there is a breach of that particular mode of security, the consequences are that much greater. He was speaking about the trend to increase the strength of authentication methods, such as biometrics, and the effect such methods have on individuals’ and organizations’ sense of security. Dan’s wise words have stuck in my mind ever since.

And they came to the fore when we learned in March 2011 that hackers had broken into the RSA systems and purportedly could have stolen SecurID details of tens of millions of customers as well as RSA’s secret sauce. Art Coviello, RSA’s executive chairman, posted “an open letter” on the RSA website at http://www.rsa.com/node.aspx?id=3872 in which he described the attack as an APT (Advanced Persistent Threat), as if that might be an excuse for having fallen victim. All too often, senior executives appear to think that if they portray the attackers as really smart and their exploits as highly sophisticated, that somehow exonerates them for not having protected against these attacks.

In any event, Mr. Coviello goes on to say that “we are confident that the information extracted does not enable a successful direct attack on any of our SecurID customers,” although he admits the “information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack.”
