Take Heed of Lockheed’s Plight (Update as of 6/7/2011)

Note: Due to breaking news concerning the Lockheed breach, this article—originally published on Monday, June 6—has been updated.

Update: According to an article in the June 4, 2011 New York Times by Christopher Drew with the title “Stolen Data Is Tracked to Hacking at Lockheed,” Lockheed Martin confirmed the prior day (June 3) that the hackers who breached its networks did so “partly [emphasis added] using data stolen from a vendor [RSA].” Does this call for a retraction and restatement by Mr. Coviello?

I recall, about a decade ago, Dan Geer presenting to members of the FS-ISAC (Financial Services Information Sharing and Analysis Center) and warning that as security measures strengthen, we put more valuable assets under their protection. Then, if that particular mode of security is breached, the consequences are that much greater. He was speaking about the trend toward stronger authentication methods, such as biometrics, and the effect such methods have on individuals’ and organizations’ sense of security. Dan’s wise words have stuck in my mind ever since.

And they came to the fore when we learned in March 2011 that hackers had broken into RSA’s systems and purportedly stolen SecurID details of potentially tens of millions of users, as well as RSA’s secret sauce. Art Coviello, RSA’s executive chairman, posted “an open letter” on the RSA website at http://www.rsa.com/node.aspx?id=3872 in which he described the attack as an APT (Advanced Persistent Threat), as if that might be an excuse for having fallen victim. All too often, senior executives appear to think that if they portray the attackers as really smart and their exploits as highly sophisticated, that somehow exonerates them for not having protected against these attacks.
