Is Your ID Secur[e]? What’s Your Perceived Risk?

There has been much publicity surrounding the reporting of a breach of RSA’s systems in March 2011. What is more surprising about the breach, however, is that the subsequent attack on Lockheed Martin appeared to come as a complete surprise to so many. Why else would anyone steal information about RSA SecurID tokens if not to break into highly secret systems? The attack on RSA was purportedly planned carefully, likely using insider assistance, and had a clear motivation, namely, to gain access to high-value systems and abscond with the goods.

OK, so I agree that it’s easy to say, with 20/20 hindsight, that we all should have known. And one could have taken RSA chairman Art Coviello’s letter as reassuring. But now that it has been demonstrated that RSA’s pronouncements as to the likelihood of further compromise were overly optimistic, it’s harder to take the subsequent note from Mr. Coviello to the effect that customers are overreacting. As he put it in Siobhan Gorman and Shara Tibken’s article “SecurIDs Come Under Siege” in the June 7, 2011 Wall Street Journal, “The whole thing has reached a crescendo where customers don’t want to tolerate any level of risk, whether it’s real or perceived.” Real or perceived? Is there still a question as to the reality of the risk?

And now we learn that it could take six to eight months to replace up to 30 to 40 million active tokens in the hands of employees, contractors, and others at some 25,000 customers, according to a June 17, 2011 Wall Street Journal article, “Long Wait for RSA Security Tokens,” by Spencer E. Ante and Shara Tibken. That leaves plenty of time for attackers to “make hay.” I agree with Chris Wysopal, who is quoted in the article, when he wonders what level of risk might apply during this lengthy replacement period … and what customers should do in the meantime.
