RSA released a statement on its website detailing an online attack which had resulted in “certain information being extracted from RSA’s systems”.
“While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack.”
I’m impressed and scared that RSA has categorized the threat as APT (which I think should be called OPT, Organized Persistent Threat). Impressed that they are being upfront on a matter such as this because admitting to APT strong suggests penetration has been ongoing and scared because it’s RSA and the implication for organizations that use RSA’s two factor authentication products.
Schneier’s take, in part:
RSA Data Security, Inc. is probably pretty screwed if SecurID is compromised. Those hardware tokens have no upgrade path, and would have to be replaced. How many of the company’s customers will replace them with competitors’ tokens. Probably a bunch. Hence, it’s in RSA’s best interest for their customers to forget this incident as quickly as possible.
There seems to be two likely scenarios if the attackers have compromised SecurID. One, they are a sophisticated organization who wants the information for a specific purpose. The attackers actually are on RSA’s side in the public-relations spin, and we’re unlikely to see widespread use of this information. Or two, they stole the stuff for conventional criminal purposes and will sell it. In that case, we’re likely to know pretty quickly.
As always, the comments on Schneier’s blog are often quite interesting.
For those of you on LinkedIn, there is a fascinating debate about the possible implications of the attack in Stewart’s Security Forum (membership in the Forum required to access the discussion), which has spilled over into a debate about how secure biometric authentication is. As an aside, one of the aspects that I love about technology and the law, particularly in the privacy and security field, is extraordinary intelligence of many of actors. In a field that is evolving daily, it takes tremendous energy and intellect to be at the top of the game. I have to say that I am very luck to work with such extraordinary people across the field.
The press release is pretty vague and tries to send the message that all is well. RSA is no doubt trying to do damage control and keep its business from taking too large of a hit. Organzations must do their own assessment of the risk and demand adequate information from RSA to make an informed decision of the risk and the countermeasures that need to be deployed.
I am reminded of an incident where I was notified by a very large vendor (a data control in its own right) that notified me of a large breach that only affected 10 of my customers. Upon reading the reports in the paper, I realized that the information released increased the risk of another type of attack that vendor had not considered. I recontacted the vendor and asked for the data necessary to complete my risk analysis. After review, although the risk remained low, we determined that over 150,000 of our customers were put at risk from the incident. There are two lessons from this: (1) the organization will always seek to minimize damage to their organization, and (2) do your own independent investigation and risk assessment.
The fact is, incidents happen. When they do, by being an honest broker of the truth and working with customer to remedy the situation, you can minimize the business impact and, dare I say, strengthen the customer relationship in the long run. Everyone in this field knows incidents happen. While none of us will continue to do business with a vendor when shoddy practices come to light, I’ll go out on a limb and say RSA is probably not one for shoddy practices (though I am sure they are not perfect). If a vendor is honest, then I am more likely to stay with them. I can go to another vendor, but all things being equal, I now at least know that the vendor will inform me when there is an incident and work with me to resolve it. If I jump to another vendor, then I don’t know if the new vendor will be as forth coming, particularly as they now know I will dump them if there is a problem.
That may seem a little counter intuitive, but all things being equal, if nothing else is uncovered in the investigation, staying with the vendor is a consideration. I am reminded of one other story as well. In law school, during one of my placements, I had a fantastic manager. She was called to interview a person after a rather serious incident. I tagged along to take notes and do some liability related research based on the facts afterward. After the meeting, made an off the cuff comment to my manager that the person was likely to be fired. Her response was, “Why would I want to fire here. She made the wrong call, but she did try to think it through before making the decision. Although she was clearly wrong, she understands why and she sure has hell isn’t going to make the same mistake again. Why would I want to have to hire someone new and hope they don’t make the same mistake.”
The analogy works with vendors as well.