
Lesson from SecurID breach: Don't trust your security vendor

During the holiday weekend, defense contractor Lockheed Martin confirmed what had been swirling in speculation for a number of days -- that it was hit by a significant cyber-attack.

Days later, news reports broke claiming that defense firm L-3 Communications had also been targeted in considerable cyberattacks.

In both cases, confidential information about the workings of RSA Security's SecurID products has reportedly been central to the attacks, which came on the heels of many other recent and high-profile attacks, such as those that hit Sony's PlayStation Network, HBGary and NASDAQ's Directors Desk web software used by Fortune 500 companies.

The question remains: What do these attacks mean for the typical CISO working to keep their corporate infrastructure secure? "Not a whole lot," argues Mike Rothman, an analyst with the security research firm Securosis. "If it's their SecurIDs that they are concerned about, they probably have bigger problems. If you are expecting one particular control to keep the bad guys out, you are probably more stupid than you are naive."

He adds: "You have to have depth of defenses. You have to monitor and segment your network traffic, and perform all of the other security controls we talk about all of the time."

Pete Lindstrom, research director at Spire Security, agrees. "These recent attacks mean mostly nothing to the typical enterprise," he says. "If you are a SecurID customer, you should be in touch with RSA Security to see what the extent of your risk may be. But I'm not convinced that a strong link has been established between the contractor attacks and the RSA breach. There is a lot of jumping to conclusions going on here."

That may be so; however, the lack of transparency from RSA Security hasn't helped to stem any concern. CSOonline reached a number of RSA SecurID customers this week, but they couldn't discuss what exactly RSA has revealed to them about the nature of the breach because of signed non-disclosure agreements.

While the breaches don't change how most enterprises should defend themselves, they do send a number of messages to the marketplace -- and act as a warning to those operating within the critical infrastructures, says Vik Phatak, CTO at NSS Labs. "Don't trust your security vendor. That is the overriding message. When their financial interests differ from yours -- don't trust them," he says. "By not being more transparent with what actually was stolen, they are dictating to their customers what their acceptable level of risk is."

"If you are a CIO, you have to assume that the product is flawed or compromised, and you have to look at finding a plan B for authentication," Phatak says.

Some industries may have less time than others to develop that plan, he says. "Now that the attackers have shown their hand, and that they are attacking companies associated with the critical infrastructure, you have to assume that they are going to move through their list of targets as quickly as possible. They know that they have a limited amount of time before companies protect themselves from this," he says. "That creates a lot of urgency for everyone in those industries. The clock is ticking for them."

For everyone else, not much has changed.

George V. Hulme writes about security, technology, and business from his home in Minneapolis, Minnesota. You can also find him on Twitter as @georgevhulme.
