Google “RSA hack” and you'll find a litany of news items, tweets and opinions about the spear phishing attack that exploited an Adobe Flash zero-day vulnerability to steal SecurID-related intellectual property. Is all this discussion overkill?We're talking about RSA here. It is one of the most well-respected names in the information security marketplace. This is a company that launched the careers of some of today's leading security minds, saw a gathering of cryptographers in a small hotel boardroom turn into a still-thriving industry conference (though the event is now operated separately from the vendor), and became an independent division of an even larger corporation, EMC.
So, it is in this history that media coverage and industry chatter is fully warranted. The banter also is well-rooted in what many deem to have been a questionable response to both the public and customers. After an initial open letter from Art Coviello discussing the compromise, a few more details have been released about the attack. More recently, RSA reportedly approached executives from some larger customers to whom they offered to provide more facts about the attack to help them mitigate against worst-case scenarios. However, to hear the particulars, enterprise reps must sign a non-disclosure agreement. This has some suspicious customers researching solutions that eventually may replace SecurID shops. Others are still biding their time as they have yet to see compromises.Undoubtedly, this event will reap more news coverage in the future. Even now, some pros once affiliated with RSA in some form or another have informed me that this breach is no surprise to them, as the infrastructure of the security company – despite its business – was rather porous.
In marking its milestones in IT security history, RSA has become a longstanding organization whose two-factor authentication solutions have been around for even longer. That cybercriminals targeted critical information about these tokens to undermine the very security the devices are supposed to offer should be of no surprise to anyone, really – porous network or not.A little ironic? Sure. But, it is more a question of who has got the backs of the security players who are supposed to have their customers' backs? If the RSA incident is an example, it looks to be the bad guys.