Large security vendor suffers breach
It’s been reported that RSA Security has been attacked, with the result being “certain information… being extracted.” Had you heard about this? I was alerted to it through my Google Alerts.
As a slight aside: I highly recommend the alerts – they deliver news and articles to you according to interests you specify, such as “Data Breach,” “Cyber Attack,” “Information Security,” and so on… or perhaps “Cloud Computing,” “Web 2.0.” You get the idea. Of course, “celebrity gossip” serves some too. But I use it for career purposes and general professional knowledge.
Back to the attack: RSA Security is a division of EMC2. EMC2 has many contracts with our federal government, for many tens of millions of dollars, for their SecurID system. SecurID generates a token which, used in combination with a password and user ID, grants secure (well…) access to systems at various government agencies.
These agencies include the Social Security Administration, the Department of Defense, and many others – it doesn’t get much bigger than this.
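The paragraph above describes the pattern SecurID follows: a user ID and password (something you know) combined with a one-time code from a token (something you have). The block below is an added example, not RSA's code and not the proprietary SecurID algorithm; it uses the public HOTP/TOTP standard (RFC 4226 / RFC 6238) with SHA-1 to show how a server verifies both factors, why the token seed must stay secret on the server side, and how a small clock-drift window is handled. The user record, salt, password and seed are all constructed demo values (the seed is the RFC 4226 test key).

```python
import hashlib
import hmac
import struct

# Constructed demo user record. In a real deployment the OTP seed is provisioned to
# the token and stored server-side, and the password is stored only as a salted hash.
DEMO_SALT = b"demo-salt-not-random"          # constructed; use os.urandom() in practice
USER_DB = {
    "alice": {
        "salt": DEMO_SALT,
        # constructed demo password "correct horse", stored as a PBKDF2-SHA256 hash
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", DEMO_SALT, 100_000),
        # constructed 20-byte OTP seed: the RFC 4226 test key, NOT a real token seed.
        # Anyone holding this value can compute the same codes the token produces,
        # which is why seed material is the crown jewel of a token-based system.
        "otp_seed": b"12345678901234567890",
    }
}


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time divided by the step."""
    return hotp(seed, at // step, digits)


def verify_login(user: str, password: str, token_code: str, now: int,
                 step: int = 30, skew: int = 1) -> bool:
    """Two-factor check: user ID + password + current token code.

    Accepts codes for the current time step and up to `skew` adjacent steps so that
    a slightly drifted token clock does not lock the user out. Both factors are always
    evaluated so the response does not reveal which one failed.
    """
    rec = USER_DB.get(user)
    if rec is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 100_000)
    pw_ok = hmac.compare_digest(candidate, rec["pw_hash"])

    counter = now // step
    otp_ok = any(
        hmac.compare_digest(hotp(rec["otp_seed"], counter + d), token_code)
        for d in range(-skew, skew + 1)
    )
    return pw_ok and otp_ok


if __name__ == "__main__":
    # Constructed timestamp 59 falls in time step 1 (59 // 30), matching the RFC vectors.
    print(totp(USER_DB["alice"]["otp_seed"], 59))            # 287082
    print(verify_login("alice", "correct horse", "287082", now=59))  # True
    print(verify_login("alice", "wrong password", "287082", now=59))  # False
```

The drift window is a deliberate trade-off: each extra step accepted widens the set of valid codes at any moment, so keep `skew` small and, in a real server, also reject a code that was already used within the window.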
At present there is no data loss being reported (that is, customer or individuals’ data); however, it’s thought that the “extracted” information may grant a successful attack later – presumably with the further breach of critical content.
Art Coviello, RSA Executive Chairman, said: “We do not believe that either customer or employee personally identifiable information was compromised as a result of this incident.”
Hmmm… “We do not believe…”. Would those words reassure you if a solutions partner, a security partner, gave them to you in a similar situation?
SecurID is not only in use at government agencies. A leading Fortune 500 chief security officer has been quoted, albeit namelessly: his company processes payroll transactions worldwide, and it uses SecurID. He states that RSA provided details, within minutes, on how the breach occurred so that they could defend against a possible attack.
Within minutes? Color me skeptical on that one. :^ ) Oh. Perhaps they mean 180 minutes, 240 minutes – something like that.
In today’s environment, where even the big dogs themselves are exposed to risks that actually materialize, what should you do? Learn how to spot signs of breach or malfeasance in your environment. Deploy the products and engage the security solutions partners that make you most comfortable. But don’t lean entirely on vendors, solutions, and solutions partners.
You have to also stand on your own in actively surveying for risk and possible incursions.