RSA Breach: What Did We Expect?When We Rely on 20-Year-Old Tech, Breaches Happen
Tom Wills of Javelin Strategy & Research echoes Ranum's sentiment. "Whenever a security company with the stature of RSA takes a hit like this, without doubt, it negatively affects the trust held by customers and the market in general," Wills says. "The hackers, of course, know this, and security companies are their natural targets."
How can we expect to keep up with ever-emerging threats when we continue to rely on dated technology?
Maybe this kind of problem does happen to everyone. But should it? Remember NASDAQ? RSA seems to be just one more giant that's been pulled down by the tethers of persistent hackers.
Since news of the breach hit the wire late last Thursday, my inbox has exploded with reactions. The overarching theme: What did we expect? Hardware and software token technology has been around a long time -- perhaps too long. "The RSA SecurID token was not set by RSA," says Mike Angelinovich, CEO and co-founder of security company OHVA Inc. "It was used long before RSA was even around."
Angelinovich adds: "If we want to really improve online security, then these governing boards, such as the FFIEC, need to release some meat behind their requirements and not just offer guidance. Look at what has happened over the last five years under the FFIEC guidelines: Not much outside of annual record-breaking levels of online theft."
Even Stephen Northcutt of SANS Institute, who's been careful not to jump to conclusions about the RSA breach, says two-factor token technology may need some review. "The FFIEC should work closely with RSA to get good advice, so the guidelines can include information about what additional measures should be implemented to help security, to increase the security of two-factor authentication."
And IT security attorney David Navetta takes the breach as yet another piece of proof that anyone or any technology, for that matter, can be hacked.
SecurID's authentication solution, which is based on standard industry requirements for "something you know," such as a password or PIN, "something you have," like a token, and/or "something you are," like biometrics, is ancient by information security standards.
For that matter, the FFIEC's existing guidance for online authentication has not been updated since 2005. The FFIEC is expected to issue new guidance sometime this year, though it's anyone's guess as to when that might happen. And industry pundits have voiced repeated concerns that the proposed new guidance still misses the mark.
"The regulators' awareness of some of the threats is positive, and what they are trying to do on the business banking side is good," says former Bank of America executive David Shroyer, now a partner at risk assessment provider Fraud Red Team. Shroyer says the FFIEC draft update gives banks more insight about online threats. "But the new guidance is not explicit about antivirus updates and patches, and that's important," he says. "Financial institutions live and die by this guidance."
Others say the bigger issues are: 1. That RSA was hacked, and 2. How RSA responds.
"At this point, we don't know exactly what happened at RSA," Wills says. "Their communications have been carefully wrapped in marketing speak. It's hard to know the pure security impact of what happened. The crux will lie in how RSA recovers from the simple fact that they were breached. If they follow the example of Heartland -- admit the problem and take tangible steps to correct it -- I'm sure they will recover their good reputation."
Josh Corman, research director of enterprise security at analyst firm The 451 Group, says, "The noteworthy thing is it seems scary when the intellectual property of a security firm is targeted. And when attackers are prioritizing and attacking your security infrastructure, it potentially prevents our ability to protect our environment."
It's not the first time an attack on intellectual property has been waged, though it is the first time a security giant like RSA has been breached in this way. "The bar isn't high enough to stave off the attacks," Corman says.
For my part, I wonder what impact the RSA breach will have on the pending guidelines from the FFIEC. My first inclination is to assume very little. But wouldn't it be nice to be proven wrong?
How can we expect to keep up with ever-emerging threats when we continue to rely on dated technology that aims to comply with dated security guidelines and standards? It's a question worth asking, and even more worthy of an answer.