Feb 28 2014

“Today I’m happy not to have an RSA Conference badge on me,” Mikko Hypponen, chief research officer at the Finnish security company F-Secure, told the inaugural TrustyCon conference in San Francisco yesterday.

Hypponen was referring to the RSA Conference, long one of the world’s most prestigious information security conferences, hosted by the industry vendor RSA.

RSA are known to many corporate computer users for their SecurID authentication tokens: the little key fobs, pictured in this post, that generate a one-time passcode for logging in to secure networks.

Sadly for RSA’s users, those tokens were compromised in 2010, and the company did its best to obscure, if not downright hide, the problem from both the industry and its customers.

However, the killer blow to RSA’s reputation was a Reuters article at the end of last year claiming the US National Security Agency had paid the company $10 million to weaken its security protocols.

The company denies this, but the damage was done. As Hypponen put it: “When a security company can’t be trusted, what do they have left?”

How RSA lost the trust of security professionals is a lesson for all of us: our businesses rely upon the goodwill of our customers and our peers. If we betray their trust, we hurt ourselves.


  One Response to “A breach of trust”

  1. Your assertion: “Sadly for RSA’s users those tags were compromised in 2010 and the company did its best to obscure, if not downright hide, the problem both from the industry and its customers…” is not accurate. For one thing, the attack on RSA happened in March 2011, not 2010. Also, contrary to your assertion, RSA worked extensively with its customers following the 2011 breach to communicate and mitigate potential risks of follow-on attacks. We’re talking thousands of meetings and calls with our customers in the immediate months following the attack. We believe this is a major reason why Lockheed-Martin was able to repel an attacker that may have tried to breach the firm’s network using information about SecurID that was stolen in the attack on RSA. And why there have been no other reported successful attacks on RSA SecurID customers using this information since that time. RSA didn’t try to “hide the problem from industry and customers” – it issued multiple public communications, including two very public letters from our Executive Chairman and a detailed blog describing the attack itself. It also held multiple events with customers and industry experts calling attention to the type of APT attacks that were carried out in the RSA attack. In effect, RSA rained down attention on itself to inform the industry of what it had endured. And a few months after the initial attack, when an attempted, yet unsuccessful, attack on one of its customers – Lockheed-Martin – had occurred, RSA offered all of its customers the option of token replacements. Only a small number of RSA SID customers – out of the 30,000+ – took us up on that offer.
