Were RSA’s SecurID Security Tokens to blame for Lockheed Martin Hack?

Much of the publicity around the recent Lockheed Martin hack is pointing the finger at RSA.

SC Magazine have an interesting summary of the situation but the best bit is towards the end:

[Steve Watts, co-founder of SecurEnvoy] said: “The RSA Security breach occurred in mid-March, which has given its users more than two months to review their reliance on RSA Security’s technology on their systems. So the question here is: what has Lockheed Martin’s IT department been doing for the last ten weeks?

“That entire affair should have triggered alarm bells ringing in any corporate IT security office, especially given RSA’s deafening silence at the time. For Lockheed Martin’s IT security managers to blame an apparent successful incursion into their systems on a ten-week old widely-reported breach of one of their key IT suppliers is diverting publicity from its own security process failings.”

This is quite an important point. When the news of RSA’s breach became public knowledge, any organisation using the tokens should have been reviewing its security processes to establish whether the breach could affect it and, if so, how badly: in particular, what an attacker holding compromised token data could reach, and what other controls stood in the way.

It is imperative for an organisation of any size to keep ahead of security developments affecting the technology it uses, and when something does break it must convene a risk management group to determine its response. Even for an organisation the size of Lockheed Martin, ten weeks is long enough to plan and implement a risk mitigation strategy.

RSA shouldn’t be let off the hook here either. While they can’t be blamed for wanting to minimise their reputational damage, their reluctance to admit the scale of their compromise has pretty much ensured that some of their customers will suffer the pain as well, because those customers could not properly assess a risk whose extent they were not told. A big player like RSA might get away with it, but realistically it is a fair bet that there are now angry customers with no intention of remaining with their authentication system.

Bringing this sort of event closer to home: a big brand like RSA or Lockheed Martin can survive this sort of damage (even if only just), where the costs can potentially spiral into millions of dollars, but is it so easy for a small or medium enterprise? In Lockheed Martin’s case, it really is a situation where an ounce of prevention would have saved a pound of cure.

Taz Wake - Halkyn Security

Certified Information Systems Security Professional with over 19 years’ experience providing in-depth security risk management advice to government and private sector organisations. Experienced in assessing risks and producing mitigation plans worldwide, in both peaceful areas and war zones. Additionally, direct experience of investigating security lapses, producing reports to an evidential standard and conducting detailed interviews to establish the facts of an incident. Has a detailed understanding of the Security Policy Framework (SPF) and JSP440, as well as in-depth expertise in producing cost-effective solutions in accordance with legislative and regulatory guidelines. Experienced in accrediting establishments and networks, and in project managing the development of secure, compliant, workable business processes.