A Platform Approach to Authentication. . . ‘cause you just can’t keep changing things out!
Last week I was pretty proud of myself when I came up with the term “Breach Speed” (See: “When things are moving just a little too quickly . . . the whirlwind of data breaches” ); and I know my colleagues have had to live with me being a little more insufferable than usual, ‘cause every time one of them mentions that they have to give a presentation I’m quick to jump in and remind them to use the term. The back of my brain is thinking “wouldn’t it be cool if this thing went viral?”
But to save you the pain, I’ll try to keep it in check here. And yet this past week saw a whole slew of developments that kept bringing it to the fore.
I guess the whole thing actually started the week before with the revelation from Lockheed Martin that it had suffered an attack. But this week Lockheed directly linked their breach to data that had been stolen earlier this year from security vendor RSA. The risks associated with the March attack against EMC/RSA have been the source of much speculation from the time it first became public – but what I found particularly significant in the story this week was the admission from RSA that they “accepted Lockheed’s findings and were working with customers to offset the risks through other measures.” (See: Stolen Data is Tracked to Hacking at Lockheed).
Now, for RSA’s big customers this was probably not new news. But for it to be stated publicly – well, to me that was news.
Part of me (the evil marketing part that doesn’t really have a heart) is just a little tempted to kick a competitor when they’re down. But the reality is, every company out there is at risk for these sorts of attacks. And they’re going to get worse!
The day before the news of Lockheed’s findings was reported publicly, our CEO, Bill Conner, was speaking at the West Virginia Homeland Security Summit & Expo alongside Sen. Jay Rockefeller and Secretary of Homeland Security Janet Napolitano. In his keynote address, Bill discussed the changing global arms race in cybercrime, noting that,
“in the past, cybercrimes against businesses in the United States were used by hackers looking to make a political statement or to gain notoriety within the hacker community. But today, those efforts have been replaced by more sophisticated, sinister and damaging attacks from all over the world. . . and if allowed to go unchecked they will continue to grow, find new ways of proliferating. . . thus finding new targets – both big and small, private and public.”
And as Lockheed Martin was raising the profile on its findings, it was reported that Northrop (another large aerospace contractor) was switching from RSA SecurID tokens to smart cards.
Towards the end of Bill’s address to the Security Summit he mentioned the need to control physical and logical access to facilities, computers, and networks that house important information. And the use of smart cards, as in Northrop’s case, is an ideal, cost-effective method to control access to these resources – and importantly, one that can be used for controlling both physical and logical access.
But in my mind organizations can no longer rely upon a single authenticator to protect access to their resources. As seen with the compromise of SecurID tokens, organizations are at risk if they’re dependent upon a single authenticator – and the smart, sophisticated cybercriminals that Bill referred to in his keynote address are very aware of this. Organizations need a platform that supports multiple authentication methods, and one that enables a quick switch from one method to another if something does happen.
I read another note this week that suggested that there likely won’t be a wholesale dumping by companies of their SecurID tokens – and even Lockheed has indicated that it planned to continue using the SecurID tokens. But clearly companies are considering their options (See: Stolen Data is Tracked to Hacking at Lockheed).
And for those that have done the risk assessment and are looking beyond their current inventory of SecurID tokens – or even those that rely upon another single authenticator product – consider a more versatile platform:
- one that supports multiple authentication mechanisms,
- provides flexibility to tailor the authenticator to the type of transaction and user,
- can adapt authentication to changing market requirements, and
- provides flexibility if the primary authentication mechanism does get compromised.
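As an added illustration of the platform described in this list (example code written for this post, not Entrust’s product or code), the sketch below makes each login mechanism a pluggable verifier, lets an administrator disable one mechanism centrally so enrolled users fall back to another, and lets the transaction type decide which mechanisms are acceptable. The users, secrets, OTP scheme and policy table are all constructed for the example.

```python
"""Added illustration, not Entrust's code: a minimal authentication policy layer
with pluggable verifiers, a central per-mechanism kill switch, and a
transaction-type policy. All users, secrets and policy values are constructed."""
import hashlib
import hmac

# Central switchboard: flipping one entry moves every user off a mechanism
# without re-provisioning anyone, provided they hold a second authenticator.
METHOD_STATUS = {"password": "active", "otp_token": "active", "smart_card": "active"}

# Which mechanisms each transaction type accepts (constructed policy).
TRANSACTION_POLICY = {
    "read_mail": {"password", "otp_token", "smart_card"},
    "approve_payment": {"otp_token", "smart_card"},
}

def _sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()

def _otp(seed, counter):
    # Stand-in for an event-based token: HMAC-SHA1 over the counter, 6 digits.
    mac = hmac.new(seed.encode(), counter.to_bytes(8, "big"), hashlib.sha1).digest()
    return f"{int.from_bytes(mac[-4:], 'big') % 1_000_000:06d}"

# Pluggable verifiers: stored reference versus what the user presents.
VERIFIERS = {
    "password": lambda stored, presented: hmac.compare_digest(stored, _sha256(presented)),
    "otp_token": lambda stored, presented: hmac.compare_digest(
        _otp(stored["seed"], presented["counter"]), presented["code"]),
    # Stands in for certificate validation against the card's credential.
    "smart_card": lambda stored, presented: hmac.compare_digest(stored, presented),
}

# Constructed directory: each user is enrolled with more than one mechanism.
USERS = {
    "alice": {"password": _sha256("correct horse"),
              "otp_token": {"seed": "alice-seed"},
              "smart_card": "card-serial-0001"},
}

def disable_method(method):
    """Administrative kill switch for a compromised mechanism."""
    METHOD_STATUS[method] = "disabled"

def usable_methods(username, transaction):
    """Mechanisms this user can still use for this transaction right now."""
    return sorted(m for m in USERS.get(username, {})
                  if METHOD_STATUS[m] == "active" and m in TRANSACTION_POLICY[transaction])

def authenticate(username, transaction, method, presented):
    if method not in usable_methods(username, transaction):
        return "denied: mechanism not usable"
    ok = VERIFIERS[method](USERS[username][method], presented)
    return "ok" if ok else "denied: bad credential"
```

Calling disable_method("otp_token") after a token-seed compromise leaves Alice able to approve payments only with her smart card, without touching her enrolment.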
There was a time when you weren’t likely to get fired for buying SecurID. But just try telling your boss that you’ve had to switch out your authentication platform a second time and you’re not likely to get another invite to the annual summer picnic.