Lesson from SecurID breach: 'Don't trust your security vendor'

What does a rash of attacks seemingly stemming from the RSA SecurID breach mean to most enterprises? That depends, experts say.

During the holiday weekend, defense contractor Lockheed Martin confirmed what had been swirling in speculation for a number of days -- that it was hit by a significant cyber-attack.

Days later, news reports broke claiming that defense firm L-3 Communications had also been targeted in considerable cyberattacks.

In both attacks, confidential information about the workings of RSA Security's SecurID products has reportedly been central to the intrusions, which followed on the heels of many other recent and high-profile attacks, such as those that hit Sony's PlayStation Network, HBGary and NASDAQ's Directors Desk web software used by Fortune 500 companies.

The question remains: What do these attacks mean for the typical CISO working to keep their corporate infrastructure secure? "Not a whole lot," argues Mike Rothman, an analyst with the security research firm Securosis. "If it's their SecurIDs that they are concerned about, they probably have bigger problems. If you are expecting one particular control to keep the bad guys out, you are probably more stupid than you are naive."

He adds: "You have to have depth of defenses. You have to monitor and segment your network traffic, and perform all of the other security controls we talk about all of the time."

Pete Lindstrom, research director at Spire Security, agrees. "These recent attacks mean mostly nothing to the typical enterprise," he says. "If you are a SecurID customer, you should be in touch with RSA Security to see what the extent of your risk may be. But I'm not convinced that a strong link has been established between the contractor attacks and the RSA breach. There is a lot of jumping to conclusions going on here."

That may be so; however, the lack of transparency from RSA Security hasn't helped to stem any concern. CSOonline reached a number of RSA SecurID customers this week, but they couldn't discuss what exactly RSA has revealed to them about the nature of the breach because of signed non-disclosure agreements.

While the breaches don't change how most enterprises should defend themselves, they do send a number of messages to the marketplace -- and act as a warning to those operating within the critical infrastructures, says Vik Phatak, CTO at NSS Labs. "Don't trust your security vendor. That is the overriding message. When their financial interests differ from yours -- don't trust them," he says. "By not being more transparent with what actually was stolen, they are dictating to their customers what their acceptable level of risk is."

"If you are a CIO, you have to assume that the product is flawed or compromised, and you have to look at finding a plan B for authentication," Phatak says.

Some industries may have less time than others to develop that plan, he says. "Now that the attackers have shown their hand, and that they are attacking companies associated with the critical infrastructure, you have to assume that they are going to move through their list of targets as quickly as possible. They know that they have a limited amount of time before companies protect themselves from this," he says. "That creates a lot of urgency for everyone in those industries. The clock is ticking for them."

For everyone else, not much has changed.

George V. Hulme writes about security, technology, and business from his home in Minneapolis, Minnesota. You can also find him on Twitter as @georgevhulme.

Copyright © 2011 IDG Communications, Inc.