Andrew Buss, originally published on Freeform Comment
The recent news that RSA Security suffered an attack and breach that resulted in the theft of sensitive and confidential intellectual property relating to SecurID should be a cause for concern for many.
The good thing is that RSA Security had aggressive security measures in place that detected the attack and allowed it to take proactive steps to limit the scope of the attack and to quickly identify what had been accessed and stolen.
The downside is that the source code to the technology behind a good proportion of multi-factor authentication solutions is now most likely available for inspection to aid the creation of cracks or subversions. We can only hope that the information was limited in scope, and that RSA has been thorough in developing the code under a Secure Development Lifecycle approach that limits the attack surface and potential vulnerabilities, so that the security of the product does not depend on its source staying secret.
The event once again raises the issue of how to tackle security, and in particular the protection of the core information assets of a company. We’ve written on this in the past, particularly on the need to protect data across the company, and not just on devices such as laptops, tablets or smartphones. There is a prevailing mindset that because servers are located within a secure environment such as an access-controlled data centre, the data on them is also secure and access can be controlled by security policy such as Access Control Lists.
The reality is that such controls only constrain employees, and only those employees who follow policy; they do nothing against an intruder who bypasses them and reads the disk or database directly. Protecting data on servers needs more than this, and encrypting the data at rest is a proven method for doing so, provided the keys are held apart from the data they protect rather than on the same server. If crackers do gain access to the bits and bytes, making sense of them is then rather more difficult. Coming back to the RSA attack, it is somewhat ironic that a company that started out as the leader in encryption has itself fallen foul of this: the stolen data is potentially exploitable because it was unencrypted.
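To make the argument concrete, here is an added example (not code from the original post or from RSA) showing what "encrypting the data at rest" buys over an access control list alone. It uses Go's standard-library AES-256-GCM to protect a constructed sample record; the record text, the `tokens/...` label and the in-process key generation are all assumptions for the demonstration. The stored bytes do not contain the secret, a copy taken without the key is useless, and any modification of the stored copy is detected rather than silently decrypted.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// NewKey returns a fresh random 256-bit data-encryption key. In a real
// deployment this key lives in a KMS or HSM, not on the server that holds
// the data; generating it in-process here is an assumption for the demo.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM and returns the bytes that would
// actually be written to disk: nonce || ciphertext || authentication tag.
// label is authenticated but not encrypted (the record name or path); it
// binds the blob to its location so a thief cannot swap records around.
func Seal(key, plaintext, label []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// Fresh random nonce per record; nonce reuse under one key breaks GCM.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, label), nil
}

// Open reverses Seal. It fails if the key or label is wrong, if the blob is
// truncated, or if even one bit of the stored bytes has been altered.
func Open(key, blob, label []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("stored blob is too short to be valid")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, label)
}

// Exposed reports whether the plaintext appears verbatim in what sits on
// disk, i.e. whether copying the raw bytes hands over the secret for free.
func Exposed(blob, plaintext []byte) bool {
	return bytes.Contains(blob, plaintext)
}

func main() {
	// Constructed sample record for the demo; not real SecurID data.
	secret := []byte("serial=000123456789 seed=constructed-sample-seed")
	label := []byte("tokens/000123456789")

	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	blob, err := Seal(key, secret, label)
	if err != nil {
		panic(err)
	}
	fmt.Printf("on disk: %s\n", hex.EncodeToString(blob))
	fmt.Printf("secret visible in stored bytes: %v\n", Exposed(blob, secret))

	// Same bytes, wrong key: what a thief with the disk but not the KMS gets.
	otherKey, _ := NewKey()
	if _, err := Open(otherKey, blob, label); err != nil {
		fmt.Println("without the key:", err)
	}

	// One flipped bit in the stored copy is rejected, not silently decrypted.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := Open(key, tampered, label); err != nil {
		fmt.Println("tampered copy:", err)
	}

	plain, err := Open(key, blob, label)
	if err != nil {
		panic(err)
	}
	fmt.Printf("with the key: %s\n", plain)
}
```

The point of the label argument is the caveat from the paragraph above: an ACL decides who may ask the server for a record, while authenticated encryption decides what anyone holding the raw bytes can do with them, and only if the key is kept somewhere the same intruder cannot also reach.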