The RSA security breach - 12 months down the technology turnpike.

Author: Kemshall, Andy
Position: Geographic overview

It's been 12 months since the security world woke to the horror that RSA Security's systems had been compromised and - as the company has reluctantly confirmed - its many tens of millions of SecurID hardware tokens would have to be re-issued to clients. Andy Kemshall, CTO of SecurEnvoy, reviews the IT security fiasco and what could have been done to prevent the fallout ...

The sophisticated multi-pronged attack that struck RSA Security last March has resulted in the high profile IT security vendor overhauling the manufacturing and distribution of its SecurID tokens.

For readers who may have overlooked the saga, the attack compromised RSA Security's network of about 40 million tokens, and the stolen SecurID information was then used, in the early spring of last year, to launch an attack on a key RSA Security customer: Lockheed Martin, the US defence contractor.

Whilst RSA officials have sought to minimise the fallout from the security faux pas - pointing to the fact that it has staged a free re-issue of SecurID tokens to all its many customers - critics point out that it took the security vendor a week before it started talking to the press, and by implication, its customers about the problem.

It then took RSA until June to reveal which technology had been compromised by the attack, after which it started the lengthy process of re-issuing tokens to its clients.

That process - though ostensibly free - has actually cost clients using the hardware tokens many millions of dollars, pounds and euros in the staff costs of handling the re-issue, as well as significant other on-costs. As any CFO will confirm, whilst there are direct and indirect costs in any business activity, both categories involve the expenditure of money.

So there we have it - 40 million affected, a late apology and the hidden costs of a fiasco that almost certainly will have cost RSA Security a sizeable number of its customers, some of whom have defected to rival suppliers, and some of whom have made the leap to tokenless and other advanced forms of authentication.

And this revenue loss is before we even begin to talk about the fact that RSA Security has had to spend time and resources explaining what actually happened to its corporate clients - as well as developing new software to harden the company against further attacks and a reported seven-fold increase in the production of its tokens to cater for the replacement programme.

Art Coviello, the firm's executive chairman, has gone on record...
