The following text is copyright 2011 by Network World, permission is hearby given for reproduction, as long as attribution is given and this notice is included.

 

RSA: maximizing customer harm

 

By Scott Bradner

The news of the major breach at RSA broke about two months ago.  (http://www.networkworld.com/news/2011/031811-rsa-warns-securid-customers-after.html )At the time I complained that the company was not being all that up front in telling its customers what the breach might mean to them. (see Ensuring mistrust http://www.networkworld.com/columnists/2011/032811bradner.html)  Now we hear that the break in at the giant defense contractor Lockheed Martin may be an example of the fallout of the RSA breach.  (see RSA tokens may be behind major network security problems at Lockheed Martin - http://www.networkworld.com/news/2011/052611-lockheed-martin-outage.html?hpg1=bn ) But, you would still be hard pressed to find any useful information on the RSA website (http://www.rsa.com).  The only thing on the front page that seems to be related is a "new security brief" on " Mobilizing Intelligent Security Operations for Advanced Persistent Threats" (http://www.rsa.com/go/press/RSATheSecurityDivisionofEMCNewsRelease_21611.html), which seems to be a bit of a 'try to make money from what we did wrong' document.

Something real did happen at RSA, judging from the report in the Wall Street Journal that RSA is providing tens of thousands of free replacement SecureID tokens to Lockheed.

If you look hard enough on the RSA website you can find the April Fools Day blog posting on the attack (Anatomy of an Attack http://blogs.rsa.com/rivner/anatomy-of-an-attack/).  But RSA does not make it easy to find any anything relevant.  This is hardly the way that I would want a major security vendor to act.  As I write this, the Bloomburg cable TV channel is speculating on the likelihood that the Lockheed breach was, indeed, a result of the RSA breach.  (http://www.bloomberg.com/news/2011-05-29/lockheed-offered-help-after-cyber-incident-u-s-government-says.html) Not good press for RSA, made far worse, in my opinion, by RSA's refusal to come clean. 

From press reports, RSA seems to be justifying their refusal to provide key information - like what was actually stolen - on the assumption that it would make things worse for their customers.  That seems like a totally bogus rationale - hey RSA, it looks like the bad guys that took the info know what they got - the main people in the dark are the people that spent the big bucks on your products, you are not telling them how deep the do-do is.  You are also not saying that you will change the design of your products to make this type of breach unimportant in the future.

 

What should you do if your company gets hacked in a way that will impact your customers?  A lot of companies just want the problem to go away and do not want to shine any light on the situation because it could show that the company does not know what it is doing in the area of security.  The 'nothing to see here, move along' approach is harder now that most states require customer notification in the case of breaches that involve specific types of information, but some companies still try to follow that path. 

 

A far better path to ensure long-term customer trust is to provide all the information that will not actually harm the customers as you can.   Put a obvious link on your home page that customers can use to find out your side of the story and leave the link there until the threat is gone - i.e., do not follow RSA's lead.

 

disclaimer: Harvard is more of a leader than a follower but has not expressed any opinion on the RSA path so the above advice is my own.