Unfortunately, two security companies I respect were hacked in the past few weeks. This has resulted in significant negative publicity and may result in lost trust and lost sales. These companies are security companies and yet their security was breached. For me, this raises many questions. This blog is about the questions I would ask executives of both companies to learn from what happened to them.
Background on what happened at RSA
On Thursday, March 17 2011, RSA published the following open letter on its website, and followed up with a SecureCare Note.
RSA itself has been very tight-lipped about what actually happened, what was stolen, and what the risk is, except to call the attack an advanced persistent threat. It's not a surprise to learn that the attackers were sophisticated and tried hard over time to achieve their objective. There has been a lot of speculation in the blogosphere on what happened, as well as critique of how little RSA has revealed.
From the open letter, we learn that over a period of time RSA was attacked and that the attackers were able to successfully extract valuable information about RSA SecurID out of RSA. This information is valuable enough for RSA to warn all of its customers that the security of its flagship product may be reduced and, according to GCN, to temporarily stop shipping its tokens.
Background on what happened with Comodo
On March 22, 2011, the Tor Project, with help from Security Innovation's Ian Gallagher, published a blog post stating their belief that a CA had been compromised. Comodo followed up with this post on March 23 confirming a March 15 compromise.
A quick summary of what Comodo confirmed is that an attacker from Iran compromised a user account on one of their RAs and used it to issue himself certificates for major web properties.
A person claiming to be the Comodo attacker posted a long statement here where he outlined his motivation and methods. He says that he probed many leading SSL vendors' servers and found some vulnerabilities, but not enough for his attack.
He then attacked Comodo's InstantSSL.it service, gained control of it, and found that it was the TrustDLL.dll in C# that does the actual CSR signing. In his words: "I decompiled the DLL and I found username/password of their GeoTrust and Comodo reseller account. GeoTrust reseller URL was not working, it was in ADTP.cs. Then I found out their Comodo account works and Comodo URL is active. I logged into Comodo account and I saw I have right of signing using APIs."
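The attacker's own account above turns on one detail: credentials were string literals inside a compiled DLL, and compilation does not hide string literals. As an added example, not code from the post or from Comodo, the Python below shows the check a build or release pipeline can run over its own binaries to catch that mistake before an attacker does, plus the defensive alternative of resolving the credential at runtime. It assumes only that literals are stored as UTF-16LE, which is how .NET assemblies keep them in the #US heap; the blob, the literals, the "reseller" endpoint and the environment variable name are all constructed placeholders.

```python
import os
import re

# Constructed stand-in for a compiled .NET assembly. Real assemblies keep string
# literals as UTF-16LE in the #US heap, so this mimics that layout by placing
# UTF-16LE literals between non-printable filler bytes. Every value is made up.
def build_fake_assembly():
    literals = [
        "https://api.example.invalid/reseller/sign",  # placeholder endpoint
        "resellerUser",                              # constructed username
        "Pa55w0rd!",                                 # constructed password
        "CSR signed successfully",
    ]
    blob = bytearray(b"MZ\x90\x00" + b"\x00" * 16)  # fake PE header prefix
    for s in literals:
        blob += s.encode("utf-16-le") + b"\x00\x00" + bytes(range(3, 11))
    return bytes(blob)

# A run of at least six printable ASCII characters, each followed by a NUL byte,
# is the UTF-16LE signature of an embedded literal. This is exactly what the
# classic `strings -el` tool looks for; no decompiler is needed.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")

def extract_utf16_strings(data):
    """Recover every UTF-16LE literal from a binary blob."""
    return [m.group(0).decode("utf-16-le") for m in UTF16_RUN.finditer(data)]

def looks_like_secret(s):
    """Heuristic: password-shaped literals mix at least three character classes,
    contain no spaces and are not URLs. Tune for your own code base."""
    if len(s) < 8 or len(s) > 64 or " " in s or "://" in s:
        return False
    classes = sum([
        any(c.islower() for c in s),
        any(c.isupper() for c in s),
        any(c.isdigit() for c in s),
        any(not c.isalnum() for c in s),
    ])
    return classes >= 3

def flag_credential_like(strings):
    """Return the literals a release gate should block on."""
    return [s for s in strings if looks_like_secret(s)]

# The hardened pattern: the binary carries only the *name* of the secret; the
# value comes from the deployment environment (or a secret store) at runtime
# and the code fails closed if it is absent. RESELLER_API_KEY is hypothetical.
def load_reseller_credential(env_name="RESELLER_API_KEY", env=None):
    env = os.environ if env is None else env
    value = env.get(env_name)
    if not value:
        raise RuntimeError(f"{env_name} not configured; refusing to run without it")
    return value

if __name__ == "__main__":
    found = extract_utf16_strings(build_fake_assembly())
    print("literals recovered from the binary:", found)
    print("credential-shaped literals to block:", flag_credential_like(found))
```

Scanning your own build artifacts this way is cheap and catches the case the attacker describes: a reseller password that was present in plain sight the moment anyone read the DLL's string table. The runtime loader is the other half of the fix; once the secret lives outside the binary, decompiling it yields a variable name and nothing more.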
A few questions for RSA, Comodo, and all of us
RSA and Comodo are security companies. RSA has one of the best brands and reputations in the industry. Yet they were successfully attacked in a way that affects them and their customers. What happened? Here are some of the questions I would ask their executives:
Who was in charge of your security and were they and their team empowered?
It is far too easy to scapegoat the head of IT Security at both companies. They are a natural target and should obviously be questioned. The more interesting area of exploration is with the executive team themselves. Did they listen when security concerns were brought to them? Did they encourage a culture that welcomed this and responded to it with action? Were individual contributors able to get their security concerns up to the executive suite or were they squashed by middle management?
What did you do to make the security of your customers' critical assets part of every employee's mission?
Was every relevant employee given ongoing training on secure coding best practices? Was the importance of this aspect of the company's mission, safeguarding its customers' trust, regularly highlighted by senior management? Were individual employees rewarded for sticking their necks out about a potential security risk?
Did Senior Management make tough calls to prioritize long-term security over short-term gain?
We've all been there. You are looking at your product, service, or IT roadmap and you have 20 things you want to do over the next quarter and you have to pick 5. A few of those features relate to security. They aren't going to give customers any shiny new benefits, no short-term competitive wins, just the boring slogging kind of features that make a product or service rock-solid. Which did they pick? Did senior management take the lead in pushing for doing the right thing, playing the long-term game, or not?
Did you get a second opinion...regularly?
There is no substitute for doing great work in the first place. But on something as important as security, you need a second opinion...repeatedly. How often was a third party brought in for black box and white box penetration testing? Once? Once in a while? Or as a regular part of a disciplined process? Was budget set aside for this, or did motivated middle managers have to scrimp and push for it?
Conclusion
There is no doubt that we face threats from unfriendly governments, criminal organizations, and disciplined individuals. Our attackers are advanced and they are persistent. Our defenses must be advanced. Even if we think they are, we should get a second opinion. But the key to all of our businesses is our people. The most important thing is that our attitude, effort, and culture be persistent ... persistently, deliberately focused on securing the trusted assets given to us to safeguard.