The cyber theft at RSA, the security solutions division of EMC, is shining a bright light on IT security. On 17 March, the company announced that information had been stolen relating to SecurID - a two-factor authentication product that manages IT access for 40 million people at over 30 000 companies.
RSA referred to the nature of the theft as an APT or advanced persistent threat - a category of cyber theft that is sophisticated, organised, long-term, determined, multi-faceted and at the top of the cyber crime food-chain. Another characteristic of an APT is its specific purpose: stealing corporate secrets.
Ironically, a 2010 report by Forrester Consulting for RSA and Microsoft suggested that many organisations concentrate on protecting 'custodial data' - the sort of mass customer information typically held by utilities, retailers, banks, government agencies, insurers and medical aids - but do not adequately safeguard their secrets. Regulations require specific protection of custodial data, but none exist for trade secrets - how they are protected is up to the organisation.
Beware the bogeyman
Opinions vary about the whole issue of APTs. Some people see them as a hyped bogeyman that is paraded by IT security vendors to motivate sales by promoting fear, uncertainty and doubt. That's probably true. I certainly position biometrics as a means to reinforce IT authentication, pointing out that the abuse of conventional credentials lies at the heart of most IT-based crime, including APTs. If users can't be identified - and passwords, PINs and cards can never do that - then the company loses control over who can access its systems and the information they contain.
But debates around the realities of APTs risk diverting attention from the central issue: the cyber theft of secrets is potentially far more damaging than the loss of custodial data. It really doesn't matter what such cyber crime is called.
The frequently used denial that APTs are primarily a threat made monstrous by security vendors does nothing to alter the fact that RSA has suffered a severe commercial setback.
The damage caused by the loss of custodial data could well be irrelevant compared to the consequences of stolen secrets. It can ruin a business if cyber villains steal information on deal negotiations, financials, research, forecasts, strategies, bid-prices for contracts, legal proceedings, designs, source code, formulae, product specifications and manufacturing processes.
And APTs typically target this 'knowledge-base' - the body of information that underpins a company's ability to produce products and services that compete successfully in their markets. It is information that generates revenue, increases margins and maintains competitive advantage.
Very bad, indeed...
Apart from the reputational damage caused by the APT at RSA, all credibility in one of its security products might be lost.
It can ruin a business if cyber villains steal information.
Mark Eardley is channel manager at SuperVision Biometric Systems.
If that happens, long-term revenue, profit and market share will fall substantially. Investments in the product's development, sales, marketing and support will no longer produce expected returns.
And what are the consequences for RSA if its customers' IT systems are breached as a result of the APT? The prospect of legal action by some heavyweight clients is not a cheery thought.
RSA is adamant it's extremely unlikely the stolen secrets will enable cyber villains to access clients' systems. But RSA also says its APT was “an extremely sophisticated cyber attack”. Could such "uber villains apply their sophistication and use their SecurID loot to mount lots more APTs?
After all, APTs employ a variety of techniques to break into IT systems, and as the term implies, these are persistent attacks.
Of course, this is all speculation and may well fall into the category of fear-mongering. But the cyber theft is causing commercial damage right now: RSA's bottom line is already being threatened.
Firstly, new deals or expansions of existing deals for SecurID are unlikely to be closed as soon as expected.
Secondly, at the end of March, Computer Associates (CA) announced it will swap SecurID tokens with its own IT authentication product - for free - and throw in a three-year enterprise licence. Talk about stepping into the breach. According to CA, hardware tokens are a security mechanism whose time has expired.
No doubt this is a noble move by CA to maintain the integrity of IT security within thousands of 'vulnerable' organisations. The fact that CA might supplant RSA - or perhaps more significantly, its parent, EMC - as a preferred IT supplier in some of these organisations is probably just a coincidence.
And there are other direct costs already incurred by this APT. In its initial Web site announcement, RSA said it had taken a variety of aggressive measures against the threat and was investigating it extensively. Fighting big fires costs big money. And at the moment, nobody knows just how big a fire it is fighting.
As part of this APT-induced fire-fighting in the last two weeks of March, RSA implemented a “massive outreach programme” that involved supplying over 60 000 customers with security info and advice; making 15 000 customer phone calls; conducting conference calls with another 5 000 of them and holding hundreds of face-to-face meetings. That's big bucks in 'outreach' alone.
So what is driving the growth of APTs and the damage they cause? Apparently, the falling value of custodial data - such as payment card details - has contributed to a shift towards the cyber theft of secrets. That view was expressed last year by Verizon in relation to its annual report on corporate data breaches. The market for stolen card data is said to be saturated, and the most able and best-resourced cyber villains are targeting secrets because they are a far more lucrative commodity. It would seem credible that this would fuel the rise of the APT.
It has also been suggested that their rise is fuelled by economic pressures: bad times breed bad crimes. When times are hard and competition fiercest, there are greater 'motivations' to steal, for example, someone else's technology rather than paying to develop it.
But every economic cloud has a silver lining, and the success of some companies isn't threatened by all this new-fangled hacking stuff. I read the other day that SA's sales are rising for companies supplying 007-style surveillance and counter-surveillance hardware. It appears cyber villains are not the only ones who are keen to find out what's going on behind closed corporate doors.
Share