Attacks on the foundation of our industry

Security: Risk and Reward By Andreas M. Antonopoulos, Network World
April 01, 2011 10:09 AM ET

In the two weeks since my last column, the security industry has been rocked by several extremely serious attacks against some of our fundamental pillars of trust: two-factor authentication (RSA SecurID) and SSL certificates (Comodo). 

As I started writing this column, more bad news streamed in: Comodo announced that another two registration authorities were compromised, the European Parliament and Commission are under sustained attack, and the US CERT has issued an early warning "derived from analysis of the RSA attack". If you feel inclined to crawl under a table in the fetal position, no one can blame you: this all sounds like the root of trust in our industry has been uprooted. Let's separate the hype from the less dramatic, but still quite harsh, reality.

Neither the attack against RSA nor the one against Comodo has resulted in additional attacks or compromises. A careful examination of the SecurID architecture and the attack leads me to believe that, while serious, this attack does not undermine the hardware-based two-factor authentication system. After all, it's two-factor, so it takes more than a compromised token to break in. Furthermore, SecurID is a layered and decentralized security system with some elements in the exclusive control of customers and not RSA. Two-factor token-based authentication is still solid, in the context of a good deployment and good operational processes. Similarly with Comodo, a stolen/spoofed certificate is only one part of what is needed to mount a successful attack - most modern browsers have additional security measures to detect a compromised SSL certificate. So the sky is not falling, not quite.

There is a dark and ominous storm brewing though. No matter how you look at these attacks, they add up to a pattern: the stakes have been raised and we've entered a whole new level of threat. What is obviously missing is the opportunistic and money-grabbing motivation that has been so prevalent in security breaches over the last decade. There's nothing opportunistic about these attacks; they are carefully targeted and appear to be very well planned. Worse, they are means to an end, part of a much longer-term play whose nature and goals are not immediately obvious. Someone out there is executing a much longer-term, higher-stakes and complicated plan, and they're doing so while ignoring ample opportunities to make a quick buck. That should worry us all greatly. I personally hate the term Advanced Persistent Threat (APT) because it is so vague, but at least it expresses the obvious conclusion that this is different from what came before.

Art Coviello's (RSA's executive chairman) open letter to customers hints at more information to come as the investigation develops: "As appropriate, we will share our experiences from these attacks with our customers, partners and the rest of the security vendor ecosystem". It is not only appropriate, it is critical that we all get an opportunity to learn from these attacks, and RSA's response is commendable for its speed and breadth. The level of detail in the initial analysis is lacking, so let's hold RSA to its promise. Our industry is under siege - this is a time to band together and share our knowledge and experience for the common security.
