Whilst weekend newswires were citing Lockheed Martin, the US defence contractor, as laying the blame for its data breach at RSA Security’s door, it should instead have been looking at its own IT security review procedures.
The RSA Security breach occurred in mid-March, which has given its users more than two months to review their reliance on RSA Security’s technology on their ITsec systems. I’ve always preached the need for multiple layers of security – including the use of two-factor authentication – so the question here is: what has Lockheed Martin’s IT department been doing for the last ten weeks?
It’s interesting to note that my colleagues over at NSS Labs said back in March that the RSA Security attack was a strategic move to grab the virtual keys to RSA’s customers. More than anything, however, that entire affair should have triggered alarm bells ringing in any corporate IT security office, especially given RSA’s deafening silence at the time.
Let’s put it quite simply: If the company that supplies the locks to your office is reported to have had its master keys stolen, what do you do? You change your office locks to those from another supplier.
And this is exactly what any competent IT security manager should have started doing, as soon as the RSA Security breach was reported. “This is contingency planning 101 material”.
In fact, the RSA Security hack in mid-March should have triggered a review of an organisation’s entire authentication security and its reliance on products from a single vendor.
Multi-layered security also means using technology from multiple vendors that take different approaches to defending the corporate digital realm.
If you start the planning and review process from the premise that your IT systems will eventually be breached, and then design your security defences on this basis, you end up with an intrinsically more secure system.
Modern IT security is all about building layers of defence on a modular basis, using today’s security tools – including multi-factor authentication with integrated redundancy and fail-safe systems. If one element is compromised, you switch in other elements, as laid down in your IT security contingency plans.
For Lockheed Martin’s IT security managers to blame an apparent successful incursion into their systems on a ten-week-old, widely reported breach of one of their key ITsec suppliers is diverting publicity from its own security process failings.
Security companies shouldn’t store customer keys on their premises – all keys should be randomly generated within the customer’s own premises, which means the customer is in control of their own security and therefore doesn’t need to trust any third-party manufacturer.