Earlier this week, RSA released a letter discussing the newest breaches involving the SecurID tokens. The letter from Executive Director Art Coviello stated that the Lockheed Martin breach didn't involve a new threat. I'm glad he said that because there are a lot of people out there who don't understand how interconnected breaches are.
The letter also included this:
We are expanding our security remediation program to reinforce customers' trust in RSA SecurID tokens and in their overall security posture. This program will continue to include the best practices we first detailed to customers in March, and will further expand two offers we feel will help assure our customers' confidence:
- An offer to replace SecurID tokens for customers with concentrated user bases typically focused on protecting intellectual property and corporate networks.
- An offer to implement risk-based authentication strategies for consumer-focused customers with a large, dispersed user base, typically focused on protecting web-based financial transactions.
It's a good step, but is it coming too late? A New York Times article, very aptly named, "RSA Faces Angry Users After Breach," stated:
[S]ecurity consultant, Alex Stamos, chief technology officer for iSEC Partners, said that many companies that use RSA tokens were irate about the hacking and RSA's response. He claimed that RSA misled customers about the potential problems after the initial hacking came to light. "Their whole excuse doesn't hold water," he said. By minimizing the problem for six to seven weeks, Mr. Stamos said that RSA made companies more vulnerable.
RSA will have a lot of work to do to rebuild the trust level of its customers, as a Wall Street Journal article pointed out:
However, customers remain concerned about the breach and whether the issues are truly resolved, with some holding off on new SecurID purchases as they examine other providers as well as evaluating the strength of their overall security.