April 4, 2011 - News from RSA executive chairman Art Coviello that the company's corporate security was breached, and its SecurID one-time-password product compromised, is a bit like hearing that the Pope has fathered a love child.

Unfortunately, RSA is offering little in the way of candor about the breach, instead proffering advice about hardening security systems, and protecting against attacks via social media or spear phishing. Nothing we haven't heard before, and obviously so difficult to achieve that the world's leading security vendor wasn't even able to lock out the beasts.

Despite the scanty details, the ramifications for banks, and their customers, are far-reaching; sources say that as many as 90 percent of U.S. banks use RSA tokens. For these, counting on two-factor authentication with an OTP just became a lot riskier. (Those who follow the evolution of threats knew OTP was already of little value as a standalone measure.)

Advice for bankers? If you haven't already, introduce your board to the phrase "advanced persistent threat." Talk about China, Google, the attacks on the Iranian nuclear plant and Nasdaq. Although it's been a security buzzword for a while, expect APT to become part of the everyday vernacular in the same way other disasters taught us more than we ever wanted to know about deep-water drilling and the ins and outs of nuclear meltdown.

Next, prepare for the coming iteration of the Federal Financial Institutions Examination Council's guidance on security for online banking. The FFIEC's new advice is circulating everywhere in unofficial form, with release rumored to be held up by industry lobbying against it. When it comes out, the guidance will surely call for more frequent risk assessments. Add APT as a category in that evaluation.

What of RSA? EMC's security unit could follow the lead of Heartland Payment Systems' CEO Bob Carr, who after his company's breach two years ago became an evangelist for encryption in the payments system. The problem with this approach is that RSA and Coviello are already cloaked in the security mantle. At the company's annual conference, Coviello's taken the stage for the last 10 years to discuss the importance of security in the face of pernicious threats.

Coviello has been at the helm of RSA since 1995, seen it through its own acquisitive spree and acquisition by EMC in 2006, and worked doggedly to re-invent the company beyond its namesake token. Worthy achievements, but it's hard to imagine the papacy surviving this type of scandal. As Coviello presciently noted in his RSA conference keynote speech in February 2011, "We are only as good as the last attack we have withstood."

This column originally appeared on Bank Technology News.
