RSA: More concerned with their revenue than your security?
The RSA breach, RSA's initial reaction to it, and their follow-up communication regarding the Lockheed
Martin attack (which they now admit is related to the initial RSA breach) make us question their
priorities.

Revenue and brand come first. Customer security is second.

Of course the two are inter-related: you surely can't build a robust security brand on the back of
incidents like this, and RSA's brand is permanently tarnished by this breach.

Nonetheless, in the short term RSA's reaction to this incident clearly shows that, while the initial open
letter wasn't outright false, it did (apparently) downplay the risk. This and other elements of the
incident call their priorities into question. Let's look at RSA Open Letter #1, published after the
initial breach at RSA, and the follow-up RSA Open Letter #2, published after the resulting attack on
Lockheed Martin. Both letters are from Art Coviello, Executive Chairman of RSA.

Is RSA doing everything it can to protect customers?

RSA Open Letter #1: "We took a variety of aggressive measures against the threat to protect our
business and our customers, including further hardening of our IT infrastructure."

Really? RSA provides a critical security component protecting the PII of millions of people, as well as
government and defense secrets, and they weren't doing everything they could before this incident?
Profit margins for the RSA unit of EMC, according to Bloomberg News and May regulatory filings,
apparently slipped from 67.6% to 54.1% due to costs associated with the breach. Frankly, even 50+%
margins aren't bad. Could it really be that the RSA unit was generating annual profits on the order of
hundreds of millions of dollars and couldn't find the budget for "further hardening" of its IT
infrastructure until after this incident? If customers really come first, RSA would have been investing
some of those profits in doing everything it could before an incident like this.

"Advanced Persistent Threat" or, oops, an employee violated security best practices.


WEB: WWW.REDSPIN.COM   PHONE: 800-721-9177   EMAIL: INFO@REDSPIN.COM

RSA Open Letter #1: "Our investigation has led us to believe that the attack is in the category of an
Advanced Persistent Threat (APT)."

Downplaying their culpability sounds like marketing to me. Was the attack sophisticated? Perhaps.
However, most attacks involve a chain of events, and every link in the chain must succeed for the
attacker to gain access. This is why we preach that organizations take a holistic view of security and
address the entire risk profile: leave any link in the chain unaddressed (even a minor, seemingly benign,
non-technical vulnerability) and the data is insecure; conversely, break any single link and the attack
fails. In this case, the entire attack started when an RSA employee in a core security division violated
elementary security principles (and likely RSA's own security policy) by downloading and running an
email attachment. Many average, non-technical people would have had the wherewithal to avoid this
trick. Perhaps RSA should have been investing some of its profits in security awareness training.

Let's downplay the impact of the incident.

RSA Open Letter #1: "While at this time we are confident that the information extracted does
not enable a successful direct attack on any of our RSA SecurID customers, this information
could potentially be used to reduce the effectiveness of a current two-factor authentication
implementation as part of a broader attack."

In the first open letter, Coviello qualified the statement above (bolded in the original) by saying the
stolen information did not enable a direct attack. Whatever "direct" means, it evidently does not
preclude attacks in general, as his next open letter, issued after the attack on Lockheed Martin, makes
clear:

RSA Open Letter #2: "On Thursday, June 2, 2011, we were able to confirm that information taken
from RSA in March had been used as an element of an attempted broader attack on
Lockheed Martin."

If customers come first, a more straightforward profile of the true risk would have been appropriate
up front. My experience is that RSA SecurID customers had become complacent about the risk the
breach posed to their systems because of what they had been hearing from RSA. I don't think RSA did
its customers any favors by fostering this complacency with a sugar-coated view of the impact of the
breach.

We'll do everything we can for our customers (except invest in new tokens).

RSA Open Letter #1: "Our first priority is to ensure the security of our customers and their trust. We
are committed to applying all necessary resources to give our SecurID customers the
tools, processes and support they require to strengthen the security of their IT systems
in the face of this incident."

Apparently "applying all the necessary resources" did not mean replacing customer tokens, which
would be expensive but effective. By not committing those resources, RSA left its customers' data at
risk, along with state secrets and the PII of millions of individuals. Of course, as customers' awareness
of the risk associated with the RSA breach grew (because of the Lockheed Martin attack rather than
RSA's guidance), RSA expanded its definition of "all necessary resources."

RSA Open Letter #2: "As a result, we are expanding our security remediation program to
reinforce customers' trust in RSA SecurID tokens and in their overall security posture. This program
will continue to include the best practices we first detailed to customers in March, and will further
expand two offers we feel will help assure our customers' confidence:

• An offer to replace SecurID tokens for customers with concentrated user bases typically focused on
  protecting intellectual property and corporate networks.
• An offer to implement risk-based authentication strategies for consumer-focused customers with a
  large, dispersed user base, typically focused on protecting web-based financial transactions."

Let's give RSA the benefit of the doubt and presume that A) replacing the SecurID tokens will be a
no-cost solution for customers and B) implementing "risk-based authentication strategies" will not be
a revenue generator. If so, this is the right approach, but one that should have been undertaken at
the outset.

Revenue vs. customers.

In Art Coviello's words, "Our customers remain our first priority." Judged by RSA's actions, it's not
that clear cut.
