RSA Breach: Customer's Perspective

Tenable CSO Ranum Says Incident is a 'Teaching Moment'

Marcus Ranum isn't just a well-regarded information security expert. He's also a customer of the RSA SecurID product, and he's got some strong feelings about the RSA breach and how the industry has responded to it.

"I'm torn," says Ranum, CSO of Tenable Network Security, explaining why he chose to speak out about the impact of the RSA breach on his company and on the industry. "On one hand, it's a media circus - and I'm one of the clowns," he says. "It's showing once again that breaches get maybe an unwarranted level of attention, but it's also showing that [RSA's response] is a really effective and mature responsible way to handle a breach."

The breach impact on Tenable is negligible, he says. "We may have to upgrade some software." But his company is using the incident as a security lesson for employees. "We're using this as a teaching moment, as they say, to remind people of the importance of social engineering and to be ready to avoid that kind of thing."

The industry impact is more significant. "This is a decent wakeup call," Ranum says. "It shows that malware is not something that you can just blow off. These spear phishing attacks and these types of deep penetration are a serious problem."

In an exclusive interview about the RSA breach, Ranum discusses:

  • What RSA has told its customers;
  • The significance of the breach on the industry;
  • How the marketplace has responded to the breach.

Ranum is CSO of Tenable Network Security. Since the late 1980s, he has designed a number of groundbreaking security products including the DEC SEAL, the TIS firewall toolkit, the Gauntlet firewall and NFR's Network Flight Recorder intrusion detection system. He has been involved in every level of operations of a security product business, from developer, to founder and CEO of NFR. Ranum has served as a consultant to many FORTUNE 500 firms and national governments, as well as serving as a guest lecturer and instructor at numerous high-tech conferences. In 2001, he was awarded the TISC "Clue" award for service to the security community, and also holds the ISSA lifetime achievement award. In 2005 he was awarded Security Professional of the Year by Techno Security Conference.

TOM FIELD: Marcus, you are a customer of RSA SecurID. To what extent do you use the product?

MARCUS RANUM: Well, about 40% of our workforce is distributed, and we have VPN and since we've got researchers who are working on security vulnerabilities, it's pretty important to us to keep that stuff locked down tight. We use the SecurID key fobs as the login process for our VPN.

Message from RSA

FIELD: What have you been told so far about the breach from RSA?

RANUM: Well, our IT director got a very carefully-worded email from the folks at RSA, which is the one that I guess has been going around to all of their customers. I don't know if it is appropriate to share it, but it basically makes a number of recommendations and says that there was an escape of some information. Then it makes a series of very carefully-crafted recommendations, which I think are pretty good in their design to make not exactly obvious what information was leaked and what the significance of it was.

What We Know About the Breach

FIELD: So separate yourself from RSA customer to being an information security expert. What do you surmise about the breach based upon what you've learned?

RANUM: Well, it sounds like some piece of the customer database or information about the customers or the keying information for the key fobs got out. The recommendations in the email basically -- they appear to be oriented towards encouraging the customers to avoid potential social engineering attacks. So what I'm hypothesizing is going on here is maybe the keying information for the key fobs got out. So, if somebody had the algorithm that is used in the key fobs, they might be able to figure out the correct number that was going to show up for any given key fob at a particular time. What the attacker would not have is the mapping between the key fob and the particular individuals, so they might know that Tenable has a particular set of key fobs, but they don't know which key fob is Marcus Ranum's key fob because that was issued to me by our IT director. That mapping would be maintained at Tenable because the user ID to key fob mapping is the customer's problem, not RSA's. So that is what I think is happening, and I think that RSA is doing a very good job of managing this problem frankly.

FIELD: Give us some perspective here from the impact on a customer. What is the impact on Tenable Network Security?

RANUM: It's not that significant. I think we're going to have to, as they recommend, upgrade some software. RSA may decide further actions to take. I don't know if they'll send people new key fobs, or quite how that is going to play itself out. That is actually off my radar screen; that's our IT guy's problem. But we may have some minor technology refresh. But also, I did talk with our IT guys, and we're using this as a teaching moment, as they say, to remind people about the importance of social engineering and to be ready to avoid that kind of thing.

Impact on Industry

FIELD: Now talk about the impact on the industry, because it's a big deal when RSA comes out and says essentially, "Houston, we've got a problem".

RANUM: Yeah, the industry impact is pretty big. I'm torn, and that is part of why I agreed to do this interview. On one hand, it's a media circus, and I'm one of the clowns, but it's always difficult to complain about a media circus when you are a part of it. So, it's showing once again that breaches get maybe an unwarranted level of attention, but it's also showing that this is a really effective and mature and responsible way to handle a breach. So I think that is part of why I agreed to do this interview.

I think what they are doing is pretty good. So it is sort of showing the industry that we don't need to run and hop up and down and scream "This is the end, this is the end!" There actually has been a small amount of that. I think we pretty quickly saw the inevitable "Oh my gosh, it is some state-sponsored attack" kind of thing going around. I think that is probably nonsense to be completely honest with you. I don't think this is how a government agency would have handled this kind of attack. So I think the impact on the industry may actually be positive. It is giving RSA a chance to show that they can handle this thing in a mature manner, and it's giving a chance to have a little teaching moment about the importance of social engineering and to show that, you know, everybody does make mistakes. I think it is also important because it shows that this idea that malware is not exactly something that you can just blow off, and spear phishing attacks and these kinds of deep penetrations are a serious problem.

FIELD: You used the term "media circus," Marcus, and I don't disagree with you. But it's not just been the media. I've noticed as well that there have been a number of vendors that have been quick to jump on this, and that they've suddenly got the solution to a problem that hasn't even entirely been articulated. So, my question is: what are your thoughts on what you've observed in the industry and from the media globally since this news broke late last week?

RANUM: Well that is something I will say, in my official capacity as a technology recommender and selector, it always disgusts me when I see somebody basically bandwagon an issue. I mean, a little shot in the foot is okay. If one of your competitors has a problem, I think it is okay to say "ha, ha." But do that internally. I mean, don't just use that as a marketing opportunity. That makes you just come across as cheap and a little bit nasty. So, you know, yes, there have been some companies who are out there going, "Well, this problem will never happen to us." Yeah right. I really think this kind of problem happens to everybody, and I'm not saying we must completely support RSA. They've got egg on their face. But they are doing a darn good job of standing up in front of the lights and wiping the egg off in a fairly methodical and mature manner. So, I think the industry's reaction has been kind of not as nice as I would have wanted it to be, but I think actually RSA comes off looking fairly good in that situation.

Next Steps

FIELD: So, RSA is reaching out to customers now, and sort of the initial shock waves of this news are over. What needs to happen now within the industry?

RANUM: I think actually the email that they sent out, the recommendations that they make -- people need to look very closely at that and think about it. Ultimately, what they are saying is some pretty bread and butter stuff: that social engineering is a serious problem and you need to think about that, and then you've also got the problem that many end points are compromised. Obviously, it sounds like that is possibly the issue that got RSA into this mess in the first place. So, there is this problem of transit of trust where if your desktops or laptops are compromised by a rootkit, you can use great authentication and encryption, but your end point is still a problem. It is a decent wake-up call. This is all just good bread and butter stuff. You know, avoid suspicious emails, remind people not to provide user names or credentials. Very straightforward stuff, very well presented, very clearly done. So I think people really need to take that advice to heart, whether they are RSA customers or not, frankly.

FIELD: Marcus, if you could offer any advice to RSA to get through this challenge, what would it be?

RANUM: Obviously, the best advice would have been to go back in time and not have this problem, but since that's not really an option, I think the way that they've handled it has been excellent. Again, I can't speak for our IT director here, but I don't think this affects our intent to continue to use their products and to remain their customers. So, my guess is this is going to all blow over pretty quickly.
