Slashdot Mirror


RSA Chief: Last Year's Breach Has Silver Lining

alphadogg writes "Last year's industry-shaking RSA Security breach has resulted in customers' CEOs and CIOs engaging much more closely with the vendor to improve their organizations' security, according to the head of RSA. Discussing the details of the attack that compromised its SecurID tokens has made RSA sought after by companies that want to prevent something similar from happening to them, Executive Chairman Art Coviello said in an interview with Network World. 'If there's a silver lining to the cloud that was over us from April through over the summer it is the fact that we've been engaged with customers at a strategic level as never before,' Coviello says, 'and they want to know in detail what happened to us, how we responded, what tools we used, what was effective and what was not.'"

11 of 49 comments

  1. Re:Silver Lining for their Bottom Line by Anonymous Coward · · Score: 2, Informative

    Tokens were replaced for free...but don't let the facts get in the way of a good story!

  2. And did they answer? by marcosdumay · · Score: 4, Interesting

    Everybody knows that their customers want to know such things because they asked in a quite vocal manner just after the troubles, and were simply dismissed by RSA. So, now RSA issues a PR stating that their customers want to know if they are secure, and not telling if they gave any answer. Quite funny what some spin can create.

    Anyway, why should anybody buy a product from RSA anymore?

    1. Re:And did they answer? by LifesABeach · · Score: 2

      Is it spin? Or smoke?

  3. it's amazing what publicity by v1 · · Score: 2, Informative

    you can get out of a bit of damage control

    Really though, as a customer, you don't look favorably at your security vendor waiting until after a serious breach to refine their processes. You pay them the big dollars because they're supposed to already know what they're doing and have good practice already in place the day you shake hands.

    This is just their P.R. people clawing for some way to put a little positive spin on their blunder.

    --
    I work for the Department of Redundancy Department.
    1. Re:it's amazing what publicity by vlm · · Score: 5, Insightful

      You pay them the big dollars because they're supposed to already know what they're doing and have good practice already in place the day you shake hands.

      Actually you pay them because it's faster / better / cheaper than doing it yourself, not because they are perfect. If 50% of the population is below the median, they only have to achieve a 50% median solution to capture about 50% of the market. The actual percentages are probably much higher; regardless, they certainly don't have to be 100% perfect to make money.

      The other reason you pay money is to have someone else to blame for the inevitable headaches. As long as your boss yells at them for an outsourced solution instead of you for an insourced solution, that was money well spent.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
  4. Slight bit different. The fire dept burned down. by khasim · · Score: 3, Funny

    And since the fire department burned to the ground, more home owners are contacting the fire department to help with their home fire defense.

    What the? Does that make any sense to anyone?

    ... Coviello says, 'and they want to know in detail what happened to us, how we responded, what tools we used,

    Ah, that makes sense now.

    Not "dude, u r teh awesome!!! How can I get some of that awesome for myself?"

    More like "dude, where were your fire extinguishers? Smoke detectors? What model were they? Did they give ANY alarm? HOW THE HELL DID YOU LET YOUR FIRE DEPARTMENT BURN DOWN? And is there any way to tell if I am in danger?"

  5. FTFY by CanHasDIY · · Score: 5, Funny

    'If there's a silver lining to the cloud that was over us from April through over the summer it is the fact that we've been getting phone-raped by customers... as never before,' Coviello says, 'and they want to know in detail what the fuck happened, how we fucked up so badly, how the fuck we're going to fix it, and why the fuck they should still be our 'customers'."

    --
    An enigma, wrapped in a riddle, shrouded in bacon and cheese
  6. The really awesome part... by Chibi+Merrow · · Score: 5, Interesting

    Is that the worthless corporate scumbags who own the company I work for (and force us to use RSA keyfobs) thought very hard about what to do about this spectacular failure on RSA's part, and came up with this solution: Get new keyfobs from RSA!

    RSA's only job was to be trustworthy. None of their technology is a trade secret, and once they produce the fobs there's no need to interact with RSA whatsoever. There IS NO technology to steal on their networks.

    And yet they kept the keys. The only purpose served by keeping those keys is allowing someone to decrypt their customers' encrypted traffic. The keys are completely unnecessary for any other reason once the fobs have been made. If they're doing their job right, it wouldn't matter if terrorists came in and held a gun to the CEO's head, never mind if their network was secure. The key fobs do not depend on them in any way to function once they're produced.

    Their only job was to be trustworthy, and they have failed spectacularly.

    So I'm expecting raises and bonuses all around for the execs, while a couple worker drones (who probably questioned keeping the keys in the first place) get axed. SNAFU.

    --
    Maxim: People cannot follow directions.
    Increases in truth directly with the length of time spent explaining them
  7. Re:Slight bit different. The fire dept burned down by LifesABeach · · Score: 2

    And in an unrelated news event, the farmer has started communicating to neighboring farms about closing the barn doors after the livestock in the barn had left.

  8. I have to call it ... by DaMattster · · Score: 2

    This is a load of crap. If anything, I think the entire RSA incident should serve as an impetus to look for open source, community supported solutions. Security through obscurity works only in government, CIA stuff.

  9. Re:Silver Lining for their Bottom Line by msauve · · Score: 3, Insightful

    Paypal doesn't use RSA tokens. They use ones from Symantec (which they bought from Verisign).

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law