Trust Is For Suckers: Lessons From the RSA Breach

wiredmikey writes "Andrew Jaquith has written a great analysis of lessons learned from the recent RSA Cyber Attack, from a customer's perspective. According to Jaquith, in the security industry, 'trust' is a somewhat slippery concept, defined in terms ranging from the cryptographic to the contractual. Bob Blakley, a Gartner analyst and former chief scientist of Tivoli, once infamously wrote that 'Trust is for Suckers.' What he meant is that trust is an emotional thing, a fragile bond whose value transcends prime number multiplication, tokens, drug tests or signatures — and that it is foolish to rely too much on it. Jaquith observed three things about the RSA incident: (1) even the most trusted technologies fail; (2) the incident illustrates what 'risk management' is all about; and (3) customers should always come first."

History

[chill]

Of the people who I've talked to with RSA tokens, most have said they're now actively planning a migration off of RSA tokens.

It isn't that they were hacked. Shit happens, even to the best of them. It was the lack of information and lack of transparency by RSA (EMC) on the whole event. Trust has been lost.

I'm not talking about public statements or mea culpas. I'm talking about why they weren't 100% open and upfront with existing customers right away. It gives the impression that EMC's execs were hoping no one would get hacked and it would all fade away over time. That they could just ride this out and weren't going to have to fork over a boatload of cash to replace everyone's tokens, thus not taking a hit on their stock or bonuses.

They were wrong, and now the price they are going to pay is not only replacing everyone's tokens, but a loss of trust and hence future business.

Trust what?

[lazlo]

From my understanding, the RSA breach basically broke into the database that ties serial numbers to the internal "secret" that's used to generate OTP's. So go back to before the breach, and assume you're an RSA customer. To be their customer, you have to trust them. You can trust them to:

1. 1) securely wipe their copy of the database once they've delivered your tokens to you
2. 2) keep their database secure against attackers
3. 3) provide you with a copy of the database after you lose yours.

Note that options 1 and 3 are mutually exclusive. Now, it would be nice to be able to choose your level of risk tolerance yourself and decide on #1 vs #2 + #3, but there are a reasonable number of customers who actively dislike being forced to make choices. And there would be a whole lot of customers who would be really mad if, after losing their database, were told by RSA "Sorry, all of your tokens are now useless keyrings. No choice but to replace them all"

To me it's like the evolution of passwords. In the beginning, if you forgot your password, your admin could tell you what it was. Then passwords got hashed, and your admin couldn't tell you what it was, but could reset it for you, and security was enhanced. Then passwords were used as encryption keys, and now your admin couldn't tell you what it was or reset it. If you forgot it, your data was gone. Once again, a security enhancement, but now a greater danger of data loss through forgetfulness.