Monday, April 4, 2011

What the RSA and NASDAQ Directors Desk Attacks Have In Common

When I first wrote about the NASDAQ Directors Desk attack on Feb 6 and Feb 8, I pointed out the core problem with an electronic boardroom application:
Your company’s critical data along with identifying information for your key executives joins hundreds of other companies’ critical data in a private “Cloud” that is no better secured than your own home network. In fact, you’re now worse off than before because your company is part of a larger, more target rich environment that gives an adversary the efficiency of scale. Instead of just one company’s “crown jewels”, he can have access to hundreds without increasing his risk. 
There are a growing number of "electronic boardroom" service providers besides Directors Desk. A 2008 article at the National Association of Corporate Directors mentions Boardbooks by Diligent, Directors Desk by NASDAQ, BoardLink by Thompson, BoardVantage, Leaders4 Board Information Management by 80-20, as well as smaller players like BoardWorks, BoardEffect, IntraLinks, Info-Street, and Endexxhas.

There are always pros and cons to making the details of an attack public. The NASDAQ Directors Desk attack has been in the news since early February and has just had a resurgence of interest with the announcement that the NSA has joined the FBI in their investigation. Personally, I had never known about the existence of an electronic boardroom prior to writing about this attack. Now that I do, I've been advising client companies to either not use them or to drastically reduce the amount of exploitable data that they contain before another attack takes place.

After the RSA attack was announced on March 17th, and with EMC's (RSA's parent company) poor job of providing information about it publicly (not to mention their disgraceful job of not sharing details with their own customer base privately), I wondered how many electronic boardroom services use RSA technology as part of their security. After a little bit of searching, I found four:

BoardBooks by Diligent
BoardLink by Thompson
BoardWorks
IntraLinks

I highly recommend that above companies either contact EMC and demand answers regarding the extent of the RSA breach so that they can determine their own exposure or drop EMC as a security provider altogether. EMC's conduct in disclosing details about their attack has been pathetic. Their SEC filing was word-for-word identical to their press release and the latest blog post "Anatomy of an Attack", written by a marketing executive and not an engineer (which is telling in and of itself), only made matters worse by indulging in folksy descriptors and mixed metaphors as a substitute for providing hard facts on the state of the breach and offering specific guidance to its customers. I wouldn't be surprised if a class action lawsuit was filed against EMC's Board of Directors by their corporate customers for negligence. EMC, like many InfoSec companies, are charging small fortunes for products and services while assuming no responsibility for keeping their customers' data safe. A backlash is sure to follow. 

No comments:

Post a Comment