Hacking up the facts

Security vendors need to spend more time providing accurate information on breaches rather than blaming the media for over-hyping the threat.

The threat of online crime is both over-hyped and under-estimated. RSA executive chairman Art Coviello illustrated exactly why a couple of days ago – though probably not in the way he intended.

Coviello was briefing half a dozen IT journalists in Sydney in the wake of the massive RSA Conference on information security held in San Francisco last week.

The conversation was, as the phrase goes, frank and fearless. Coviello was unhappy with media coverage of last year's security breach where compromised information on RSA's SecurID login tokens was subsequently used to attack Lockheed Martin.

"No-one's covered the fact that there hasn't been a single breach that resulted in a loss, not a single one. OK? I'd like you to cover that now," said Coviello.

"I'd also like you to cover the fact that there was only one publicly-disclosed breach [where] it was even suggested that information stolen from us was used, and that attack was defeated."

Well, that's covered now. And Coviello reassured us that there were no breaches that weren't publicly disclosed because RSA stays very close to law enforcement and "other agencies" -- yes, he did the air quotes -- who'd tell them about any breaches and work with them to ensure the replacement of tokens if necessary.

Coviello was keen to stress that he wasn't attacking journalists. Information security is a complex topic. He doesn't envy us. He sees the need for accurate communication as a joint problem.

The journalists at the briefing suggested better access to executives rather than PR agencies, and more specific facts. Coviello seemed to agree, citing his conversation with former UK Prime Minister Tony Blair about the risk of letting incorrect reports stand.

"By and large most journalists are responsible. They're trying to do the right thing. But in a vacuum, right, they'll just gravitate to what they can get," he said.

"When journalists quote bloggers as authoritative sources, or write stories that make it appear that bloggers are authoritative sources, or if they interview every Tom, Dick and start-up security company that wants to get their name in the paper and comment on something they know nothing about, they are not doing their readers much of a service. And quite frankly I believe there was far too much of that that went on."

When it comes to disclosing the facts about a security breach, RSA was actually ahead of the pack. They had to be. They needed to tell their customers, including Australian banks and other organisations, how to mitigate the risks associated with the potentially compromised SecurID tokens.

RSA's initial advice was to harden the back-end infrastructure supporting RSA Authentication Manager and take steps to protect the additional information an attacker would need in order to use the compromised tokens. The stolen SecurID data on its own wasn't enough to enable an attack.

"But over and above that, there were belts and suspenders in a lot of the Australian banks because they had our transaction monitoring capability which gave them, believe it or not, four factors -- the password, the PIN, the passcode, and transaction monitoring -- and that story, try as we might, never really got out in the Australian press," Coviello said.

"So there was very, very, very, very, very little risk in those particular instances," he said. "I don't think we ever hyped the threat."

Coviello clearly believes that the media hyped the threat, though.

When the Lockheed story broke, he told the media that if a customer thought they were at risk then they'd replace tokens or, in the case of banks, provide transaction monitoring.

"The next day I read in the news, 'RSA to replace 40 million tokens'," he said. "Never said any such thing... The number of tokens that we ultimately replaced was a fraction, fraction, fraction of that."

Inevitably, one journalist asked, "How many, Art?"

"Yeah, that's very funny," he replied. And we all laughed.

But actually that's the core point. If 40 million isn't the right number, what is? Didn't we all just agree that we needed the facts?

"I gave you an answer," Coviello said. "What won't come out if I give you that data is the fact that no-one really needed to replace a token."

Well, we know that now, in hindsight.

There's a real need to get better, more factual reporting of cybercrime. Events like the CIA website being taken down by Anonymous get coverage because they sound exciting.

"Very embarrassing, but defacing a website is a long way from somebody actually being inside the CIA and stealing all of its secret information," Coviello said.

"The amount of intellectual property and theft that's going on around the world today, and the amount of fraud that's going on around the world today, pales in comparison to what you see in some of these high profile breaches."

The real story needs to be told so policy-makers appropriately address issues such as information-sharing and privacy law reform, and so that companies address information security at the board level rather than leaving it to the CIO or CSO to solve.

Yet one of the more open executives from a major information security vendor can't tell us a simple, basic and rather harmless fact about their recent breach.