US defence contractor Lockheed Martin is reportedly blaming an apparently successful hack of its IT systems on an earlier breach of RSA Security's system, but this is nothing but smoke and mirrors, writes Steve Watts, co-founder of SecurEnvoy.
Instead of laying the blame for its data breach at RSA Security's door, Lockheed should instead have been looking at its own IT security review procedures.
The RSA Security breach occurred in mid-March, which has given its users more than two months to review their reliance on RSA Security's technology on their ITsec systems, so what has Lockheed Martin's IT department been doing for the past 10 weeks?
It is interesting to note that our colleagues over at NSS Labs said back in March that the RSA Security attack was a strategic move to grab the virtual keys to RSA's customers. More than anything, however, that entire affair should have triggered alarm bells ringing in any corporate IT security office, especially given RSA's deafening silence at the time.
Let's put it quite simply: If the company that supplies the locks to your office is reported to have had its master keys stolen, what do you do? You change your office locks to those from another supplier. That is exactly what any competent IT security manager should have started doing as soon as the RSA Security breach was reported. This is contingency planning 101 material.
In fact, the RSA Security hack in mid-March should have triggered a review of an organisation's entire authentication security and its reliance on products from a single supplier.
Multi-layered security means using technology from multiple suppliers that uses a different approach to defending the corporate digital realm.
If you start the planning and review process from the premise that your IT systems will eventually be breached, and then design your security defences on this basis, you end up with an intrinsically more secure system.
Modern IT security is all about building layers of defence on a modular basis, using today's security tools - including multi-factor authentication with integrated redundancy and fail-safe systems. If one element is compromised, you switch in other elements, as laid down in your IT security contingency plans.
For Lockheed Martin's IT security managers to blame an apparent successful incursion into their systems on a 10-week-old widely reported breach of one of their key ITsec suppliers is diverting publicity from its own security process failings.
This was first published in June 2011