RSA APT thoughts
By now people are starting to hear that RSA has been hit with an attack. Reports are vague at best, and we have very little idea how this may affect RSA customers and security in general. But I’d like to opine about a few points.
First, we, in the profession of information security, are still not taking malware seriously enough. Oh, sure, most people are running antivirus software. But we don’t really study and understand the topic. Malware gets extremely short shrift in any general security textbook. Sometimes it isn’t mentioned at all. Sometimes the descriptions are still based on those long-ago days when boot-sector infectors ruled the earth. (Interesting to see that they are coming back again, in the form of Autorun and Autoplay, but that’s simply another aspect of Slade’s Law of Computer History.) Malware has gradually grown from an almost academic issue to a pervasive presence in the computing environment. It’s the boiling frog situation: the rise in threat has been gradual enough that we haven’t noticed it.
Second, we aren’t taking security awareness seriously enough. These types of attacks rely primarily on social engineering and malware. Security awareness works marvelously well as a protection against both. RSA is a security corporation: they’ve got all kinds of smart people who know about security. But they’ve also got lots of admin and marketing people who haven’t been given basic training in the security front lines. For a number of years I have been promoting the idea that corporations should be providing security awareness training. Not just to their employees, but to the general public. For free. I propose that this is not just a gesture of goodwill or advertising for the companies, but that it actually helps to improve their overall security. In the modern computing (and interconnected communications) environment, making sure somebody else knows more about security means that there is less chance that you are going to be hit.
(Third, I really hate that “APT” term. “Advanced Persistent Threat” is pretty meaningless, and actually hides what is going on. Yes, I know that it is embarrassing to have to admit that you have been tricked by social engineering [which is, itself, only a fancy word for "lying"] and tricked badly enough that somebody actually got you to run a virus or trojan on yourself. It’s so last millennium. But it’s the truth, and dressing it up in a stylish new term doesn’t make it any less so.)