RSA CEO: There is Too Much Security Awareness

Wednesday, October 05, 2011



In testimony before the House Select Committee on Intelligence on Tuesday, RSA CEO Art Coviello challenged the belief that general efforts to increase cybersecurity awareness will reduce the number of successful cybercrime operations.

While Coviello made it clear that he was not advocating the abandonment of security awareness initiatives, he did question the effect of over-reporting of security lapse events on consumer confidence and overall security efforts.

"Not a day goes by that I do not see some indication of a cyberattack in the press. ... There's too much awareness without anything being done. The problem is that when consumers see time and time again, nothing happens to correct it. They throw up their hands. There's no amount of consumer education to make them smart enough to resist attacks. They're just too sophisticated," Coviello said.

Coviello implied that the complicated nature of cyber intrusions is such that over-hyping data loss events to the public does little to stem the problem, and that the burden for increasing network security and data protection rests squarely on the shoulders of government and businesses.

"It's incumbent upon us to get together to protect the consumer... not create more awareness in public," Coviello continued.

In March of this year, RSA, the security division of EMC, announced that it had suffered a breach stemming from what it described as a sophisticated attack on its network systems. What little information has been made available since the attack indicates that the intruders targeted proprietary information on RSA's SecurID two-factor authentication systems.

SecurID is a product designed to prevent unauthorized access to enterprise network systems, and RSA's customers include government, military, financial, enterprise, healthcare and insurance companies.

Analysts have since debated whether the characterization of the attack as "sophisticated" was accurate. Could more "security awareness" amongst RSA employees have prevented the breach?

According to researchers from F-Secure, the attack payload was most likely delivered in a simple email with an infected Excel spreadsheet file. The messages read: "I forward this file to you for review. Please open and view it."

Timo Hirvonen, an F-Secure antimalware analyst, found the suspected email in August among millions of samples that had been submitted to the free file scanning service VirusTotal. The message had been sent on March 3, but had not been submitted to VirusTotal until two days after the RSA breach was announced.

"The e-mail was crafted well enough to trick one of the employees to retrieve it from their Junk mail folder, and open the attached Excel file. It was a spreadsheet titled '2011 Recruitment plan.xls,'" said an April 1 blog posting by RSA's Head of New Technologies, Uri Rivner.
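The lure described above is short, generic and carried a legacy Office attachment, and it had already been classified as junk before an employee pulled it back out. That combination is something a mail gateway can score without relying on the recipient's judgement. The following is an added example, not code from the article or from RSA or F-Secure: it builds a constructed message modelled on the described lure (only the body text and the attachment name come from the article; the sender and recipient addresses, the subject line and the attachment bytes are assumptions) and runs a simple triage over it alongside a benign internal message.

```python
import os
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Attachment types treated as high risk when they arrive from outside:
# legacy binary Office formats and their macro-enabled successors.
RISKY_EXTENSIONS = {".xls", ".xlsm", ".doc", ".docm", ".ppt", ".pptm", ".rtf"}
# OLE2 compound-document magic, which is what a legacy .xls/.doc starts with.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Generic "just open it" phrasing typical of short lures.
LURE_PHRASES = ("please open", "for review", "please view", "see attached")


def build_sample_message() -> bytes:
    """Constructed message modelled on the lure described in the article.

    Only the body text and attachment name are from the article; the
    addresses, the subject and the attachment bytes are assumptions.
    """
    msg = EmailMessage()
    msg["From"] = "recruiting@jobs-portal.example"   # assumed external sender
    msg["To"] = "employee@example.com"               # assumed internal recipient
    msg["Subject"] = "2011 Recruitment plan"         # assumed subject line
    msg.set_content("I forward this file to you for review. Please open and view it.")
    msg.add_attachment(
        OLE2_MAGIC + b"\x00" * 24,                   # stand-in for a real .xls
        maintype="application",
        subtype="vnd.ms-excel",
        filename="2011 Recruitment plan.xls",
    )
    return msg.as_bytes()


def build_benign_message() -> bytes:
    """Constructed internal message with no attachment, for comparison."""
    msg = EmailMessage()
    msg["From"] = "hr@example.com"
    msg["To"] = "employee@example.com"
    msg["Subject"] = "Recruitment planning meeting"
    msg.set_content("Reminder: the recruitment planning meeting moves to Thursday 10am, room 4B.")
    return msg.as_bytes()


def triage_message(raw: bytes, internal_domain: str) -> dict:
    """Score one raw RFC 5322 message and decide whether to hold it for review."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # Indicator 1: sender domain is not ours.
    _, sender = parseaddr(str(msg.get("From", "")))
    sender_domain = sender.rpartition("@")[2].lower()
    if sender_domain != internal_domain.lower():
        findings.append("external_sender")

    # Indicator 2: a short body consisting of little more than "open this".
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content().lower() if body_part is not None else ""
    if len(body) < 200 and any(phrase in body for phrase in LURE_PHRASES):
        findings.append("generic_lure_text")

    # Indicator 3: a risky attachment, judged by extension and by content.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        data = part.get_payload(decode=True) or b""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"risky_attachment:{ext}")
        if data.startswith(OLE2_MAGIC):
            findings.append("ole2_document")

    # Hold only when a risky attachment coincides with another indicator:
    # an Office file from a colleague is routine; an Office file from outside
    # with a bare "please open" is the pattern the article describes.
    has_attachment = any(f.startswith("risky_attachment") for f in findings)
    hold = has_attachment and len(findings) >= 2
    return {"findings": findings, "hold": hold}


if __name__ == "__main__":
    print(triage_message(build_sample_message(), "example.com"))
    print(triage_message(build_benign_message(), "example.com"))
```

The point of the combined rule is that no single indicator is decisive: plenty of legitimate spreadsheets arrive from outside, and plenty of internal mail says "please review". A message that is held rather than delivered to Junk never offers the recipient the chance to retrieve it, which is the failure mode Rivner's account describes.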

Perhaps more "security awareness" efforts aimed at RSA employees could have prompted them to leave a message that had already landed in the Junk folder alone, or to scan the tainted attachment for malicious code before opening the document that ultimately led to the breach of RSA's networks.

But then, to be fair to Coviello, perhaps not.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
