No excuses for Lockheed Martin cyber-attack

Reports that Lockheed Martin is blaming an apparently successful hack of its IT systems on an earlier breach of RSA Security’s system have been dismissed as “smoke and mirrors”.

Whilst weekend newswires were citing Lockheed Martin, the US defence contractor, as laying the blame for its data breach at RSA Security’s door, it should instead have been looking at its own IT security review procedures.

The RSA Security breach occurred in mid-March, which has given its users more than two months to review their reliance on RSA Security’s technology within their IT security systems. I’ve always preached the need for multiple layers of security – including the use of two-factor authentication – so the question here is: what has Lockheed Martin’s IT department been doing for the last ten weeks?

It’s interesting to note that my colleagues over at NSS Labs said back in March that the RSA Security attack was a strategic move to grab the virtual keys to RSA’s customers. More than anything, however, that entire affair should have set alarm bells ringing in any corporate IT security office, especially given RSA’s deafening silence at the time.

Let’s put it quite simply: if the company that supplies the locks to your office is reported to have had its master keys stolen, what do you do? You change your office locks to those from another supplier.

And this is exactly what any competent IT security manager should have started doing, as soon as the RSA Security breach was reported. “This is contingency planning 101 material”.

In fact, the RSA Security hack in mid-March should have triggered a review of an organisation’s entire authentication security and its reliance on products from a single vendor.

Multi-layered security also means using technology from multiple vendors that take different approaches to defending the corporate digital realm.

If you start the planning and review process from the premise that your IT systems will eventually be breached, and then design your security defences on this basis, you end up with an intrinsically more secure system.

Modern IT security is all about building layers of defence on a modular basis, using today’s security tools – including multi-factor authentication with integrated redundancy and fail-safe systems. If one element is compromised, you switch in other elements, as laid down in your IT security contingency plans.

For Lockheed Martin’s IT security managers to blame an apparently successful incursion into their systems on a ten-week-old, widely reported breach of one of their key IT security suppliers diverts attention from their own security process failings.

Security companies shouldn’t store customer keys on their premises – all keys should be randomly generated within the customer’s own premises, which means the customer is in control of their own security and therefore doesn’t need to trust any third-party manufacturer.


Steven Watts brings 25 years of industry experience to his role at the helm of Sales & Marketing for SecurEnvoy. He founded the company with Andrew Kemshall in 2003 and still works tirelessly to grow the company in new and established markets. His particular value is market and partner strategy, having assisted in the development and design of the products and designed the pricing strategy and recurring revenue model that has been so key to the business’s growth and success. Before starting SecurEnvoy, Steven was responsible for setting up nonstop IT, the UK’s first IT security reseller, in 1994. Prior to setting out on his own, Steven worked as Sales Director at the networking and IT division of Comtec, and had started his career in office solution sales in 1986.