FUD-Kick 'Em While They're Down
By now, most infosec folk have digested, opined on and come to loathe the EMC (RSA) SecurID breach story that broke on March 17. Their 8-K filing contains both the open (public) letter as well as the initial guidance provided to customers on steps they should take to ensure the confidentiality, integrity and availability (CIA) of their SecurID infrastructure. EMC released additional information on March 22, but no official communication has gone into any real detail as to the specific vectors of the attack save for a singular line:
"Our investigation has led us to believe that the attack is in the category of an Advanced Persistent Threat (APT)."
Despite that vague speculation ("led us to believe" is not "we confidently know") on the part of EMC, it seems that there are at least two vendors who know exactly what APT-style was used and how they can stop it. The problem is that they seem to disagree on which APT it was.
Vendor #1
For various reasons, I had to redact portions of this particular communication. I can attest to the authenticity of the e-mail, but you could argue that makes me about as trustworthy as a Comodo SSL certificate. Their e-mail came soon after the breach announcement, hence me putting them first. Here is what they claim to know about what happened to EMC:
You can read the full, redacted e-mail at your leisure. Thankfully, we already use their technology, so I can be confident I'm fully protected against the EMC-felling APT. (HTML6 really needs a <sarcasm> tag).
Vendor #2
Just as I was feeling smugly safe all weekend, I awoke to the following in e-mail today (as did many others):
I hadn't even had one ounce of caffeine yet, but was forced into immediately questioning my security posture and whether or not I was truly protected from these "APTs". Given the intensity of their message, these folks must have the inside scoop:
Quite the differing views on what happened and where I need to focus my protection efforts. Which one should I believe?
Who Protects Us From The Protectors?
Both vendors called out in this post seized on the opportunity to feast on the wounded carcass of a competitor who is a huge player in the IT security & compliance sector. Neither has helped me effectively communicate the real threat(s) to my stakeholders and neither has given me anything tangible to put into a roadmap for my security program. Even EMC itself caused a significant amount of churn in many organizations and has done its own share of spreading Fear, Uncertainty and Doubt due to the sheer lack of information about their breach.
I am fully aware of how difficult the situation is for EMC and the fine line they need to walk. However, fueling the APT FUD machine was unnecessary; it has only encouraged more speculation in the infosec community and seems to have brought out the worst in some other companies in this sector.
We need to make it clear to vendors that we won't stand for opportunistic scare tactics like this and we also need to continue to foster a community of sharing and open discourse between each other to keep the FUD under control.