RSA Breach: Token Replacement is 'Smart'Marcus Ranum on RSA's Offer to Replace SecurID Tokens
But even though he is confident in RSA's technology, Ranum still thinks customers would be smart to accept the company's offer of replacement tokens.
"Anytime a vendor tells you 'Hey, there's a problem with our stuff; you really want to fix it,' that's a clue that there's a problem with their stuff and you really want to fix it."
Security vendor RSA on June 6 offered to replace its SecurID multifactor authentication tokens for customers who typically protect intellectual property and corporate networks (see RSA Moves to Replace Customers' Multifactor Authentication Tokens). The offer comes a week after the revelation that the loss of information from an attack on RSA's IT system last March led to a breach of the computers of defense contractor Lockheed Martin, a SecurID customer (see RSA SecurID Breach Could be at Root of Network Disruption).
Ranum, a noted information security expert, is also an RSA customer. In this interview, he:
- Assesses RSA's latest move to rebuild the SecurID brand reputation.
- Explains why the data pilfered from RSA servers last March shouldn't cause problems for newly issued tokens.
- Discusses the importance of educating users about how to employ the authentication tokens.
Ranum, since the late 1980s, has designed a number of groundbreaking security products including the DEC SEAL, the TIS firewall toolkit, the Gauntlet firewall and NFR's Network Flight Recorder intrusion detection system. He has been involved in every level of operations of a security product business, from developer, to founder and CEO of NFR. Ranum has served as a consultant to many FORTUNE 500 firms and national governments, as well as serving as a guest lecturer and instructor at numerous high-tech conferences. In 2001, he was awarded the TISC "Clue" award for service to the security community, and also holds the ISSA lifetime achievement award. In 2005 he was awarded Security Professional of the Year by Techno Security Conference.