A recently announced recall of RSA’s SecurID product is causing waves across the industry. Navigating these events and considering their implications, we review some of the key aspects and analyze where the industry stands in light of these conditions.
The details of the various federal contractor breaches have continued to emerge in recent news. An official announcement from RSA acknowledged the previously rumored link between the initial RSA incident and the Lockheed Martin intrusion. L-3 and Northrop Grumman are likely to have been attacked through the same vector. This alarming series of breaches has caught the attention of media and customers alike. Among other sources, China has been mentioned as a possible origin of these attacks. Meanwhile, there have been reports of major defense contractors replacing RSA SecurID tokens with other token technology.
RSA initially went on a campaign of silence, refusing to make statements about the nature of the attacks, and in fact dismissed the notion that anything had taken place. While this is understandable given that their clients include national security organizations, a number of critics have expressed concern about the lack of information released. Attempts to speak to even the most approachable security insiders within RSA have been met with stone-cold denials and outright refusals. A prominent RSA security technologist was quoted as being frustrated with the company’s mandate of silence: a broad lockdown on not only these incidents, but any and all infosec topics, whether related to RSA and its clients or not.
In response to this series of events and growing exposure, RSA has crafted and released an “Open Letter to RSA SecurID Customers”. In it, Art Coviello, Executive Chairman of RSA, asserts that this “does not reflect a new threat or vulnerability in RSA SecurID technology”. He adds that, in light of customers’ overall risk tolerance given the increase in attacks in general and this acknowledged incident in particular, the company is putting forward the following:
- An offer to replace SecurID tokens for customers with concentrated user bases typically focused on protecting intellectual property and corporate networks.
- An offer to implement risk-based authentication strategies for consumer-focused customers with a large, dispersed user base, typically focused on protecting web-based financial transactions.
The letter also mentions that once certain characteristics of the initial RSA attack were analyzed and it became clear that the attacks targeted defense secrets, the organization worked with the affected companies on replacing their token technology.
Total Recall: The Missing Details
What exactly was stolen? The company has reported little on this, but a brief review of how SecurID works suggests that either seed keys or master keys were taken, along with account information and possibly passwords held by RSA as part of the stolen data. Questions abound, and the recall itself doesn’t necessarily ensure better security. Some hard questions need to be asked. Replacing tokens on the order of a reported forty million SecurID units is, without a doubt, a massive undertaking.
A recurring element in information security is the threat of social engineering. In repeated cases, a social engineering compromise has been found to be the first vector of intrusion, time and time again. For RSA, it has been reported that the initial attack took place by means of social engineering, namely phishing, paired with a Flash exploit launched from a Microsoft Excel file. If there is a lesson to be learned from this and other social engineering hacks, it is that a comprehensive security program that includes, among other things, detection, response, forensics, perimeter defenses, and user education is critical in today’s day and age. Organizations need to pay attention to the sum of a security strategy, and it takes considerable effort to create effective security awareness across the user community.
Expanding on EMC’s notion of customer risk tolerance, the ramifications of the EMC compromise are clear. In the security world, a regular evaluation of risk is essential to the integrity of an organization’s security strategy. Although the likelihood of an attack could potentially be statistically minimized and practically eliminated, the fact is that the risk paradigm has changed. Where organizations once had a two-factor authentication construct in place, a token plus a username and password, they are hypothetically now in a position where only the username and password retain any measure of integrity. A username and password construct is fallible, vulnerable to written-down passwords, keyloggers, password sharing, and so on. The fact of the matter is, organizations will be evaluating and re-evaluating where the technology fits into their risk assessment as more and more information comes out. The prospect of a token recall exacerbates that evaluation.
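To make concrete why a seed leak collapses the token factor to the password alone (the concern raised in the preceding two paragraphs), here is an added example that is not part of the original post or of RSA’s product. SecurID’s algorithm is proprietary and not described here, so the open HOTP/TOTP construction (RFC 4226 / RFC 6238) stands in for it; the users, passwords and seeds are constructed.

```python
"""Stand-in for the SecurID mechanics the article alludes to. RSA's algorithm is
proprietary, so this uses the open HOTP/TOTP construction (RFC 4226 / RFC 6238),
which shares the property that matters: every code is a deterministic function
of a shared seed and the time. Users, passwords and seeds are constructed."""
import hashlib
import hmac

STEP_SECONDS = 30


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def totp(seed: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238: the code a token would display at a given wall-clock time."""
    return hotp(seed, unix_time // STEP_SECONDS, digits)


class AuthServer:
    """Two-factor verifier: password (knowledge) plus token code (possession)."""

    def __init__(self) -> None:
        self.users: dict[str, tuple[str, bytes]] = {}  # user -> (password, seed)
        self.last_step: dict[str, int] = {}  # highest accepted time step per user

    def enroll(self, user: str, password: str, seed: bytes) -> None:
        self.users[user] = (password, seed)

    def verify(self, user: str, password: str, code: str, now: int, skew: int = 1) -> bool:
        record = self.users.get(user)
        if record is None or not hmac.compare_digest(record[0].encode(), password.encode()):
            return False
        step = now // STEP_SECONDS
        for candidate in range(step - skew, step + skew + 1):  # tolerate clock drift
            if candidate > self.last_step.get(user, -1) and hmac.compare_digest(
                hotp(record[1], candidate), code
            ):
                self.last_step[user] = candidate  # each code is accepted only once
                return True
        return False


def seed_alone_suffices(server: AuthServer, user: str, password: str, seed: bytes, now: int) -> bool:
    """Whoever holds the seed computes the same code as the physical token, so
    after a seed leak the possession factor is worth no more than the password."""
    return server.verify(user, password, totp(seed, now), now)
```

The verifier still rejects wrong passwords and replayed codes; what it cannot do is tell a code computed from a copied seed apart from one read off the device, which is exactly why seed custody decides the value of the second factor.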
Before replacing SecurID tokens, be sure to evaluate what that means for the organization. Make sure that users understand the security of their technology devices, and evaluate the details that RSA will hopefully be sharing with its customers. Make sure that RSA’s replacement effort is not just a reactionary refresh for the sake of customer confidence. Ensure that the SecurID seeds critical to your organization are secure, ideally stored under your own control, or, if held by RSA, secured in a significant manner. As a number of organizations move to other authentication technologies, such as phone authentication and other token competitors with low buy-in for adoption, take care to validate that technology for integrity and practicality. Keep in mind that to date, RSA has been the standard-bearer, the giant in this space, and with fundamental disclosure and the securing of its technology base, that standing should hold through this very ugly storm of incidents.
[Cross-posted at Wikibon Blog]