RSA has confirmed that its SecurID was compromised following the breach earlier this year.
In an open letter, RSA executive chairman Art Coviello confirmed on 2nd June that ‘information taken from RSA in March had been used as an element of an attempted broader attack on Lockheed Martin’. Lockheed Martin has stated that the attack was thwarted and no sensitive information was intercepted.
He said: “It is important for customers to understand that the attack on Lockheed Martin does not reflect a new threat or vulnerability in RSA SecurID technology. Indeed, the fact that the only confirmed use to date of the extracted RSA product information involved a major US defence contractor only reinforces our view on the motive of this attacker.
“We remain highly confident in the RSA SecurID product as the leading multi-factor authentication solution and we also feel strongly that the specific remediations we have provided to customers will help to deliver the highest levels of customer protection.”
Coviello pointed to attacks on Epsilon, Sony, Gmail, PBS and Nintendo, saying that while the attacks are totally unrelated to the breach at RSA, they do point to a changing threat landscape and have heightened public awareness and customer concern.
However, following the Lockheed Martin attack, Coviello said that RSA recognised the increasing frequency and sophistication of cyber attacks generally and that recent announcements ‘may reduce some customers’ overall risk tolerance’.
Therefore, RSA is offering to replace SecurID tokens for customers ‘with concentrated user bases typically focused on protecting intellectual property and corporate networks’. It will also offer to implement risk-based authentication strategies for consumer-focused customers with a large, dispersed user base, who are typically focused on protecting web-based financial transactions.
“We will continue to work with all customers to assess their unique risk profiles and user populations and help them understand which options may be most effective and least disruptive to their business and their users,” he said.
“As the leader in authentication solutions, our goal is to ensure that this growing threat environment does not impede the tremendous potential and opportunity of a trusted digital world. We believe that SecurID is the most powerful multi-factor authentication solution in the industry. Our customers remain our first priority.”
Blogger Jacob Appelbaum said on his Twitter feed: “The RSA token compromise pretty much settles the ‘if we don't disclose the attackers won't know what to do’ debate.”
Ori Eisen, founder and chief innovation officer at 41st Parameter, said: “These breaches prove how extremely adept certain elements have become at acquiring credentials for targets they want to penetrate.
“Authentication solutions are not instrumented to intuit when a seemingly perfect access request is actually corrupted. Designed to spot an impostor's ‘tells’, fraud detection provides an additional layer of scrutiny, ensuring those who gain access with ostensibly good credentials really are who they portend to be.”
Dale G Peterson wrote on his blog that, with the stolen SecurID data now being used, there are open questions about who is using it, who their targets are, and whether they are selling the data. “For example, if you wanted to attack utility x, can you buy the SecurID data related to their tokens? This combined with a targeted phishing attack may be enough to get an adversary into the control centre with administrator credentials.
“For owner/operators that have secure remote access always on, it is time to look at and consider other authentication options besides the currently deployed SecurID tokens. The number of remote users is minimal, or at least they should be, so the change would not be massive like issuing new tokens or another solution to the entire company.
“If a small expenditure in time and money would remove the risk of the RSA compromise, it should be considered. Organisations that are high profile targets are at a higher risk and therefore have more incentive to change.”
Mike Smart, solutions director EMEA at SafeNet, said that organisations need to get new tokens soon, but this leaves them open to additional risk down the road.
He said: “Given how these breaches have hinged on the theft of the seed data, customers may be revisiting this fire drill again in the near future. Some one-time password (OTP) platforms can be inflexible and customers fear that a migration is a pain-filled process. In the near term, customers can trade tokens for tokens but should migrate to platforms that provide them better migration capability and technology flexibility.
“It is not enough to just buy a token and rely on the vendor to guarantee you are protected. Network administrators guarding sensitive data must take ownership of their authentication management and OTP issuance as this removes the risk associated with vendor managed solutions.
“Customers would be advised to migrate to solutions which put them in control, offering capabilities like self-provisioning and de-provisioning of tokens.
“Everyone knows that there will be some near-term pain involved in switching out vulnerable tokens, but the wise traveller plans for the road ahead. My advice is to treat this unexpected event as an opportunity to prepare your organisation for the future.”
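The comments above turn on one fact about OTP tokens: the secret seed programmed into each token is the only thing that makes its codes unpredictable, so whoever holds a copy of the seed can compute exactly the codes the legitimate token will show. The following Python script is an added illustration, not part of the original article and not code from RSA, SafeNet or any vendor named here. It implements the open HOTP algorithm from RFC 4226 (counter-based HMAC-SHA1, not RSA's proprietary SecurID algorithm) together with the in-house provisioning, verification and de-provisioning steps the commentators recommend. The `registry` dictionary standing in for an authentication server's database, the user name `alice` and the look-ahead window of 5 are assumptions made for the example; the seed `12345678901234567890` is the published RFC 4226 test vector.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a decimal code of `digits` digits.
    Anyone holding `seed` can evaluate this function: that is the
    entire risk created by a seed-data theft."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(seed, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = ((digest[offset] & 0x7F) << 24
              | digest[offset + 1] << 16
              | digest[offset + 2] << 8
              | digest[offset + 3])
    return str(binary % (10 ** digits)).zfill(digits)


def provision_token(user: str, registry: dict) -> bytes:
    """Self-provisioning: generate the 160-bit seed locally so that no
    vendor-held copy exists. `registry` is an assumed stand-in for the
    authentication server's database."""
    seed = secrets.token_bytes(20)
    registry[user] = {"seed": seed, "counter": 0}
    return seed  # would be written into the token/app and then discarded


def deprovision_token(user: str, registry: dict) -> None:
    """De-provisioning: removing the seed server-side is what revokes a
    token, since the token hardware cannot be recalled instantly."""
    registry.pop(user, None)


def verify(user: str, code: str, registry: dict, window: int = 5) -> bool:
    """Server-side check with a look-ahead window (tokens drift ahead when
    a user presses the button without logging in). The counter is advanced
    past the accepted value so a captured code cannot be replayed."""
    entry = registry.get(user)
    if entry is None:
        return False
    for i in range(window):
        candidate = entry["counter"] + i
        if hmac.compare_digest(hotp(entry["seed"], candidate), code):
            entry["counter"] = candidate + 1
            return True
    return False


if __name__ == "__main__":
    # Known-answer check against the RFC 4226 Appendix D test vectors.
    rfc_seed = b"12345678901234567890"
    print("counter 0 ->", hotp(rfc_seed, 0))  # 755224 per RFC 4226
    print("counter 1 ->", hotp(rfc_seed, 1))  # 287082 per RFC 4226

    # Constructed scenario: the organisation issues its own token.
    registry = {}
    seed = provision_token("alice", registry)
    print("login with fresh code:", verify("alice", hotp(seed, 0), registry))
    print("replay of same code  :", verify("alice", hotp(seed, 0), registry))

    # Why seed theft matters: a copy of the seed yields identical codes,
    # and the server cannot distinguish them from the real token.
    stolen_seed = seed
    print("stolen seed matches  :", hotp(stolen_seed, 7) == hotp(seed, 7))

    # Remediation is immediate when issuance is owned in-house.
    deprovision_token("alice", registry)
    print("after de-provisioning:", verify("alice", hotp(seed, 1), registry))
```

Run directly, the script prints the RFC test codes, shows one successful login followed by a rejected replay, shows that a copied seed reproduces the token's output bit for bit, and finally shows the token being disabled by a single server-side deletion. The look-ahead window is the usual trade-off in HOTP deployments: a wider window tolerates more unused presses but gives a holder of the seed more valid codes at any moment, so it should be kept small.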