
RSA breach leaves customers waiting for answers

Experts are unclear about the level of risk facing RSA customers after the security firm revealed Thursday that hackers successfully breached its systems and stole information related to its two-factor authentication products.

RSA President Art Coviello on Thursday wrote in a notice to customers that information obtained by the hackers may teach them how to circumvent RSA's SecurID products, which include hardware token authenticators, software authenticators, authentication agents and appliances. RSA has urged customers to be more vigilant about security and issued a list of recommended actions, which mostly reiterate existing industry best practices, such as updating security products and operating systems with the latest patches.

Because RSA has so far provided few details about the attack, a number of questions remain – including how the breach may affect SecurID customers, Rich Mogull, analyst and CEO of security research and advisory firm Securosis, said on Friday.

“Should we be highly concerned?” he asked. “Absolutely. Do we know how big an issue it is? Not at all.”

Millions of customers worldwide use SecurID to protect access to sensitive assets, such as web servers, email clients and VPNs. To gain entry to a computer protected by SecurID, users must enter both a traditional password and the number displayed on a small hardware token. The value displayed on the token changes once a minute.

“What they've gone for is a tool that controls access to sensitive resources, particularly administrative access to the data center,” Scott Crawford, research director of security and risk management at consultancy Enterprise Management Associates (EMA), said on Friday. “So, it controls access to high-value assets and that really elevates the risk potential of this incident and also explains why it was a target.”

RSA has not revealed exactly how its SecurID system is affected by the breach. In a best-case scenario, the stolen information would not allow attackers to compromise the integrity of the system, Mogull said.

Of much greater concern is whether the stolen information could allow attackers to generate valid SecurID token values, which, used in combination with a password, would authenticate users. If so, users would still likely have some level of protection.

“This doesn't fully compromise the systems,” Mogull said. “You would still have the password, so you wouldn't be completely exposed.”

However, those who have improperly deployed the SecurID system and are just using the token values without a password would face a higher risk, he said.
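To make the two-factor point concrete, here is an added example (not from the article and not RSA's code): a generic HMAC-based, 60-second time-step token is used as a stand-in for the proprietary SecurID algorithm, and a verifier is run in two configurations, one that enforces a PIN and one that accepts the token value alone. The seed and timestamp are constructed sample values.

```python
import hashlib
import hmac
import struct

# Constructed stand-in for a time-synchronous token: HMAC-SHA1 over a
# 60-second counter, truncated to 6 digits. This is NOT RSA's proprietary
# SecurID algorithm; it only models what the article describes: a value
# derived from a per-token secret that rolls over once a minute.
STEP_SECONDS = 60
DIGITS = 6


def token_value(seed: bytes, unix_time: int) -> str:
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


class TokenVerifier:
    """Server side: holds each user's seed and PIN hash and checks logins."""

    def __init__(self, require_pin: bool) -> None:
        # require_pin=False models the misconfiguration the article warns about
        self.require_pin = require_pin
        self.users = {}

    def enroll(self, user: str, seed: bytes, pin: str) -> None:
        self.users[user] = (seed, hashlib.sha256(pin.encode()).digest())

    def verify(self, user: str, pin: str, token: str, unix_time: int) -> bool:
        if user not in self.users:
            return False
        seed, pin_hash = self.users[user]
        # Accept the current step and one step either side to tolerate clock drift.
        token_ok = any(hmac.compare_digest(token, token_value(seed, unix_time + d * STEP_SECONDS))
                       for d in (-1, 0, 1))
        if not token_ok:
            return False
        if not self.require_pin:
            return True  # token alone is enough: the seed is the whole secret
        return hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), pin_hash)


def demo() -> dict:
    seed = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample seed
    t = 1300400000  # constructed sample timestamp (March 2011)
    strict, lax = TokenVerifier(require_pin=True), TokenVerifier(require_pin=False)
    strict.enroll("alice", seed, "4321")
    lax.enroll("alice", seed, "4321")
    seed_derived = token_value(seed, t)  # what possession of the seed alone yields
    return {"legit_strict": strict.verify("alice", "4321", seed_derived, t),
            "seed_only_strict": strict.verify("alice", "", seed_derived, t),
            "seed_only_lax": lax.verify("alice", "", seed_derived, t)}
```

With the PIN enforced, the seed-derived value is rejected without the PIN; with token-only deployment it is accepted, which is the exposure the paragraph above describes.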

In light of the breach, RSA recommended that SecurID customers enforce strong password and PIN policies and pay close attention to the security of their Active Directories, according to the company's notice to customers.

To avoid potential social engineering attacks, customers should re-educate employees about email and phone-based phishing scams and ensure help desk practices do not inadvertently leak information that could be useful to cybercriminals, RSA said.

The company also recommended customers increase their focus on social media security, follow the rule of least privilege when assigning administrator roles, limit remote and physical access to the infrastructure hosting critical security software, and monitor for changes in user privilege levels.

To properly evaluate the level of risk SecurID customers face, it will be important to take into account the identity of the attackers – something that RSA has not revealed, Mogull added.

Coviello categorized the attack as an advanced persistent threat (APT), which is known for its sophistication and stealth and is often leveraged to steal coveted intellectual property. The term APT was initially used by the defense industrial base to refer to attacks emanating from China for the purpose of industrial espionage. Over the past year or so, the moniker started being used to describe any advanced attack.

It is unclear whether Chinese hackers were behind the breach, but if so, government, defense industry and high-tech manufacturing customers could be most at risk. 

“The big bad APT isn't interested in all of you,” Mogull wrote in a blog post Thursday.

Mogull recommended that SecurID customers contact their RSA representative to find out if they are at risk and what they can do. EMA's Crawford said he has already heard from a few end-users who are concerned.

“They basically have to wait on whatever information RSA provides about the incident before they can take any action,” he said.

In the meantime, some companies will consider alternative access control options, such as smart card-based authentication, encryption or biometrics, Crawford said.
