We have gotten a bunch of questions about what people should do, so I thought I would expand more on the advice in our last post, linked below.
Since we don’t know for sure who compromised RSA, nor exactly what was taken, nor how it could be used, we can’t make an informed risk decision. If you are in a high-security/highly-targeted industry you probably need to make changes right away. If not, some basic precautions are your best bet.
Remember that SecurID is the second factor in a two-factor system… you aren’t stripped naked (unless you’re going through airport security). Assuming it’s completely useless now, here is what you can do:
- Don’t panic. We know almost nothing at this point, and thus all we can do is speculate. Until we know the attacker, what was lost, how SecurID was compromised (assuming it was), and the potential attack vector we can’t make an informed risk assessment.
- Talk to your RSA representative and pressure them for this information.
- Assume SecurID is no longer effective. Review the passwords tied to SecurID-protected accounts and make sure they are strong (where the system allows it).
- If you are a high-value target, force a password change for any accounts whose privileges could do serious harm if abused (e.g., admins).
- Consider disabling accounts that authenticate with the token alone and don’t require a password or PIN.
- Set password attempt lockouts (3 tries to lock an account, or similar).
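As an added example (not code from the original post), here is the lockout rule in the last item applied to a constructed authentication log. The log format, the 15-minute failure window and the 30-minute lock duration are assumptions, not RSA Authentication Manager behaviour; the point is the edge cases a lockout policy has to get right: a correct passcode presented while the account is locked is still rejected, a success resets the failure count, and stale failures outside the window do not accumulate.

```python
"""Lockout-policy evaluator over a constructed authentication log.

Added example, not from the original post. The log format and the
window/duration values are assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 3                    # the post's "3 tries to lock an account"
FAILURE_WINDOW = timedelta(minutes=15)   # assumed: older failures no longer count
LOCKOUT_DURATION = timedelta(minutes=30) # assumed: how long the lock holds

# Constructed sample log (not real RSA output); user events are interleaved
# on purpose so the evaluator has to sort by timestamp.
SAMPLE_LOG = """\
2011-03-18T09:00:00 user=alice result=FAIL reason=bad_passcode src=10.1.1.5
2011-03-18T09:00:30 user=alice result=FAIL reason=bad_passcode src=10.1.1.5
2011-03-18T09:01:00 user=alice result=FAIL reason=bad_passcode src=10.1.1.5
2011-03-18T09:02:00 user=alice result=OK src=10.1.1.5
2011-03-18T09:00:00 user=bob result=FAIL reason=bad_pin src=10.1.2.9
2011-03-18T09:00:20 user=bob result=FAIL reason=bad_pin src=10.1.2.9
2011-03-18T09:00:40 user=bob result=OK src=10.1.2.9
2011-03-18T09:01:00 user=bob result=FAIL reason=bad_pin src=10.1.2.9
2011-03-18T09:01:20 user=bob result=FAIL reason=bad_pin src=10.1.2.9
2011-03-18T09:00:00 user=carol result=FAIL reason=bad_passcode src=10.1.3.3
2011-03-18T09:05:00 user=carol result=FAIL reason=bad_passcode src=10.1.3.3
2011-03-18T09:30:00 user=carol result=FAIL reason=bad_passcode src=10.1.3.3
2011-03-18T09:08:00 user=dave result=FAIL reason=bad_passcode src=10.1.4.4
2011-03-18T09:09:00 user=dave result=FAIL reason=bad_passcode src=10.1.4.4
2011-03-18T09:10:00 user=dave result=FAIL reason=bad_passcode src=10.1.4.4
2011-03-18T09:45:00 user=dave result=OK src=10.1.4.4
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)")


def parse_log(text):
    """Return (timestamp, user, credential_ok) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything not in the constructed format
        events.append((datetime.fromisoformat(m["ts"]), m["user"], m["result"] == "OK"))
    events.sort(key=lambda e: e[0])
    return events


def evaluate(events, threshold=LOCKOUT_THRESHOLD, window=FAILURE_WINDOW,
             duration=LOCKOUT_DURATION):
    """Apply the lockout policy; return (timestamp, user, outcome) decisions.

    Outcomes: ALLOWED, DENIED (bad credential, not yet locked),
    LOCKED (this failure tripped the threshold), REJECTED_LOCKED
    (any attempt, correct or not, while the lock is in force).
    """
    recent = defaultdict(list)  # user -> timestamps of failures inside the window
    locked_until = {}           # user -> time the lock expires
    decisions = []
    for ts, user, credential_ok in events:
        if user in locked_until and ts < locked_until[user]:
            # A correct passcode does not unlock the account early.
            decisions.append((ts, user, "REJECTED_LOCKED"))
            continue
        if credential_ok:
            recent[user].clear()  # success resets the failure counter
            decisions.append((ts, user, "ALLOWED"))
            continue
        # Drop failures that have aged out of the window, then count this one.
        recent[user] = [t for t in recent[user] if ts - t < window]
        recent[user].append(ts)
        if len(recent[user]) >= threshold:
            locked_until[user] = ts + duration
            recent[user].clear()
            decisions.append((ts, user, "LOCKED"))
        else:
            decisions.append((ts, user, "DENIED"))
    return decisions


def locked_users(decisions):
    """Users that tripped the lockout at least once."""
    return sorted({user for _, user, outcome in decisions if outcome == "LOCKED"})


def outcomes_for(decisions, user):
    """Outcome sequence for one user, in time order."""
    return [outcome for _, u, outcome in decisions if u == user]


if __name__ == "__main__":
    for ts, user, outcome in evaluate(parse_log(SAMPLE_LOG)):
        print(ts.isoformat(), user, outcome)
    print("locked:", locked_users(parse_log and evaluate(parse_log(SAMPLE_LOG))))
```

In the constructed log, alice is locked on her third failure and her later correct passcode is rejected; bob never locks because a success sits between his two pairs of failures; carol's three failures are spread over 30 minutes and never overlap inside the window; dave locks, waits out the 30 minutes, and is then allowed in. Whatever product you use, check that it gets these four cases right before you rely on the threshold.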
I hope we’re wrong, but that’s the safe bet until we hear more. And remember, it isn’t like Skynet is out there compromising every SecurID-‘protected’ account in the world.
5 Replies to “How Enterprises Can Respond to the RSA/SecurID Breach”
Do you really know who’s accessing your most sensitive networked information assets? Unfortunately, security built on static, reusable passwords has proven easy for hackers to beat.
Best regards,
Dan
This Advanced Persistent Threat Country is starting to affect almost everyone I know.
RSA must give us more details, did their SIEM fail?
Will we need to replace tokens?
Will RSA “make good” on any loss due to their failure?
Hack should shed light on vulnerability
I think this is the beginning of the end of “Unilateral” authentication mechanisms for secure sites. It’s immaterial if the unilateral auth mechanism used is: UserID/Password (whatever strength), Matching Pictures, Grid Patterns and/or Hard/Soft Tokens.
Whatever the final forensics are on this breach, it should alert our attention that server validation needs to be a part of internet security – at least for sensitive resources.
SecureAuth Blog: http://alturl.com/dcrr8
Garret Grajek
CTO, SecureAuth Corp.
http://www.gosecureauth.com
I’ve got another idea of how to respond: switch over to using YubiKeys instead of RSA SecurIDs 🙂
Rich,
I’m afraid you’re wrong “that SecurID is the second factor in a two-factor system… you aren’t stripped naked”. The token is the second factor, but the SecurID authentication system typically handles all the authentication. So if they compromised RSA’s auth server, it might allow access without even checking the personal remembered PIN.
The risk depends a lot on layering. If you use SecurID purely for VPN access, but have good (non-RSA) authentication for host access, I hope you have good internal security, which should keep you okay. On the other hand, if you funnel *all* enterprise authentication through a SecurID server you might be toast.