We have gotten a bunch of questions about what people should do, so I thought I would expand more on the advice in our last post, linked below.
Since we don’t know for sure who compromised RSA, nor exactly what was taken, nor how it could be used, we can’t make an informed risk decision. If you are in a high-security/highly-targeted industry you probably need to make changes right away. If not, some basic precautions are your best bet.
Remember that SecurID is the second factor in a two-factor system… you aren’t stripped naked (unless you’re going through airport security). Assuming it’s completely useless now, here is what you can do:
- Don’t panic. We know almost nothing at this point, and thus all we can do is speculate. Until we know the attacker, what was lost, how SecurID was compromised (assuming it was), and the potential attack vector we can’t make an informed risk assessment.
- Talk to your RSA representative and pressure them for this information.
- Assume SecureID is no longer effective. Review passwords tied to SecurID accounts and make sure they are strong (if possible).
- If you are a high-value target, force a password change for any accounts with privileges that could be overly harmful (e.g., admins).
- Consider disabling accounts that don’t use a password or PIN.
- Set password attempt lockouts (3 tries to lock an account, or similar).
I hope we’re wrong, but that’s the safe bet until we hear more. And remember, it isn’t like Skynet is out there compromising every SecurID-‘protected’ account in the world.