RSA warned its customers yesterday that its network had been breached and data had been stolen that could affect customers using its popular SecurID token authentication technology. Although details are scarce, here's what we know so far.
Someone launched an "extremely sophisticated cyberattack" on RSA in the form of an Advanced Persistent Threat and data was stolen related to the SecurID technology, the company said in a statement on its Web site. APT attacks are often used for espionage, targeting source code and other information within a company or government agency. They typically involve knowledge of a target's network, key employees, and operations, and can use multiple techniques to get insider information such as social engineering and exploits of unpatched holes in software. APT attacks against Google and other companies that were revealed last year used an exploit for a vulnerability in Internet Explorer that could have been delivered to insiders via e-mail. RSA has declined to provide more details on the incident at this time.
What is SecurID?
SecurID is a two-factor authentication system that organizations use to provide more protection for sensitive data and networks than just a password. With two-factor systems, someone accessing a network needs to provide something they know, which is a password or PIN, and something they have, which can be a thumbdrive-size hardware token or keyfob, or software on a mobile device. The token provides a one-time six-digit or eight-digit number a user types in along with the password so that the system can verify that the person is authorized to access the network. A different number is used every time the user logs in.
How serious is this?
RSA said it is confident that the information stolen does not enable a successful direct attack on any SecurID customers. However, the data could be used to "reduce the effectiveness" of an implementation as part of a broader attack, the company said. There is no evidence that other products are affected or that personally identifiable data on customers or employees was compromised, according to RSA.
However, given that SecurID is the most popular form of two-factor authentication and is heavily used in government agencies and financial institutions, a compromise of customer systems could ultimately affect a lot of people. There are about 40 million SecurID hardware deployments and 250 million deployments on mobile devices.
Who is behind the attack?
RSA has provided no information publicly as to the origin of the attack. However, sources told CNET that China is a likely bet. Google said the attack against it originated from China, which sources say is using whatever means it can to narrow the technology gap with the U.S. "If this is really APT, it means China," said Rich Mogull, chief executive of Securosis. Likely targets would be in the defense and industrial markets and high-tech manufacturing, he said. "If this is China they're not going to be trying to break into bank accounts."
The big question is what data was stolen. Experts wondered if the attackers were able to access a database storing so-called seed data--including unique numbers for each token that, combined with the time of day, are used to generate the one-time passcodes that flash on the devices every 30 seconds or 60 seconds. Attackers armed with that information could potentially use it to create their own pseudo-random numbers and pretend to be someone authorized to access a sensitive network.
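To make concrete why the seed data matters, here is an added example that is not part of the article and is not RSA's algorithm (SecurID's own code generation is proprietary and undisclosed); it implements the openly specified HOTP/TOTP scheme of RFC 4226 and RFC 6238 that Google Authenticator uses. It assumes a shared seed (the RFC test secret, constructed here) and shows that the code at any moment is a pure function of seed and time, so every holder of the seed derives the same six- or eight-digit value at 30 or 60 second periods.

```python
import hashlib
import hmac
import struct
import time

# Constructed example seed: the RFC 4226/6238 test secret, not a real token's seed.
SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the counter is the number of whole periods since the epoch."""
    return hotp(seed, unix_time // period, digits)


def verify(seed: bytes, candidate: str, unix_time: int,
           period: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check tolerating +/- `window` periods of clock drift."""
    step = unix_time // period
    return any(
        hmac.compare_digest(hotp(seed, step + delta, digits), candidate)
        for delta in range(-window, window + 1)
    )


if __name__ == "__main__":
    now = int(time.time())
    # The token and the server derive identical codes from nothing but seed and time.
    print("6-digit / 30 s:", totp(SEED, now))
    print("8-digit / 60 s:", totp(SEED, now, period=60, digits=8))
    # Hence anyone else holding a copy of the seed derives them too, which is the risk
    # the article describes: the displayed code is not the secret, the seed is.
    print("accepted:", verify(SEED, totp(SEED, now), now))
```

The verification window is the standard defensive trade-off: wider windows absorb clock drift on the token but extend how long an observed code stays valid.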
What should companies with SecurID deployments do?
Without more information about what data was stolen, it's difficult for companies to assess the risk. However, high-profile targets should be prepared for anything. "The safe bet is to assume that the system is completely compromised, although that doesn't mean everyone is going to be a target of attack," Mogull said.
Any organization using SecurID should make sure it has enabled passwords for accessing sensitive information, use strong passwords, and rotate them frequently, he said. It should also force a password change for accounts with high-level privileges, consider disabling accounts that don't use a password, and set lockouts so that accounts are blocked after three failed attempts, he suggested in a blog post.
Companies might also want to monitor for multiple accounts that are repeatedly failing authentication attempts, and remind users that the serial number of the token should be kept secret. IT administrators should also make sure they are running proper access controls and firewall software as well as up-to-date security software, and should patch operating systems and the other programs in use.
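The lockout and monitoring advice above reduces to a small detection routine; this is an added illustration, not code from RSA, Mogull or the article. It assumes a constructed, hypothetical authentication log format with user=, result= and src= fields, applies the three-attempt lockout, and flags a single source failing against several different accounts, the pattern the monitoring advice is meant to surface.

```python
import re
from collections import defaultdict

# Constructed sample log (not from any real system); one line per authentication attempt.
SAMPLE_LOG = """\
2011-03-18T09:01:02Z auth user=alice result=FAIL src=10.0.0.5
2011-03-18T09:01:09Z auth user=alice result=FAIL src=10.0.0.5
2011-03-18T09:01:15Z auth user=alice result=FAIL src=10.0.0.5
2011-03-18T09:01:20Z auth user=bob result=FAIL src=10.0.0.5
2011-03-18T09:01:25Z auth user=bob result=FAIL src=10.0.0.5
2011-03-18T09:01:31Z auth user=bob result=FAIL src=10.0.0.5
2011-03-18T09:02:00Z auth user=carol result=OK src=10.0.0.9
2011-03-18T09:02:10Z auth user=dave result=FAIL src=10.0.0.9
2011-03-18T09:02:20Z auth user=dave result=OK src=10.0.0.9
"""

# Hypothetical field layout; adapt the pattern to the real authentication server's log.
LINE_RE = re.compile(r"user=(?P<user>\S+) result=(?P<result>OK|FAIL) src=(?P<src>\S+)")
LOCKOUT_THRESHOLD = 3  # block after three failed tries, as suggested in the article


def analyse(log_text: str, threshold: int = LOCKOUT_THRESHOLD):
    """Return (accounts to lock, sources that failed against more than one account)."""
    consecutive_failures = defaultdict(int)
    failed_accounts_by_src = defaultdict(set)
    locked = set()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # ignore lines that are not authentication attempts
        user, result, src = m.group("user", "result", "src")
        if result == "FAIL":
            consecutive_failures[user] += 1
            failed_accounts_by_src[src].add(user)
            if consecutive_failures[user] >= threshold:
                locked.add(user)
        else:
            consecutive_failures[user] = 0  # a success resets the counter
    multi_account_sources = {src: sorted(users)
                             for src, users in failed_accounts_by_src.items()
                             if len(users) > 1}
    return sorted(locked), multi_account_sources


if __name__ == "__main__":
    to_lock, suspicious = analyse(SAMPLE_LOG)
    print("lock accounts:", to_lock)
    print("sources failing against several accounts:", suspicious)
```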
RSA issued recommendations to customers that include: focusing on security for social-media applications and Web sites accessed by anyone with access to their critical networks; reminding employees to avoid opening suspicious e-mails and providing usernames or other credentials to people without verifying the person's identity, as well as avoid complying with e-mail or phone-based requests for such information; paying special attention to securing active directories; watching closely for changes in user privilege levels and access rights; and hardening, monitoring, and limiting remote and physical access to infrastructure that hosts critical security software.
Are there alternatives for authentication?
There are competing authentication products on the market, but Mogull said he would not advise changing systems, which is an expensive move, just yet. "If this drags out and RSA doesn't tell us for a while what happened, then people maybe will need to switch products. It's way too early to start ripping SecurID out now."
One source speculated that the breach will prompt increased interest in the open-source Google Authenticator one-time passcode generators for mobile devices.
While the breach raises many questions for SecurID customers, it's not necessarily a huge black eye for RSA at this point, sources said. No company--security or other--is immune to these types of attacks, according to Mogull. "This is the name of the game moving forward," he said.
Updated March 21 at 9:57 a.m. PT to clarify that SecurID tokens can have six-digit or eight-digit codes that display every 30 seconds or 60 seconds.