RSA is scrambling to reaffirm that the strength of its SecurID technology is not diminished.
There’s no clear indication yet of whether RSA will or will not be forced to make changes to SecurID as a result of what RSA Executive Chairman Art Coviello said is “an extremely sophisticated cyber attack in progress being mounted against RSA” where information was stolen “and that some of that information is specifically related to RSA’s SecurID two-factor authentication products.” SecureID is used to protect sensitive corporate data.
But there’s already speculation that attackers gained some information about the “secret sauce” for RSA SecurID and its one-time password authentication mechanism, which could be tied to the serial numbers on tokens, says Phil Cox, principal consultant at Boston-based SystemExperts. RSA is emphasizing that customers make sure that anyone in their organizations using SecurID be careful in ensuring they don’t give out serial numbers on secured tokens. RSA executives are busy today conducting mass briefings via dial-in for customers, says Cox.
RSA has yet not responded directly to inquiries. But all of the hubbub makes security experts wonder whether a security fix for SecurID may be coming because of the discovery of the breach at RSA. Jon Gossels, president of SystemExperts, is inclined to think that may well happen; Cox, not so much. But Cox acknowledges that a massive change for tokens and the RSA authentication server would be no trivial matter for customers to undertake.
With little more to go on than that right now, the question is whether customers are likely to feel a loss of confidence in using SecurID, the two-factor authentication system. Or to not have confidence in RSA the company.
“Until RSA gives out more information, enterprises should certainly hold up any planned SecurID procurements. With existing use, pay more attention to access logs until more information comes out,” says Gartner analyst John Pescatore.
Pescatore notes that just saying, as RSA did, that the breach relates to an “advanced persistent threat” “is “just trying to deflect attention from RSA’s failure to protect their systems. Most large enterprises, and certainly all major security companies with any threat experience, have been dealing with targeted threats for several years.”
Should customers give up using their SecurID tokens now?
Cox himself answers with a definite “no,” saying he himself uses SecurID.
The SecureID system includes an authentication manager and hardware and software tokens used in many forms for two-factor authentication. Should customers, after learning what they have so far about this data breach at RSA, be inclined to buy SecurID? Has RSA — which has a broad line of security products for access control, anti-fraud monitoring, security information management, encryption, and governance and compliance and is undertaking to build a cloud-security product — suffered a body blow to its reputation from which it will take long to recover?
So far, the reaction seems to be a muted wait-and-see attitude.
“Time is the teller,” says Alex Naveira, information technology security officer at Miami’s Children’s Hospital, who notes RSA has had a “solid reputation” for a long time. He doesn’t use SecurID today but based on what’s known so far about RSA’s cyberattack, he wouldn’t dismiss RSA because of it.
Scott Crawford, research director, security and risk management at consultancy Enterprise Management Associates, says it would be “useful” if RSA put out more information. But so far he says the fact that RSA has acknowledged it’s become the victim of stealthy cyberattack aimed at infiltrating and stealing information (RSA itself refers to itself as an advanced persistent threat) is not cause enough to stop using SecurID or drop RSA as a vendor.
There are bound to be concerns, since SecurID tokens are typically used for high-value transactions, he points out, such as in financial transaction or network administrative control function. And until RSA provides more information, there will be a lot of questions about what happened at RSA and how the attack took place.
In the “RSA SecurCare” note that RSA sent out to its customers, which alludes to the “extremely sophisticated cyber attack” that was identified, RSA lists a set of recommendations for SecurID customers. The fact that the first one is, “We recommend customers increase their focus on security for social media applications and the use of those applications and Web sites by anyone with access to their critical networks,” raises a few eye-brows.
“It’s interesting they mention social media first,” said Crawford. While it’s not clear why that might be, making social media the top of the list of nine specific recommendations suggests RSA perceives some specific risks there. “Perhaps it’s the information that can be gleaned about people or that it can be a way to propagate malware,” says Crawford.