With the theft of sensitive data about RSA's SecurID technology, large businesses should reassess the risks to the assets the two-factor authentication deployment is supposed to protect, a risk management expert advises.
"You have to ask yourself if you are a big enough shop that you could be a target," says John Pironti, president of IP Architects, a security consulting firm. That's because attackers who might make use of the stolen information will look for victims that have the richest cache of data to loot, he says.
Whereas before the theft businesses might have had a high degree of confidence that SecurID was a strong authentication protection, now they should consider that it might be compromised, Pironti says.
RSA hasn't detailed what was stolen, but the fact that the company made a public announcement, including a filing with the Security and Exchange Commission, indicates that some fundamental piece of the technology has fallen into attackers' hands, he says, and businesses need to take specific steps:
- Update their threat and vulnerability analysis to elevate SecurID as a potential vulnerability. Many businesses regarded the technology as solid and not representing a significant source of vulnerability, Pironti says.
- Pore over logs looking for failed login attempts using false user names.
- Monitor failed SecurID attempts, something that might not have been done because the technology was trusted. In general, security personnel should pay more attention to the activities of employees using SecurID.
- Consider alternatives to go to if it turns out SecurID has in fact been compromised. In that case businesses should start looking for a third factor for authentication such as smartcards, biometrics or digital certificates and perhaps consider migrating away from SecurID, he says.
Worst case: Thieves stole the master key to RSA's pseudo-random number generator and can manufacture phony ones to break into corporate networks, Pironti says.
So far there's no evidence that has happened, but if it does, businesses need to have a fallback plan for what they will do, Pironti says. "The system would still require a user name and password, but now you have reduced confidence that this is the person who they say it is," he says.
Because of the capital and operational costs of deploying SecurID, it is almost always used to protect access to businesses' most valued assets and high value transactions, Pironti says, so anything protected by it is a likely target.
He leans toward believing the thieves stole something fundamental to how SecurID works, not something that could be used against particular customers or particular environments. Otherwise RSA would have kept the incident low key, contacting only those customers affected. The general announcement indicates that any SecurID customer faces a new risk, he says.
He says he hasn't heard about any increase in compromised networks that are protected by SecureID. "There haven't been spikes in public breach activity," he says.
Pironti has been telling his clients that stealing core security technology is a prime target of attackers because that can undermine the security of vast amounts of data and transactions. "It's a great business opportunity from a hacker's standpoint," he says.