Experts were unclear about the level of risk facing RSA customers after the security firm revealed last Thursday that hackers breached its systems to steal information related to its two-factor authentication products.
RSA President Art Coviello on Thursday wrote in a notice to customers that information obtained by the hackers may teach them how to circumvent RSA's SecurID products, which include hardware token authenticators, software authenticators, authentication agents and appliances.
RSA has urged customers to be more vigilant about security and issued a list of recommended actions, which mostly reiterate existing industry best practices, such as updating security products and operating systems with the latest patches.
Because RSA has provided few details about the attack, questions remained about how the breach may affect SecurID customers, said Rich Mogull, analyst and CEO of security research and advisory firm Securosis.
“Should we be highly concerned?” he asked. “Absolutely. Do we know how big an issue it is? Not at all.”
Millions of customers worldwide use SecurID to protect access to sensitive assets, such as web servers, email clients and VPNs. To gain entry to a computer protected by SecurID, users must enter a password and the number displayed on a small hardware token. The value displayed on the token changes every minute.
“What they've gone for is a tool that controls access to sensitive resources, particularly administrative access to the data center,” said Scott Crawford, research director of security and risk management at consultancy Enterprise Management Associates.
“So, it controls access to high-value assets and that really elevates the risk potential of this incident and also explains why it was a target.”
RSA has not revealed how its SecurID system was affected by the breach. In a best-case scenario, the stolen information would not allow attackers to compromise the integrity of the system, Mogull said.
Of much greater concern is whether the stolen information could allow attackers to generate valid SecurID token values that, combined with a password, would authenticate them as legitimate users. Even if so, users would still likely retain some level of protection.
“This doesn't fully compromise the systems,” Mogull said. “You would still have the password, so you wouldn't be completely exposed.”
However, those who have improperly deployed the SecurID system and are using the token values alone, without a password, would face a higher risk, he said.
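The two risk levels Mogull describes, a stolen seed against a password-plus-token deployment versus a stolen seed against a token-only deployment, are easiest to see with a small model of a time-based token. The block below is an added example, not code from the article or from RSA; RSA's tokencode algorithm is proprietary and is not reproduced here, so RFC 4226 HOTP and RFC 6238 TOTP stand in for it, sharing the property that matters: a per-token seed plus the current time yields the displayed number, so whoever holds the seed can compute the same number. The seed (the RFC 4226 test vector), the password, the timestamp and the one-minute step are all constructed assumptions.

```python
import hashlib
import hmac
import struct

# Constructed values for this example (assumptions, not real SecurID material).
# RSA's tokencode algorithm is proprietary; RFC 4226/6238 HOTP/TOTP is used here as a
# stand-in with the same shape: a per-token seed plus the current time yields the code.
TOKEN_SEED = bytes.fromhex("3132333435363738393031323334353637383930")  # RFC 4226 test seed
USER_PASSWORD = "correct horse battery staple"                          # the user's first factor
STEP_SECONDS = 60    # the article: the displayed value changes every minute
DIGITS = 6


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated to `digits`."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def token_value(seed: bytes, at: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: the code a seed-holding device would display at Unix time `at`."""
    return hotp(seed, at // step)


def _token_matches(tokencode: str, seed: bytes, at: int, skew: int) -> bool:
    """Accept the code for the current step or any step within +/- skew (clock drift)."""
    return any(
        hmac.compare_digest(tokencode.encode(), hotp(seed, at // STEP_SECONDS + d).encode())
        for d in range(-skew, skew + 1)
    )


def verify_two_factor(password: str, tokencode: str, seed: bytes, at: int, skew: int = 1) -> bool:
    """Properly deployed SecurID-style login: password AND a current tokencode are required."""
    password_ok = hmac.compare_digest(password.encode(), USER_PASSWORD.encode())
    token_ok = _token_matches(tokencode, seed, at, skew)
    return password_ok and token_ok


def verify_token_only(tokencode: str, seed: bytes, at: int, skew: int = 1) -> bool:
    """The improper deployment the article warns about: the tokencode alone grants access."""
    return _token_matches(tokencode, seed, at, skew)


def breach_scenarios(at: int) -> dict:
    """What an attacker who stole the seed material can do: mint the same tokencode
    as the user's device, then present it against each deployment style."""
    minted = token_value(TOKEN_SEED, at)   # attacker's cloned token output, no device needed
    return {
        "legit_user_password_and_token": verify_two_factor(USER_PASSWORD, minted, TOKEN_SEED, at),
        "attacker_seed_only_vs_two_factor": verify_two_factor("guess", minted, TOKEN_SEED, at),
        "attacker_seed_only_vs_token_only": verify_token_only(minted, TOKEN_SEED, at),
    }


if __name__ == "__main__":
    for name, ok in breach_scenarios(1_300_000_000).items():   # constructed timestamp, March 2011
        print(f"{name}: {'ACCESS GRANTED' if ok else 'denied'}")
```

Running it shows the point in both directions: with the seed alone the attacker is refused by the two-factor check but admitted by the token-only check, which is exactly why the password or PIN policy RSA urges below matters more, not less, after a seed compromise.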
In light of the breach, RSA recommended that SecurID customers enforce strong password and PIN policies and pay close attention to the security of their Active Directory environments, according to the company's notice to customers.
To avoid potential social engineering attacks, customers should re-educate employees about email and phone-based phishing scams and ensure help desk practices do not inadvertently leak information that could be useful to cybercriminals, RSA said.
The company also recommended that customers increase their focus on social media security, follow the principle of least privilege when assigning administrator roles, limit remote and physical access to the infrastructure hosting critical security software, and monitor for changes in user privilege levels.
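One of the recommendations above, monitoring for changes in user privilege levels, is concrete enough to show as detection logic. The block below is an added example, not code from the article, RSA or any vendor: it scans Windows Security group-membership events (4728, 4732 and 4756 are the real "member added" event IDs; 4729 is a removal) for additions to privileged groups and distinguishes changes made by the accounts expected to make them. The one-line log format, the privileged-group list, the authorized-admin list and every log line are constructed assumptions for this example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Windows Security event IDs for "member added to a security-enabled group" (real IDs).
GROUP_ADD_EVENTS = {4728: "global", 4732: "local", 4756: "universal"}

# Assumption for this example: groups whose membership equals administrative access.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

# Assumption: accounts expected to change privileged group membership; anyone else is suspect.
AUTHORIZED_ADMINS = {r"CORP\iam_admin"}

# Constructed log lines in a simplified one-line-per-event format (not real exported data).
SAMPLE_LOG = """\
2011-03-18T09:15:44Z EventID=4732 Subject=CORP\\helpdesk1 Member=CORP\\jdoe Group="Remote Desktop Users"
2011-03-18T09:16:02Z EventID=4728 Subject=CORP\\helpdesk1 Member=CORP\\jdoe Group="Domain Admins"
2011-03-18T10:02:30Z EventID=4728 Subject=CORP\\iam_admin Member=CORP\\newdba Group="Domain Admins"
2011-03-18T21:40:13Z EventID=4756 Subject=CORP\\svc_backup Member=CORP\\tmp_admin Group="Enterprise Admins"
2011-03-18T22:01:55Z EventID=4729 Subject=CORP\\iam_admin Member=CORP\\tmp_admin Group="Enterprise Admins"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) EventID=(?P<event_id>\d+) Subject=(?P<actor>\S+) '
    r'Member=(?P<member>\S+) Group="(?P<group>[^"]+)"$'
)


@dataclass
class GroupChange:
    ts: str
    event_id: int
    actor: str
    member: str
    group: str


@dataclass
class PrivilegeAlert:
    change: GroupChange
    reason: str


def parse_line(line: str) -> Optional[GroupChange]:
    """Parse one constructed log line; returns None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return GroupChange(m["ts"], int(m["event_id"]), m["actor"], m["member"], m["group"])


def find_privilege_escalations(lines: Iterable[str]) -> List[PrivilegeAlert]:
    """Flag every addition of a member to a privileged group; mark the reason as
    unauthorized when the actor is not an account that is supposed to make such changes."""
    alerts: List[PrivilegeAlert] = []
    for line in lines:
        change = parse_line(line)
        if change is None or change.event_id not in GROUP_ADD_EVENTS:
            continue                       # removals and unrelated events are not escalations
        if change.group not in PRIVILEGED_GROUPS:
            continue                       # membership changes in ordinary groups are not alerted
        scope = GROUP_ADD_EVENTS[change.event_id]
        if change.actor in AUTHORIZED_ADMINS:
            reason = f"privileged {scope} group change by authorized admin (review)"
        else:
            reason = f"privileged {scope} group change by UNAUTHORIZED actor"
        alerts.append(PrivilegeAlert(change, reason))
    return alerts


if __name__ == "__main__":
    for a in find_privilege_escalations(SAMPLE_LOG.splitlines()):
        c = a.change
        print(f"{c.ts} {c.actor} added {c.member} to '{c.group}': {a.reason}")
```

On the sample data the help-desk account adding itself to Domain Admins and a service account populating Enterprise Admins after hours are reported as unauthorized, while the IAM admin's change is surfaced for review rather than silently accepted; feeding the same logic a real event export only requires replacing the parser with one for that export's format.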
To properly evaluate the level of risk SecurID customers face, it will be important to take into account the identity of the attackers, something RSA has not revealed, Mogull added.
Coviello categorised the attack as an advanced persistent threat or APT, which is known for its sophistication and stealth and is often leveraged to steal coveted intellectual property. The term was initially used by the defence industrial base to refer to attacks emanating from China for the purpose of industrial espionage. Over the past year or so, the moniker started being used to describe any advanced attack.
It is unclear whether Chinese hackers were behind the breach but, if so, government, defence industry and high-tech manufacturing customers could be most at risk.
“The big bad APT isn't interested in all of you,” Mogull wrote in a blog post Thursday.
Mogull recommended that SecurID customers contact their RSA representative to find out if they are at risk and what they can do. EMA's Crawford said he has already heard from a few end-users who are concerned.
“They basically have to wait on whatever information RSA provides about the incident before they can take any action,” he said.
In the meantime, some companies will consider alternative access control options, such as smart card-based authentication, encryption or biometrics, Crawford said.