RSA SecurID News - What We Know, What We Don't

03/18/2011 | Chris Silva

It's been a busy day hearing from clients on the recent announcement by RSA Executive Chairman Art Coviello that the vendor's SecurID products may experience a vulnerability due to a compromise of data on the popular two-factor authentication product's design. Our Faculty have been covering this story in many different outlets.

What do we know? While the vendor doesn't explicitly share what's been compromised in the way of information, saying only, "information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation," you can bet that it's inclusive of - or believed to be inclusive of - some fundamental IP.

We may never find out exactly what was compromised, though I would not be surprised to see some legal action at a federal level to find out - after all, there are a lot of those devices around the necks of clearance-wielding beltway bureaucrats, though not nearly as stylishly as when donned by IANS Faculty member Marcus Ranum. What was compromised is the red herring here; what matters is whether or not your organization is relying solely on the RSA solution to protect critical assets. Possessing a defense-in-depth strategy that incorporates rigorous data classification, detailed role-based access control, and a detailed logging implementation (for users and events) means that you've likely only experienced a weakening in one piece of a multiple-component information protection strategy.

If you were contemplating replacing the SecurID tool in your authentication arsenal, you've likely decided to move away from the product at this point. But bear in mind, due to the supposed sophistication of this attack, it's possible that any other solution vendor could experience something similar. This breach was not - as far as we know - due to any recklessness on the part of RSA. Therefore, simply shifting risk is not a valid response. If you're looking to explore new means to conduct 2nd factor authentication, we're always happy to have a conversation; give us a call and set up an Ask An Expert with our Faculty.

In sum, the big "who" and "what" questions around what's been touched aren't answered and - barring government intervention - won't be. But here are the questions you should be asking your team:

  • Do I have a sufficient defense-in-depth strategy?
  • Do I know what authentication schema are protecting critical assets and do I have a complete picture of what's "critical"?
  • What tools are in my arsenal to identify suspicious access activity?
  • Who has access to what data, and how frequently are they accessing it?

If you can answer all or most of these questions, you're on the right path. This will be an interesting saga to see play out. Given SecurID's status as a flagship product for RSA, the breach will have some serious impacts for shareholders (no coincidence these docs were filed with the SEC). The bigger question remains: once inside, did the perpetrators of this attack simply stop at the SecurID secret sauce? Would you?