RSA Security

August 11, 2011


One of the biggest names in the security industry goes down

I am sure everyone has heard of the hacking of RSA, the security division of EMC. They have been in the news for a long time now, for all the wrong reasons. So the question is: what went wrong?


In March 2011 the company admitted that its SecurID two-factor authentication product had been compromised in an intrusion into RSA's own network. The biggest issue is that RSA has still not fully owned up to "what" was stolen from its servers; even its open letter to customers is evasive on this point. And, let us be practical, it would not be in RSA's business interest to admit that its product can no longer be relied upon and that customers should stop using it.

What do the security gurus recommend?

Hence, in a scenario where the "trust" between the security product and its users is broken, we should assume the worst case: that the attackers obtained the secret seed values programmed into the tokens, together with the records that tie each seed to a token serial number and hence to a customer. Note that the token algorithm itself is not the secret; the seeds are. Anyone holding a token's seed can compute the same one-time codes as the token, so the only thing left protecting the account is the user's PIN or password, and the tokens add nothing. This is the recommendation of security commentators across the globe, including Bruce Schneier.
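The following is an added example, not code from the original post and not RSA's algorithm: SecurID uses a proprietary AES-based scheme, so standard RFC 6238 TOTP stands in for it here (the seed below is RFC 6238's published test key, used as a hypothetical "stolen" seed). The point it demonstrates is the worst case above: a verifier that only holds the seed cannot tell a code computed by the physical token from one computed by an attacker who copied the seed.

```python
import hmac
import hashlib
import struct
import time

# Hypothetical stolen seed (RFC 6238 test key, constructed for this example).
# RFC 6238 TOTP stands in for RSA's proprietary SecurID algorithm.
STOLEN_SEED = b"12345678901234567890"
STEP_SECONDS = 30


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(seed, unix_time // STEP_SECONDS, digits)


class TokenServer:
    """Minimal verifier: one seed per user on file; accepts the current step or its neighbours."""

    def __init__(self, seeds_by_user):
        self.seeds_by_user = seeds_by_user

    def verify(self, user: str, code: str, unix_time: int, window: int = 1) -> bool:
        seed = self.seeds_by_user.get(user)
        if seed is None:
            return False
        counter = unix_time // STEP_SECONDS
        for drift in range(-window, window + 1):
            if hmac.compare_digest(hotp(seed, counter + drift), code):
                return True
        return False


def attacker_can_login(server: TokenServer, user: str, stolen_seed: bytes, unix_time: int) -> bool:
    """The attacker never touched the physical token; the copied seed alone yields a valid code."""
    forged_code = totp(stolen_seed, unix_time)
    return server.verify(user, forged_code, unix_time)


if __name__ == "__main__":
    server = TokenServer({"alice": STOLEN_SEED})
    now = int(time.time())
    print("token displays:", totp(STOLEN_SEED, now))
    print("attacker accepted with forged code:", attacker_can_login(server, "alice", STOLEN_SEED, now))
```

The server has no way to distinguish the two parties, which is why a seed leak is not something logging or monitoring on the authentication server can detect after the fact; only re-seeding the tokens removes the attacker's advantage.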

To make matters worse:

The concerns are only heightened by the fact that Lockheed Martin, a contractor for the US military and the Department of Defense, suffered an intrusion attempt that used the material taken from RSA. Late, but RSA did take ownership: it confirmed that the attackers at Lockheed used information stolen from RSA's servers in their attempt to bypass Lockheed's two-factor authentication (2FA).

Short term & tactical measures:

Until the organisations that use RSA tokens can put a long-term solution in place, we should treat RSA's 2FA as broken and therefore unreliable. All we are left with is single-factor authentication (the user's ID and password).
Hence, we must ensure this single remaining control is well protected and that there are adequate measures to keep it from being compromised. Such controls could include:
  • A better logging and audit policy, with alerting on failed logins rather than logs that nobody reads
  • Locking accounts after a small number of consecutive failed login attempts (3 is suggested here), while remembering that an attacker who knows usernames can use lockout to deny service, so pair it with alerting and a quick unlock process
  • Enforcing stronger password policies
  • Ensuring users do not disclose their passwords, and remain wary of social engineering and phishing attempts
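As an added example of the logging and lockout controls above (this is not code from the original post, and the log format and sample lines are constructed for illustration), the following monitor reads authentication log lines, counts consecutive failures per account inside a time window, and reports which accounts crossed the threshold together with the source addresses involved, which is what the audit policy should be surfacing to an operator.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from any real system). Assumed line format:
# "<ISO timestamp> auth <OK|FAIL> user=<name> src=<ip>"
SAMPLE_LOG = """\
2011-08-10T09:00:01 auth FAIL user=alice src=203.0.113.9
2011-08-10T09:00:05 auth FAIL user=alice src=203.0.113.9
2011-08-10T09:00:09 auth FAIL user=alice src=203.0.113.9
2011-08-10T09:00:12 auth FAIL user=alice src=203.0.113.9
2011-08-10T09:01:00 auth OK   user=bob   src=198.51.100.4
2011-08-10T09:02:00 auth FAIL user=bob   src=198.51.100.4
2011-08-10T09:40:00 auth FAIL user=bob   src=198.51.100.4
2011-08-10T09:41:00 auth FAIL user=bob   src=198.51.100.4
2011-08-10T09:41:30 auth OK   user=bob   src=198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)


def parse(log_text):
    """Yield (timestamp, result, user, source) tuples; malformed lines are skipped, not fatal."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]


def find_lockouts(log_text, threshold=3, window=timedelta(minutes=15)):
    """Return {user: (lockout_time, [source_ips])} for accounts with `threshold`
    consecutive failures inside `window`. A successful login resets the count,
    and failures older than the window are forgotten."""
    recent = defaultdict(deque)  # user -> deque of (timestamp, src) for recent failures
    locked = {}
    for ts, result, user, src in parse(log_text):
        if user in locked:
            continue  # already locked; further attempts are noise for this report
        if result == "OK":
            recent[user].clear()
            continue
        q = recent[user]
        q.append((ts, src))
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold:
            locked[user] = (ts, sorted({s for _, s in q}))
    return locked


if __name__ == "__main__":
    for user, (when, sources) in find_lockouts(SAMPLE_LOG).items():
        print(f"LOCK {user} at {when.isoformat()} after failures from {', '.join(sources)}")
```

With the sample above, alice is locked at her third failure and bob is not, because his failures are spread over more than the window and his successful login resets the count. The same report, run with a lower threshold, is also a cheap way to spot password-spraying that stays just under the lockout limit.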

Long-term solutions:

  • Accept RSA's offer to replace the tokens: This only helps if RSA can commit that the replacement tokens carry seeds generated after the breach, and that those seeds and their serial-number records were never exposed to the intruders
  • Replace the RSA tokens with a different vendor's: This could also be a good approach, as long as the new vendor is reliable and selected after proper due diligence
  • Discontinue the use of hardware tokens: Organisations could explore not using hardware tokens at all, and consider soft tokens (software based) or sending one-time passwords (OTP) over SMS or email instead. Bear in mind that SMS and email OTPs can be intercepted or phished more easily than a hardware token's code, so they are a stop-gap rather than an equivalent replacement

Kunal got into the IT security industry after completing the Cyberspace Security course at Georgian College, Canada, and has worked with financial companies since. This has not only given him experience in an environment where security is crucial, but has also provided him with valuable expertise in the field. He has over 5 years of experience and a number of certifications to his name, including Offensive Security's OSCP, CompTIA's Security+, Cisco Router Security, ISO 27001 LA, etc.
