RSA SecurID compromise: What should users do next?

RSA has finally come clean that the data breach it suffered in mid-March is linked to a hacker attack on defence contractor Lockheed Martin in May.


But exactly where does this leave the estimated 40 million users of RSA's SecurID remote access tokens?

RSA executive chairman Art Coviello says the attack on Lockheed does not reflect a new threat or vulnerability in RSA SecurID technology, but still RSA has undertaken to replace SecurID tokens for customers with "concentrated user bases" typically focused on protecting intellectual property and corporate networks.

In an open letter to customers, Coviello also offered to implement risk-based authentication strategies for consumer-focused customers with a large, dispersed user base, typically focused on protecting web-based financial transactions.

Security experts are advising all eligible organisations to take up RSA's offers as quickly as possible, especially those protecting intellectual property, but say some clarity on the scope of replacement would be useful as the term "concentrated user base" is vague.

Although the undertakings are commendable, RSA really has little choice if it is going to limit long-term damage to its reputation as a supplier of secure remote network access tokens, and in the meantime, while tokens are being replaced, SecurID customers are potentially at risk of attack.


What should organisations that use SecurID be doing?

There are several things users of RSA tokens could and should be doing to minimise the risks, says James Lyne, director of technology strategy at Sophos.

Organisations should ensure they use tokens in a mixed mode, he says. Some systems are configured to use a username and token code only (obviously very weak now) or username and PIN + tokencode (4 digits between an attacker and your data). "Configure use of a mixed mode including strong passwords as extra mitigation. The combination will make attacks much harder," said Lyne.

Organisations can limit risk by reducing the attack surface: restrict the resources that are accessible using SecurID tokens to the bare minimum, and configure authentication logging so that logged-on users and potential brute-force attempts can be tracked.
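The logging advice above is easier to act on with a concrete check. The following is an added example, not code from the article, Sophos or RSA: it parses a small set of constructed authentication log lines and flags two things a SecurID administrator would want to see, a burst of failures per user or per source address (brute force or spraying), and a success that follows a run of failures on the same account, which is the pattern a short PIN guess would leave once a token seed is in the wrong hands. The log layout, field names and sample addresses are assumptions made for this example; RSA Authentication Manager's real log format differs and the regular expression would need adjusting for a production export.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log. The "timestamp RESULT user= src=" layout is an
# assumption made for this example; real RSA Authentication Manager logs look different.
SAMPLE_LOG = """\
2011-06-07T09:00:01 AUTH_SUCCESS user=alice src=10.1.1.5
2011-06-07T09:00:10 AUTH_FAILURE user=bob src=203.0.113.7
2011-06-07T09:00:14 AUTH_FAILURE user=bob src=203.0.113.7
2011-06-07T09:00:19 AUTH_FAILURE user=bob src=203.0.113.7
2011-06-07T09:00:25 AUTH_FAILURE user=bob src=203.0.113.7
2011-06-07T09:00:31 AUTH_FAILURE user=bob src=203.0.113.7
2011-06-07T09:00:40 AUTH_SUCCESS user=bob src=203.0.113.7
2011-06-07T09:02:00 AUTH_FAILURE user=carol src=10.1.1.9
2011-06-07T09:02:05 AUTH_SUCCESS user=carol src=10.1.1.9
2011-06-07T09:10:00 AUTH_FAILURE user=dave src=198.51.100.9
2011-06-07T09:10:02 AUTH_FAILURE user=erin src=198.51.100.9
2011-06-07T09:10:04 AUTH_FAILURE user=frank src=198.51.100.9
2011-06-07T09:10:06 AUTH_FAILURE user=dave src=198.51.100.9
2011-06-07T09:10:08 AUTH_FAILURE user=erin src=198.51.100.9
2011-06-07T09:10:10 AUTH_FAILURE user=frank src=198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"(?P<result>AUTH_SUCCESS|AUTH_FAILURE) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Turn raw log text into a time-ordered list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line: ignore it rather than abort the whole run
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def find_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Return sorted (kind, value) keys that saw >= threshold failures inside a sliding window.

    Counting per user catches PIN guessing against one account; counting per source
    address also catches spraying, where each account sees only a couple of failures.
    """
    recent = defaultdict(deque)
    flagged = set()
    for ev in events:
        if ev["result"] != "AUTH_FAILURE":
            continue
        for key in (("user", ev["user"]), ("src", ev["src"])):
            dq = recent[key]
            dq.append(ev["ts"])
            while dq and ev["ts"] - dq[0] > window:
                dq.popleft()  # drop failures that fell out of the window
            if len(dq) >= threshold:
                flagged.add(key)
    return sorted(flagged)


def find_success_after_failures(events, min_failures=3, window=timedelta(minutes=5)):
    """Return users whose successful login followed >= min_failures failures in the window.

    With a token seed in an attacker's hands, a short PIN is all that is left to guess,
    so a success right after a burst of failures on the same account deserves a look.
    """
    failures = defaultdict(deque)
    suspicious = []
    for ev in events:
        dq = failures[ev["user"]]
        while dq and ev["ts"] - dq[0] > window:
            dq.popleft()
        if ev["result"] == "AUTH_FAILURE":
            dq.append(ev["ts"])
        elif len(dq) >= min_failures:
            suspicious.append(ev["user"])
            dq.clear()  # report once per burst
    return suspicious


def logged_on_users(events):
    """Sorted list of users with at least one successful authentication."""
    return sorted({ev["user"] for ev in events if ev["result"] == "AUTH_SUCCESS"})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("logged on:", logged_on_users(evs))
    print("brute-force keys:", find_brute_force(evs))
    print("success after failures:", find_success_after_failures(evs))
```

On the constructed sample, `find_brute_force` flags both source addresses and the user `bob`, but none of the sprayed accounts individually, which is why the per-source key matters; `find_success_after_failures` flags only `bob`, whose login succeeded after five failures in under a minute. Thresholds and the window are starting points to tune against a site's real baseline of mistyped PINs.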

Lyne suggests that organisations use this opportunity to consider why they use two-factor authentication and consider their identity strategy in general. "Some may want to consider use of digital certificates, for example, in addition to tokens to restrict access to specific devices," he said.

Overall, organisations need to be diligent with other security controls such as anti-malware. "Attackers may use other points of infrastructure to launch attacks to steal data," warned Lyne. Keeping systems patched, up-to-date and protected by modern security controls, he says, will potentially help spot abuse.


Tackling the growing threats to digital data

In the wake of a string of high-profile data breaches, few would disagree with Coviello that the threats to digital information continue to escalate, but what remains to be seen is whether RSA's technology can keep pace.

While Coviello says SecurID is the most powerful multi-factor authentication solution in the industry, he says RSA will continue to provide additional factors for strong authentication, in what is perhaps the clearest indicator yet that RSA recognises it will have to up its game to keep customer data safe.
