On 3 June 2011, RSA, the Security Division of EMC, confirmed that Lockheed Martin had proof that hackers attacked its network partly by using data stolen in a March 2011 attack on RSA. Subsequently, on 6 June 2011, RSA announced a program to replace customers’ RSA SecurID one-time password (OTP) authentication product tokens
For current customers, RSA has published guidance that focuses on putting in place better protection of the systems that maintain the userid-to-token mappings and of the token seed values.
However, the risk here is higher than it first might appear. Two thoughts:
1) Protection strategies absolutely must include better protection of endpoints where reportedly the hackers were able to obtain the user-to-token mappings using a keystroke-logger or Zues-like Trojan. It is typically much easier to target end-users as a weak link rather then enterprise servers. This problem is compounded when contractors, home users and other non-enterprise managed assets use SecurID for strong authentication. On these systems, the enterprise may or may not have a security stack present (like an endpoint protection platform), the users may run as administrators and the patching discipline is unknown. End-users are the weakest link and end-users coming from unmanaged devices make this even weaker.
2) The attack on RSA was an organized attack, likely a state-sponsored Advanced Persistent Threat. The assumption that the hackers would obtain the seed key values from RSA and then go target enterprises may be far too optimistic. It is quite possible that the hackers obtained at least some of the user-to-token mappings before the attack on RSA occurred, knowing that once the breach at RSA became public, enterprises would place stronger controls on the systems that contained the user-to-token mappings. In other words, we might be trying to close the barn door after the horse is already out.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.