After RSA hack, security left to customers

You’ve probably heard by now about the break-in at security firm RSA, a division of EMC. The hackers penetrated RSA’s servers and stole information about its RSA SecurID two-factor authentication tokens. The tokens are used for authentication by 40 million end users to access highly confidential corporate and government networks.

“Whoever attacked RSA has certain information” about the product, “but not enough to complete a successful attack without obtaining additional information that is only held by our customers,” the company said.

To compromise a SecurID deployment an attacker would need information about the token, the corporate customer, the individual user and the user’s PIN, the company said.

The attack was in the category of an Advanced Persistent Threat or APT. This means the attack could have been ongoing for days, weeks, or months. APTs are a broad class of computer attacks that typically use sophisticated and often multiple exploits to quietly breach system defenses. The goal of such an attack usually is not to disrupt the system’s operations, but to remain hidden and quietly gather information, such as proprietary source code, for as long as possible without attracting attention.

In light of the compromise of its security products, RSA is urging customers to follow a variety of security best practices. These include: “enforce strong password and pin policies,” “re-educate employees on the importance of avoiding suspicious emails,” and “harden, closely monitor, and limit remote and physical access to infrastructure that is hosting critical security software.”

RSA further advised customers to lock down SecurID Authentication Manager databases, review recent logs for unusually high rates of failed authentication attempts, establish strong PIN and lockout policies, and educate help desks and users about avoiding social engineering attempts to gain information.
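Two of the items above, reviewing authentication logs for unusually high failed-attempt rates and enforcing a lockout policy, can be put into a small script. The following is an added example, not code from the article or from RSA; the log line format, the field names, the sample entries and the thresholds are all constructed assumptions for illustration. It finds users whose failed logins within a sliding window exceed a threshold, applies a consecutive-failure lockout rule, and flags a success that is logged after the lockout limit was reached, which would suggest the lockout is not actually being enforced.

```python
"""Added example (not from the original article): scan authentication-server
log lines for high failed-attempt rates and apply a simple lockout policy.
Log format, field names, sample data and thresholds are assumptions."""

from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed format:
# "<ISO timestamp> user=<name> src=<ip> result=<SUCCESS|FAIL>"
SAMPLE_LOG = """\
2011-03-18T09:00:01 user=alice src=10.0.0.5 result=SUCCESS
2011-03-18T09:00:10 user=bob src=10.0.0.9 result=FAIL
2011-03-18T09:00:12 user=bob src=10.0.0.9 result=FAIL
2011-03-18T09:00:15 user=bob src=10.0.0.9 result=FAIL
2011-03-18T09:00:17 user=bob src=10.0.0.9 result=FAIL
2011-03-18T09:00:20 user=bob src=10.0.0.9 result=FAIL
2011-03-18T09:00:25 user=bob src=10.0.0.9 result=SUCCESS
2011-03-18T09:05:00 user=carol src=10.0.0.7 result=FAIL
2011-03-18T09:20:00 user=carol src=10.0.0.7 result=SUCCESS
"""

FAIL_THRESHOLD = 5              # failures inside the window that raise an alert (assumed)
WINDOW = timedelta(minutes=10)  # sliding window length (assumed)
LOCKOUT_AFTER = 5               # policy: lock after this many consecutive failures (assumed)


def parse_line(line):
    """Turn one log line into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def failed_auth_spikes(records, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {user: peak failures in any window} for users at or above threshold."""
    failures = defaultdict(list)
    for rec in records:
        if rec["result"] == "FAIL":
            failures[rec["user"]].append(rec["ts"])
    flagged = {}
    for user, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            # Slide the window start forward until it fits inside `window`.
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[user] = peak
    return flagged


def lockout_decisions(records, max_failures=LOCKOUT_AFTER):
    """Return (locked_users, suspicious_users).

    A user is locked once consecutive failures reach max_failures. A success
    resets the streak; a success logged after the lockout point means the
    lockout was not enforced, so that user is also reported as suspicious."""
    streak = defaultdict(int)
    locked, suspicious = set(), set()
    for rec in sorted(records, key=lambda r: r["ts"]):
        user = rec["user"]
        if rec["result"] == "FAIL":
            streak[user] += 1
            if streak[user] >= max_failures:
                locked.add(user)
        else:
            if user in locked:
                suspicious.add(user)
            streak[user] = 0
    return locked, suspicious


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("failed-auth spikes:", failed_auth_spikes(recs))
    print("lockout decisions:", lockout_decisions(recs))
```

On the constructed log, bob trips both rules: five failures within seconds, then a success after the lockout point. Carol's single failure followed by a success twenty minutes later is normal user behaviour and is not reported. The thresholds are placeholders; the right values depend on the size of the deployment and the baseline failure rate observed in the logs before the incident.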

In addition, RSA customers might consider requiring employees to be physically present on premises to validate their identity, in case the attackers have intercepted users’ passwords.

The moral of the story is that if you continue to follow security best practices, with regular security audits and training, you can mitigate even the worst types of attack.