Page 1 of 2
RSA’s decision to re-issue SecureID tokens following a wave of cyber attacks targeting the two-factor authentication solution is a necessary, if tardy gesture, but fails to fully re-establish trust in the effectiveness of the products, several partners said Wednesday.
In response to a recent spate of high-profile attacks targeting Lockheed Martin, Northrop Grumman and L3 Communications, Art Coviello executive chairman of RSA, the Security Division of EMC, announced Tuesday that RSA planned to replace SecureID tokens for specific customers focused on protecting intellectual property and corporate networks, and implement risk-based authentication strategies for consumer-oriented customers aimed at protecting financial transactions.
“We are expanding our security remediation program to reinforce customers’ trust in RSA SecurID tokens and in their overall security posture,” said Coviello, in the open letter to RSA customers Tuesday. “It is important for customers to understand that the attack on Lockheed Martin does not reflect a new threat or vulnerability in RSA SecurID technology. Indeed, the fact that the only confirmed use to date of the extracted RSA product information involved a major U.S. defense contractor only reinforces our view on the motive of this attacker.”
However, many RSA channel partners contend that the security company’s efforts came too little too late, following more than two months after the breach was first detected, and only after a high-profile company disclosed that they were the victim of a cyber attack.
An RSA spokesman late Wednesday afternoon said that the company would prepare a response to partners' concerns soon.
“They should have replaced those tokens earlier when they got hacked,” said one New Jersey-based solution provider who asked to speak off the record. “People are assuming the seed values are compromised. If that’s what happened, they should have replaced them earlier.”
Partners say that as expected, the SecureID hack and the public cyber attacks that followed on major defense contractors have been a source of alarm for customers, many of whom have requested alternatives to RSA’s two-factor authentication solutions altogether.
“We actually have customers asking to replace their RSA tokens,” said Andrew Plato, CEO of Beaverton, Ore.-based Anitian Enterprise Security. “This is a potentially big issue. And RSA needs to respond to this quickly. I think they should offer a trade-in for all affected tokens; provide new tokens or new encryption seeds that have not been compromised, if that is possible.”
RSA’s gesture to replace customers’ tokens follows days after defense contractor Lockheed Martin publicly confirmed last week that it had become the victim of a “significant and tenacious” cyber attack executed by hackers exploiting a security vulnerability in SecurID tokens, used for two-factor authentication for remote VPN access.
The giant weapons manufacturer first became aware of the problem in May, when IT administrators detected a network disruption that appeared to be an external intrusion. The company subsequently shut down its computer systems and embarked on the process of re-issuing SecureID tokens to many of its employees while requiring a password reset for the more than 120,000 workers at the company.
Since then, two other defense contractors, Northrop Grumman and L3 Communications -- reportedly experienced similar attacks by hackers targeting its SecureID tokens.
“The hackers are going after the highest level targets and of course the sensitivity of that is off the charts. Re-issuing tokens is probably the right move. It’s probably their only move,” said Jonathan Dambrot, CEO of Warren, N.J.-based Prevalent Networks.