RSA Hacked; SecurID Customers At Risk?

RSA customers could be at risk after the company's two-factor SecurID tokens fell victim to what it's calling sophisticated cyber-attack.

Art Coviello, executive chairman of Bedford, Mass.-based RSA, the security arm of EMC, told customers in an open letter this week that RSA had recently identified an attack in progress against RSA and its investigation revealed that an Advanced Persistent Threat (APT) was carried out against the company and information specifically related to RSA's SecurID two-factor authentication products was extracted.

Two-factor authentication is the process where users provide two independent identifying factors to obtain access to systems. In the case of SecurID, the two authentication factors would be a password and a physical token. RSA's SecurID products are used on PCs, USB drives and other devices for an extra layer of security that goes beyond user names and passwords to grant access to systems.

Coviello wrote that it does not appear that any customers were attacked, but that the data gathered could be used to weaken the defense provided by SecurID products.

"While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack," Coviello wrote in the letter detailing the attack on RSA's SecurID offering. "We are very actively communicating this situation to RSA customers and providing immediate steps for them to take to strengthen their SecurID implementations."

The attack comes roughly a month after RSA hosted its annual RSA Conference, which has become the de facto IT security conference in the nation.

Coviello wrote that there is no evidence that any customer security related or other RSA products have been victims of the attack. No EMC products were affected, Coviello added.

"It is important to note that we do not believe that either customer or employee personally identifiable information was compromised as a result of this incident."

Coviello said RSA will mount a full court press to ensure that it provides its SecurID customers tools, processes and support needed to bulk up their systems in the face of the attack. RSA's partners will play a key role.

"Our full support will include a range of RSA and EMC internal resources as well as close engagement with our partner ecosystems and our customers' relevant partners," Coviello wrote.

NEXT: RSA SecurID Attack > Customer Next Steps

In RSA's SecurCare Online Note detailing the attack, RSA recommended that SecurID users take the following steps:

• increase focus on security for social media applications and the use of those applications and Web sites by anyone with access to critical networks.
• enforce strong password and PIN policies.
• follow the rule of least privilege when assigning roles and responsibilities to security administrators.
• re-educate employees on the importance of avoiding suspicious e-mails, and remind them not to provide user names or other credentials to anyone without verifying that person's identity and authority. Employees should not comply with e-mail or phone-based requests for credentials and should report any such attempts, RSA added.
• pay special attention to security around active directories, making full use of SIEM products and also implementing two-factor authentication to control access to active directories.
• watch closely for changes in user privilege levels and access rights using security monitoring technologies such as SIEM, and consider adding more levels of manual approval for those changes.
• harden, closely monitor and limit remote and physical access to infrastructure that is hosting critical security software.
• examine their help desk practices for information leakage that could help an attacker perform a social engineering attack.
• update their security products and the operating systems hosting them with the latest patches.