June 07, 2011
RSA Pawned - Black Queen runs amok behind US lines of defence
What to learn from the RSA SecureID breach?
RSA has finally admitted publicly that the March breach into its systems has resulted in the compromise of their SecurID two-factor authentication tokens.
Which points to:
In a letter to customers Monday, the EMC Corp. unit openly acknowledged for the first time that intruders had breached its security systems at defense contractor Lockheed Martin Corp. using data stolen from RSA.
It's a targeted attack across multiple avenues. This is a big shift in the attack profile, and it is perhaps the first serious evidence of the concept of Advanced Persistent Threats (APTs).
What went wrong at the institutional level? Perhaps something like this:
- A low-threat environment in the 1990s
- led to the success of the low-threat SecurID token
- (based on a non-diversified model that traced back to a single company),
- which "peace in our time" translated into a lack of desire to evolve in the 2000s,
- and the industry grew to love "best practices with a vengeance" as everyone from finance to defence relied on the same approach,
- and on the domination of secure tokens by one brand-name supplier.
- Meanwhile, we watched the evolution of attack scenarios roll on through the phishing-and-breaches pincer movement of the early 2000s up to the APTs of today,
- while any thought and leadership in the security industry withered and died.
So, with a breach in the single point of failure, we are looking at an industry-wide replacement of all 40 million SecurID tokens.
Which presumably will be a fascinating exercise, and one from which we should be able to learn a lot. It isn't often that we see a SPOF event, and it's a chance to learn just what impact a single point of failure has:
The admission comes in the wake of cyber intrusions into the networks of three US military contractors: Lockheed Martin, L-3 Communications and Northrop Grumman - one of them confirmed by the company, others hinted at by internal warnings and an unusual domain name and password reset process
But one would also be somewhat irresponsible not to ask what happens next. Simply replacing the SecurID fobs and resetting the secret sauce at RSA does not seem to satisfy as *a solution*, although we can understand that a short-term hack might be needed.
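To make the "non-diversified model" point concrete, here is an added illustration (not from the post, and not RSA's proprietary SecurID algorithm, which is not public): a constructed HOTP-style token model in which the vendor's seed table is the only copy of each token secret, beside a diversified variant where the customer mixes in its own secret at enrolment. The `Vendor` class, `derive_seed` and the assumption that a token can accept a customer-supplied seed component are all hypothetical.

```python
"""Constructed model of a seed-based OTP token fleet. This is not RSA's
proprietary SecurID algorithm; it uses the HOTP truncation of RFC 4226
over a counter so that the seed-handling risk can be shown concretely."""
import hashlib
import hmac
import secrets
import struct


def otp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HOTP-style dynamic truncation of HMAC-SHA256(seed, counter)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha256).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(seed: bytes, counter: int, code: str) -> bool:
    """Customer-side check; the server holds the same seed as the token."""
    return hmac.compare_digest(otp(seed, counter), code)


class Vendor:
    """Token manufacturer (hypothetical). Its seed table is the single point
    of failure the post describes: whatever it stores is what a breach leaks."""

    def __init__(self) -> None:
        self.seed_db: dict[str, bytes] = {}

    def provision_centralised(self, serial: str) -> bytes:
        # Vendor generates and keeps the whole token secret (non-diversified).
        seed = secrets.token_bytes(20)
        self.seed_db[serial] = seed
        return seed  # programmed into the token, copied to the customer server

    def provision_diversified(self, serial: str) -> bytes:
        # Vendor keeps only its share; the effective seed is derived at
        # enrolment with a customer-held secret (assumes a token that accepts
        # a second seed component, e.g. a software token).
        share = secrets.token_bytes(20)
        self.seed_db[serial] = share
        return share


def derive_seed(share: bytes, customer_secret: bytes, serial: str) -> bytes:
    """Effective seed = HMAC(customer_secret, share || serial); rotating the
    customer secret re-seeds the fleet without replacing any hardware."""
    return hmac.new(customer_secret, share + serial.encode(), hashlib.sha256).digest()


def breach_defeats_factor(vendor: Vendor, serial: str, server_seed: bytes,
                          counter: int) -> bool:
    """Would a code derived from the leaked vendor table alone verify at the
    customer's server? True means the vendor breach nullified the token."""
    return verify(server_seed, counter, otp(vendor.seed_db[serial], counter))
```

Under the centralised model a leak of `seed_db` is equivalent to a leak of every customer's server seed, which is why the only remedy is to replace or re-seed the whole fleet; under the diversified model the same leak leaves the customer's second factor intact.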
Chief (Information) Security Officers everywhere will probably be thinking that we need a little more re-thinking of the old 1990s models. Good luck, guys! You'll probably need a few more breaches to wake up the CEOs, so you can get the backing you need to go beyond "best practices" and start doing the job seriously.
In contrast, the very next post discusses where we're at when we fail to meet "best practices!"
Posted by iang at June 7, 2011 11:45 AM
before RSA even bought security dynamics ... there were comments that secureid represented a "systemic risk" (aka various failure scenarios propagate throughout the infrastructure)
a decade ago there were lots of programs to deploy ("something you have") smartcards as part of two-factor authentication ... requiring smartcard "readers". In the financial industry there were give-aways of (obsolete) serial-port smartcard readers that ran into enormous problems & support costs ... eventually tanking the programs and prompting rapidly spreading rumor that smartcards weren't practical (it really wasn't a smartcard problem but a serial-port smartcard reader issue). this helped with an upswing in secureid since it only required existing PC display & keyboard.
part of the issue was that only 5-6 years earlier, there were a number of financial industry presentations about moving consumer dial-up online banking to the internet. a major justification was the significant support costs related to supporting serial-port dial-up modems for proprietary dialup banking (moving to the internet effectively transfers all that responsibility to the ISP).
one of the issues was that in the short 5-6 year period ... apparently all the financial industry institutional knowledge regarding serial-port problems & support costs (whether modems or smartcard readers) was lost; ... a major requirement for USB was to eliminate lots of the serial-port issues.
Except the goal isn't security as you well know, the goal is to pass audits and security theater. The assorted community will blame the vendor (i.e. nobody gets fired for buying Microsoft/Cisco/RSA), take the patch/fix, then move on with the same practice. Nothing changes except via generational attrition short of a game changer, and an RSA/token breach isn't it.
Acknowledging that information taken from a hack of its IT systems in March had been used to breach Lockheed Martin computers, security products maker RSA said Monday it would replace SecurID multifactor authentication tokens for customers who typically protect intellectual property and corporate networks.
In an open letter from RSA Executive Chairman Arthur Coviello Jr. to SecurID customers posted on its website, the security unit of storage vendor EMC also offered to implement risk-based authentication strategies for consumer-focused customers with a large, dispersed user base, typically focused on protecting web-based financial transactions. ....