What to learn from the RSA SecurID breach?
RSA has finally admitted publicly that the March breach into its systems has resulted in the compromise of their SecurID two-factor authentication tokens.
Which points to:
In a letter to customers Monday, the EMC Corp. unit openly acknowledged for the first time that intruders had breached its security systems at defense contractor Lockheed Martin Corp. using data stolen from RSA.
It's a targeted attack across multiple avenues. This is a big shift in the attack profile, and it is perhaps the first serious evidence of the concept of Advanced Persistent Threats (APTs).
What went wrong at the institutional level? Perhaps something like this:
So, with a breach in the single point of failure, we are looking at an industry-wide replacement of all 40 million SecurID tokens.
Which presumably will be a fascinating exercise, and one from which we should be able to learn a lot. It isn't often that we see a SPOF event, and it's a chance to learn just what impact a single point of failure has:
The admission comes in the wake of cyber intrusions into the networks of three US military contractors: Lockheed Martin, L-3 Communications and Northrop Grumman - one of them confirmed by the company, others hinted at by internal warnings and an unusual domain name and password reset process.
But one would also be somewhat irresponsible not to ask what happens next. Simply replacing the SecurID fobs and resetting the secret sauce at RSA does not seem to satisfy as *a solution*, although we can understand that a short-term hack might be needed.
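To make the single-point-of-failure argument concrete, here is an added toy model (not code from the original post, and not RSA's proprietary SecurID algorithm): it uses the open HOTP standard from RFC 4226 as a stand-in for any seed-based token. Every code a token ever emits is a deterministic function of one seed held in the vendor's seed database, so a device built from an exported seed record is indistinguishable from the real fob on the server side, and the only durable remedy is to re-seed, i.e. replace the token. The serial number, the `SeedStore` and `Token` classes and the use of the RFC 4226 test-vector seed are assumptions made for the example.

```python
"""
Toy model of a seed-based OTP system built on the open HOTP standard (RFC 4226).
RSA's SecurID algorithm is proprietary and is NOT what is implemented here; the
point is only that a token's whole output is a function of one shared seed.
"""
import hashlib
import hmac
import secrets
import struct
from typing import Dict, Optional


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class SeedStore:
    """Vendor-side seed database: serial -> (seed, next expected counter).
    This one table is the single point of failure discussed in the post."""

    def __init__(self) -> None:
        self._records: Dict[str, dict] = {}

    def provision(self, serial: str, seed: Optional[bytes] = None) -> bytes:
        seed = seed if seed is not None else secrets.token_bytes(20)
        self._records[serial] = {"seed": seed, "counter": 0}
        return seed

    def export(self) -> Dict[str, bytes]:
        """Everything someone who can read the database learns: every token's seed."""
        return {serial: rec["seed"] for serial, rec in self._records.items()}

    def verify(self, serial: str, code: str, window: int = 5) -> bool:
        """Server-side check with a small look-ahead window; the counter advances
        on success, so an already-used code is rejected if presented again."""
        rec = self._records[serial]
        for c in range(rec["counter"], rec["counter"] + window):
            if hmac.compare_digest(hotp(rec["seed"], c), code):
                rec["counter"] = c + 1
                return True
        return False

    def reissue(self, serial: str) -> bytes:
        """The remedy: a replacement token with a fresh, independent seed."""
        return self.provision(serial)


class Token:
    """The hardware fob: holds its copy of the seed and its own counter."""

    def __init__(self, seed: bytes) -> None:
        self.seed = seed
        self.counter = 0

    def next_code(self) -> str:
        code = hotp(self.seed, self.counter)
        self.counter += 1
        return code


def demo() -> dict:
    """Walk through normal use, the seed-store SPOF, and re-seeding as the fix."""
    store = SeedStore()
    # Constructed: the RFC 4226 test-vector seed, so the run is deterministic.
    seed = store.provision("fob-0001", seed=b"12345678901234567890")
    fob = Token(seed)

    code = fob.next_code()                        # counter 0 -> "755224"
    legit = store.verify("fob-0001", code)        # accepted; server counter -> 1
    replay = store.verify("fob-0001", code)       # same code again: rejected

    # SPOF: a second device built from the exported record emits the same
    # sequence as the real fob, and the server cannot tell the two apart.
    twin = Token(store.export()["fob-0001"])
    twin.counter = fob.counter
    twin_before = store.verify("fob-0001", twin.next_code())   # accepted

    # Remedy: re-seed. Codes derived from the old seed stop verifying
    # (up to the negligible 1-in-10^6-per-window chance of a collision),
    # while the replacement token works.
    new_seed = store.reissue("fob-0001")
    twin_after = store.verify("fob-0001", twin.next_code())    # rejected
    new_fob = Token(new_seed)
    new_ok = store.verify("fob-0001", new_fob.next_code())     # accepted

    return {
        "legit_accepted": legit,
        "replay_rejected": not replay,
        "twin_accepted_before_reissue": twin_before,
        "twin_rejected_after_reissue": not twin_after,
        "new_token_accepted": new_ok,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Note what the model does and does not say: the server's replay check and look-ahead window are irrelevant once the seed table is copied, because nothing in the protocol distinguishes the fob from a device holding the same seed. That is why the post's "replace all 40 million tokens" is not an overreaction but the minimum, and why the PIN half of the two-factor scheme (not modelled here) is the only thing left standing in between.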
Chief (Information) Security Officers everywhere will probably be thinking that we need a little more re-thinking of the old 1990s models. Good luck, guys! You'll probably need a few more breaches to wake up the CEOs, so you can get the backing you need to go beyond "best practices" and start doing the job seriously.
before RSA even bought security dynamics ... there were comments that secureid represented a "systemic risk" (aka various failure scenarios propagate throughout the infrastructure)
Posted by: Lynn Wheeler at June 7, 2011 11:57 AM
a decade ago there were lots of programs to deploy ("something you have") smartcards as part of two-factor authentication ... requiring smartcard "readers". In the financial industry there were give-aways of (obsolete) serial-port smartcard readers that ran into enormous problems & support costs ... eventually tanking the programs and prompting a rapidly spreading rumor that smartcards weren't practical (it really wasn't a smartcard problem but a serial-port smartcard reader issue). this helped with an upswing in secureid since it only required existing PC display & keyboard.
part of the issue was that only 5-6 years earlier, there were a number of financial industry presentations about moving consumer dial-up online banking to the internet. a major justification was the significant support costs related to supporting serial-port dial-up modems for proprietary dialup banking (moving to the internet effectively transfers all that responsibility to the ISP).
one of the issues was that in the short 5-6 year period ... apparently all the financial industry institutional knowledge regarding serial-port problems & support costs (whether modems or smartcard readers) was lost; ... a major requirement for USB was to eliminate lots of the serial-port issues.
Posted by: Lynn Wheeler at June 7, 2011 01:17 PM
Except the goal isn't security as you well know, the goal is to pass audits and security theater. The assorted community will blame the vendor (i.e. nobody gets fired for buying Microsoft/Cisco/RSA), take the patch/fix, then move on with the same practice. Nothing changes except via generational attrition short of a game changer, and an RSA/token breach isn't it.
Posted by: Peter at June 7, 2011 02:13 PM
Acknowledging that information taken from a hack of its IT systems in March had been used to breach Lockheed Martin computers, security products maker RSA said Monday it would replace SecurID multifactor authentication tokens for customers who typically protect intellectual property and corporate networks.
In an open letter from RSA Executive Chairman Arthur Coviello Jr. to SecurID customers posted on its website, the security unit of storage vendor EMC also offered to implement risk-based authentication strategies for consumer-focused customers with a large, dispersed user base, typically focused on protecting web-based financial transactions. ....
Posted by: Turning a breach into a selling opportunity.... at June 8, 2011 05:06 PM