RSA Clients Manage RisksCompany Provides Advice Following SecurID Attack
UAB Medicine is stepping up its vigilance in reviewing RSA Authentication Manager logs to look for warning signs, such as a high number of failed attempts to authenticate, says Terrell Herzig, UAB's information security officer (See: RSA Breach: A CISO's Action Items).
"We are increasing our monitoring quite a bit and stepping up our education of users," Herzig says.
The Birmingham, Ala.-based academic medical center has about 2,000 SecurID token users that utilize the authentication technology when they remotely access clinical information systems. In recent weeks, UAB has been making the transition from hardware-based to software-based tokens. So far, UAB has noticed no problems with its tokens in the wake of the attack against RSA, Herzig notes.
Meanwhile, Tenable Network Security, which uses SecurID tokens for staff members who work remotely, is using the hacking incident "as a teaching moment, as they say, to remind people of the importance of social engineering and to be ready to avoid that kind of thing," says Marcus Ranum, CSO. The impact of the breach on Tenable has been negligible, he says. "We may have to upgrade some software," he adds. (See: RSA Breach: Customer's Perspective).
And Gib Sorebo, chief cybersecurity technologist at the consulting firm SAIC, stresses, "No one should be ripping out their SecurID deployments" as a result of the attack.
Authentication Action StepsFor now, UAB is cutting back on implementing new tokens, focusing only on those that are "absolutely necessary for our clinical staff" while it waits to hear from RSA about remediation steps it will take to restore any security measures that have been compromised, Herig says.
Herzig advises SecurID clients to educate end-users about such issues as never revealing their token serial numbers, PINs or passwords. And they need to be taught "to avoid biting on social engineering gimmicks, such as clicking on a URL in an e-mail and being redirected to a site where you're asked for those credentials."
Similarly, SAIC's Sorebo stresses: "What is clear is that without the PIN that is usually user generated, an attacker won't have what he needs to be successful, so watching for any e-mails linking to sites that ask someone to reset their SecurID would be advisable. I would tell people that they should never enter their SecurID PIN on any website in response to an e-mail even if it appears to come from a trusted source."
Sorebo says organizations using SecurID "should also look for attempts to brute force the PIN and implement account lockouts after a certain number of retries. Some say three, but 10 is probably a better number given that some 'fat fingering' happens. However, unless a hacker can tie the seed information potentially located on the RSA server, it is highly unlikely that there will be a successful compromise of SecurID."
RSA is stressing that its customers need to make sure their Authentication Manager database is secure, Hezig notes. UAB already segments its infrastructure so that the authentication database runs on secure servers protected by multiple firewalls, he explains. Plus, UAB gives only a limited number of staff members access to authentication servers. "You want to keep those keys to the kingdom locked," he says.
Nature of RiskThe nature of the potential risk to users of the authentication technology, as a result of the attack against RSA's SecurID products, remains unclear, Herzig says. RSA characterized the attack as an advanced persistent threat.
In its "Frequently Asked Questions" background information sent to customers, RSA states: "To the best of our knowledge, whoever attacked RSA has certain information related to the RSA SecurID solution, but not enough to complete a successful attack without obtaining additional information that is only held by our customers. We have provided best practices so customers can strengthen the protection of the RSA SecurID information they hold. RSA SecurID technology is as effective as it was before against other attacks."
Herzig speculates about two possibilities for the nature of the attack against the SecureID products. The attack may have compromised some internal sensitive information about how RSA's algorithms or server technology worked. If that proves to be the case, "it could result downstream in either some extensive upgrades to SecurID or even an organization having to go through a redeployment of their SecurID product," he says.
Another possibility, according to Herzig, is that the attack "was a compromise of seed values or the generation of a certain code from the SecureID product, which could result in the recall of some tokens."
If a hacker could get a SecurID end-user to disclose their PIN code or other critical information, they could "assume their identity" and then access information, Herzig says. UAB, however, minimizes the risk involved in using tokens by taking two key steps, Herzig says. Users who remotely access systems have access to only a limited amount of information, he notes. Plus, "We do not build our remote authentication services into our automatic directory authentication services; we require the user to have a separate ID and password for those remote services."
'Decent Wakeup Call'While minimizing the risks to individual companies such as his own, Tenable's Ranum says the RSA SecurID breach is significant to the global information security industry.
"This is a decent wakeup call," he says. "People really need to take [RSA's] advice to heart whether they're RSA customers or not."
Beyond what he describes as a current "media circus," Ranum says the RSA incident ultimately could be a positive experience. "It's given RSA a chance to show they can handle this in a mature manner. It's given us the chance to have a little teaching moment about the importance of social engineering. It also shows that malware is not something that you can just blow off. These spear phishing attacks and these types of deep penetration are a serious problem."
Christopher Paidhrin, security compliance officer at Southwest Washington Medical Center in Vancouver, Wash., says the RSA attack "represents another order-of-magnitude threat in the cyber-security landscape. We thought we knew what 'sophisticated attacks' meant, but now we have a new, more expanded threat definition. I envision a growing need for 'unified security' in the same context of 'unified communications.' I can't imagine any sizable organization feeling safe without a SIEM (Security Information and Event Management) solution."
RSA's letter on protective action.
RSA's answers to frequently asked questions about the attack.
Editorial Director Tom Field contributed to this report.