Recent attacks at two U.S. defense contractors may have been detected before sensitive data was obtained, but security experts say a possible link between these attacks and stolen RSA SecurID technology should be a concern for enterprises using RSA’s two-factor authentication technology.
People within your organization need to understand that the company’s proprietary data is as valuable as a trunk full of gold.
Thomas Ianuzzi, president, Information Security Consultants Inc.
Executives at New York-based defense contractor L-3 Communications Corp. warned employees in April about an attack, according to a report Tuesday in Wired.com’s ThreatLevel blog. In an email obtained by Wired, an L-3 executive confirmed the company had been attacked using information compromised in the RSA attack, which RSA parent EMC Corp. revealed in March.
Meanwhile, Lockheed Martin, the Bethesda, Md.-based defense industry giant, is investigating a separate attack on its network. Details are scarce, but some reports have suggested hackers tried to use stolen SecurID product data to penetrate Lockheed Martin’s network remotely.
While details trickle out about both incidents, security experts say enterprises can take a lesson from these attacks and conduct a thorough data security assessment of their systems and processes to bolster authentication and access control.
Nils, a prominent white hat hacker and head of security research at U.K.-based MWR InfoSecurity, said RSA tokens can no longer be trusted. RSA has not confirmed whether its seed records were exposed during the breach, but some experts believe the vendor’s actions suggest the secret keys used to generate one-time passwords may have been exposed.
For that reason, Nils said firms using the technology should take action to bolster their primary authentication factor by requiring employees to pick stronger passwords and force them to change them more frequently.
“Shut down [all] access immediately to users who don’t immediately need access to systems,” Nils said. “Anything you can control prior to a breach should be done to limit the impact when a breach takes place.”
Nils said some firms should consider an additional layer of security around systems containing sensitive intellectual property. Most firms like L3 and Lockheed that work on highly sensitive government programs have several layers of security in place, so if, for instance, an attack penetrates the outer portion of the network, detection systems kick in and alert administrators to take action before sensitive systems or data can be accessed. U.S. defense contractors commonly repel repeated attempts by external attackers to penetrate their networks and have many systems and failovers in place to thwart attacks in progress, including shutting down network access entirely, which proved necessary in the attack against Lockheed.
To that end, Nils suggests that remote access to an organization’s most sensitive systems should be denied altogether or until further controls are put in place. Denying remote access to highly sensitive systems is a best practice, yet few enterprises are doing it, he said. Some firms using SecurID may want to consider a third-factor authentication measure and reassess who has access to the sensitive data with the goal to reduce system access to fewer employees.
“Unfortunately there are a lot of companies that don’t lock down data as much as they should or have a multilayered approach in place to delay an attacker,” Nils said.
For SecurID customers with highly sensitive information to protect, it’s possible to “rip and replace” SecurID with a viable alternative if the cash is available, Nils said, but that opens up a whole new set of issues, including putting trust in a new vendor and potentially interrupting existing IT services.
Thomas Ianuzzi, president of Jensen Beach, Fla.-based Information Security Consultants Inc., went further, saying replacing SecurID may not be prudent for most companies because even assuming the worst – SecurID customer token records were compromised in the attack against RSA – attackers would need to use sophisticated tactics to get the additional information they need to carry out an attack against a SecurID customer.
Ianuzzi, who conducts IT security planning and computer forensics for large and midsized businesses, said the majority of the firms he works with do not seek out his services until after a security breach takes place. In many of those cases, he said, attackers gained access because basic security processes have broken down.
“Enterprises generally do an awful lot of things right,” Ianuzzi said, “but they do not do an encyclopedic job and often fail to cover all the bases.”
While Ianuzzi agreed with Nils that additional layers of technology could help thwart an attack, regular, ongoing security training is also necessary to instill in employees the need for vigilance. Social engineering attacks and website drive-by attacks are all designed to gain access to passwords and when attackers have a valid password, they’re one step closer to getting the keys to the kingdom, he said.
“People within your organization need to understand that the company’s proprietary data is as valuable as a trunk full of gold,” Ianuzzi said.
There is too little information available from the recent defense contractor breaches to gauge the SecurID security risk, he said. For now, organizations should concentrate on the parts of the SecurID security issue they understand, he said. Bolster the primary factor and strengthen the security systems around servers containing sensitive data.
“I would never condemn a product or approach without information and right now we don’t have it,” Ianuzzi said of RSA SecurID. “At some point I think [RSA] will want to show the marketplace a few things and if it turns out the product is not at risk, they will trumpet that very loudly.”