RSA, The Security Division of EMC Corp. will replace SecurID tokens for some of its largest customers following several attacks against government contractors believed to involve weaknesses with the two-factor authentication mechanism.
In an open letter to RSA SecurID customers issued Monday, RSA President Art Coviello confirmed that the attack on Lockheed Martin used an element of SecurID. Coviello said RSA has already replaced tokens at government agencies and companies in the defense sector “as an additional precautionary measure.” Bethesda, Md.-based Lockheed thwarted the SecurID attack before cybercriminals could access its sensitive systems. The company told the New York Times that it was replacing 45,000 SecurID tokens.
Coviello said RSA would extend its replacement program, offering replacement SecurID tokens to customers with “concentrated user bases.” The company is also offering monitoring services to its financial industry customers, typically large banks and brokerage firms. RSA said those firms, which use SecurID for consumers, would receive “risk-based authentication strategies” to protect web-based financial transactions.
“We remain highly confident in the RSA SecurID product as the leading multi-factor authentication solution and we also feel strongly that the specific remediations we have provided to customers will help to deliver the highest levels of customer protection,” Coviello said. “However, we recognize that the increasing frequency and sophistication of cyber attacks generally, and the recent announcements by Lockheed Martin, may reduce some customers' overall risk tolerance.”
RSA has been notably quiet since it acknowledged a breach of its systems in March that exposed its SecurID authentication technology to cybercriminals. In an earlier interview with SearchSecurity.com, a source close to RSA confirmed that the company would replace security tokens for “high risk customers.” The company also retooled its SecurID manufacturing processes and supply chain management practices.
The recent contractor breaches show that the tokens associated with the stolen information should now be considered compromised, wrote Mark Diodati, an authentication expert and research vice president at Gartner Inc. In a June 2 blog entry, Diodati urged customers to demand new SecurID tokens. “The delivered tokens must be manufactured after implementation of RSA’s post-attack security procedures,” he wrote.
“The reputation of the RSA SecurID OTP technology may be badly tarnished due to this attack. However, the real damage is limited to the token information that was stolen. In other words, tokens created by RSA after the attack should not be vulnerable, assuming that RSA’s new precautions are effective,” Diodati wrote.
Security experts recommend that firms using SecurID reassess user access rights within their organization. Remote access to an organization’s most sensitive systems could be denied until further controls are put in place. A third authentication factor can also be required of employees who must access sensitive data, said Nils, a prominent white hat hacker and head of security research at U.K.-based MWR InfoSecurity.