RSA Breach Notification

Hackers have breached the security arm of EMC to steal information related to its RSA two-factor authentication products.  The company’s President Art Coviello revealed the sketchy details in an undated letter to customers Thursday.  “Recently, our security systems identified an extremely sophisticated cyberattack in progress being mounted against RSA.”  The vendor does not believe any personal customer or employee information was compromised in the attack.

The attack was categorized as an advanced persistent threat, typically a sophisticated and stealthy attack that is often leveraged in espionage to steal intellectual property.  Neither the letter nor a Securities and Exchange Commission filing identifies what data was stolen, but Coviello said the information obtained by the hackers may aid in circumventing RSA’s SecurID products, which include hardware authentication tokens, software authenticators, authentication agents and appliances.

Speculation indicates that attackers may have gained access to the so-called “seed values” that are used to generate the six-digit PIN that is changed by SecurID tokens every 60 seconds.  Millions of companies worldwide use SecurID to protect access to their sensitive assets, such as web servers, email clients and VPNs.  Other possibilities include the theft of source code that could provide attackers with a treasure map of vulnerabilities to exploit, or the theft of private cryptographic keys that might allow them to imitate RSA servers or register new employee tokens.

Coviello wrote, “We are very actively communicating this situation to RSA customers and providing immediate steps for them to take to strengthen their SecurID implementations.”  The company plans to “share our experiences from these attacks with our customers, partners and the rest of the security vendor ecosystem.”  Ironically, RSA has been researching the APT threat for more than a year in an attempt to develop new mitigating technologies.  In an interview last month with SC Magazine at the RSA Conference in San Francisco, RSA CTO Bret Hartman said organizations should accept that they cannot stop an APT attack and should instead focus on early detection, damage containment, and impact reduction.

RSA is strongly urging customers to:

  • Increase focus on security for social media applications and the use of those applications and websites by anyone with access to critical networks.
  • Enforce strong password and PIN policies.
  • Follow the rule of least privilege when assigning roles and responsibilities to security administrators.
  • Re-educate employees on the importance of avoiding suspicious emails, and remind them not to provide user names or other credentials to anyone without verifying that person’s identity and authority.
  • Instruct employees not to comply with email or phone-based requests for credentials and to report any such attempts.
  • Pay special attention to security around active directories, making full use of their SIEM products and also implementing two-factor authentication to control access to active directories.
  • Watch closely for changes in user privilege levels and access rights using security monitoring technologies such as SIEM, and consider adding more levels of manual approval for those changes.
  • Harden, closely monitor, and limit remote and physical access to infrastructure that is hosting critical security software.
  • Examine help desk practices for information leakage that could help an attacker perform a social engineering attack.
  • Update security products and the operating systems hosting them with the latest patches.