The news of a security breach at one of the world's most trusted security firms has raised concerns among companies across the globe. While RSA is not releasing details of the breach at this time, which it has categorized as an "advanced persistent threat", it has indicated that the target of the attack was information related to the SecurID two-factor authentication products.
With so few details disclosed, there is a great deal of ambiguity in the minds of security experts and of the estimated 40 million SecurID users in 30,000 organizations worldwide.
In RSA's open letter to customers, the company states: "While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack." While somewhat vague, this statement has led many to believe that the seed records of tokens were the target of the attack. A seed record holds the per-token secret from which each token's time-based tokencodes are derived, so whoever holds a token's seed (together with its serial number) can compute the same codes the physical token displays. At the time of writing, RSA has neither confirmed nor denied this theory. With the seed records, it is conceivable that an attacker could present themselves to an authentication agent as a legitimate token, using a tool such as Cain & Abel's RSA SecurID Token Calculator to generate the codes.
Because such tools exist, the second component of two-factor authentication, the user's personal PIN, becomes the only secret the attacker does not hold, and it should always be closely safeguarded. However, many organizations use a simple PIN policy of just 4 numeric characters, which leaves only 10,000 possible values and makes a strict lockout policy essential. The fear is that, through social engineering, usernames and these PINs may be revealed to an attacker, completing the two-factor authentication on their behalf. Although we may not want to admit it, we all know of users who would divulge this information in reply to a phishing email, perhaps one with the subject line "Urgent Action Required Regarding SecurID Breach".
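The two points above, that a stolen seed lets an attacker generate a token's codes and that the PIN plus a lockout policy is then all that stands in the way, can be shown with a small added example. This code is not from the article, from RSA, or from Cain & Abel; it uses the open TOTP algorithm (RFC 6238, HMAC-SHA1) rather than RSA's proprietary SecurID algorithm, because the security property is the same: the seed fully determines the code sequence. The seed value is the RFC 6238 reference test seed, and `AuthenticationAgent`, `attacker_with_seed` and the 4-digit PIN are hypothetical stand-ins for a real authentication server and attacker.

```python
import hashlib
import hmac
import struct

# Constructed seed: the RFC 6238 reference test value (ASCII "1234567890" twice),
# standing in for a token's seed record. TOTP is used here instead of RSA's
# proprietary SecurID algorithm; the property demonstrated (seed => codes) is the same.
TEST_SEED = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 8


def tokencode(seed, unix_time, step=STEP_SECONDS, digits=DIGITS):
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class AuthenticationAgent:
    """Hypothetical server side (not RSA Authentication Manager): the passcode
    is PIN + tokencode, checked with constant-time comparisons and a lockout."""

    def __init__(self, seed, pin, max_failures=3, window=1):
        self.seed = seed
        self.pin = pin
        self.max_failures = max_failures
        self.window = window          # accept +/- window time steps of clock drift
        self.failures = 0
        self.locked = False

    def verify(self, passcode, unix_time):
        if self.locked:
            return False
        pin, code = passcode[:len(self.pin)], passcode[len(self.pin):]
        pin_ok = hmac.compare_digest(pin, self.pin)
        code_ok = any(
            hmac.compare_digest(code, tokencode(self.seed, unix_time + d * STEP_SECONDS))
            for d in range(-self.window, self.window + 1)
        )
        if pin_ok and code_ok:
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True
        return False


def attacker_with_seed(agent, seed, unix_time, pin_guesses):
    """Attacker who stole the seed: the tokencode is free, only the PIN must be
    guessed. Returns (attempts made, success) and stops at lockout."""
    code = tokencode(seed, unix_time)
    attempts = 0
    for guess in pin_guesses:
        attempts += 1
        if agent.verify(guess + code, unix_time):
            return attempts, True
        if agent.locked:
            break
    return attempts, False


if __name__ == "__main__":
    agent = AuthenticationAgent(TEST_SEED, "1234", max_failures=3)
    print("token shows", tokencode(TEST_SEED, 59))
    print("attacker:", attacker_with_seed(agent, TEST_SEED, 59, ["0000", "0001", "0002", "1234"]))
    print("locked:", agent.locked)
```

Run as-is, the "attacker" produces a valid tokencode immediately but is locked out after three wrong PINs; with `max_failures` raised to 10 the fourth guess succeeds. That gap between a 10,000-value PIN space and the number of attempts a lockout policy allows is the whole margin a stolen seed leaves you, which is why the PIN length and lockout recommendations below matter more than usual.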
Whether this was the hackers' intent or something more malevolent, the incident has reinforced for every IT security team that the authentication process used to reach resources, whether a VPN connection, a critical web application or a file share, deserves a thorough review. The following guidelines are taken from RSA's customer communications. For many organizations they are best practices already in place; nevertheless, this is a good opportunity to verify that written policy is actually being followed. Although written for SecurID, the recommendations do not end with RSA SecurID implementations; all authentication servers should be reviewed with the same rigor.
RSA recommends that customers:
- Increase their focus on security for social media applications and the use of those applications and websites by anyone with access to their critical networks.
- Enforce strong password, PIN and lockout policies.
- Follow the rule of least privilege when assigning roles and responsibilities to security administrators.
- Re-educate employees on the importance of avoiding suspicious emails, and remind them not to provide user names or other credentials to anyone without verifying that person’s identity and authority. Employees should not comply with email or phone-based requests for credentials and should report any such attempts.
- Pay special attention to security around their active directories, making full use of their SIEM products and also implementing two-factor authentication to control access to active directories.
- Watch closely for changes in user privilege levels and access rights using security monitoring technologies such as SIEM, and consider adding more levels of manual approval for those changes.
- Harden, closely monitor, and limit remote and physical access to infrastructure that is hosting critical security software.
- Update their security products and the operating systems hosting them with the latest patches.
- Secure the Authentication Manager database and ensure strong policy and security regarding any exported data.
- Review recent Authentication Manager logs for unusually high rates of failed authentications and/or next token code events, both of which could indicate suspicious activity.
- Examine their help desk practices for information leakage that could help an attacker perform a social engineering attack.
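RSA's log-review recommendation above is the one most easily turned into something that runs. The following added example (not from the article or from RSA) scans authentication log lines for the three patterns worth flagging after a seed compromise: a burst of failed authentications for one user within a short window (an attacker holding the seed and guessing PINs), failures for many different users from one source address (the same attack spread across accounts), and next-tokencode events. The log lines are constructed for this example in a generic "timestamp EVENT user= src=" shape; they are not RSA Authentication Manager's actual log format, so `parse_line` is the part to adapt. Thresholds and the function names `find_suspicious` and `parse_line` are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log lines (not RSA Authentication Manager's real format).
# jsmith: five failures in 20 seconds, then a next-tokencode prompt;
# 203.0.113.7: failures against four different users;
# bwong: one failure followed by success, which should not alert.
SAMPLE_LOG = """\
2011-03-18T09:00:01Z AUTH_FAILED user=jsmith src=203.0.113.7
2011-03-18T09:00:04Z AUTH_FAILED user=jsmith src=203.0.113.7
2011-03-18T09:00:09Z AUTH_FAILED user=jsmith src=203.0.113.7
2011-03-18T09:00:15Z AUTH_FAILED user=jsmith src=203.0.113.7
2011-03-18T09:00:21Z AUTH_FAILED user=jsmith src=203.0.113.7
2011-03-18T09:00:30Z NEXT_TOKENCODE_REQUIRED user=jsmith src=203.0.113.7
2011-03-18T09:01:02Z AUTH_FAILED user=mlee src=203.0.113.7
2011-03-18T09:01:05Z AUTH_FAILED user=akumar src=203.0.113.7
2011-03-18T09:01:09Z AUTH_FAILED user=tchen src=203.0.113.7
2011-03-18T09:02:00Z AUTH_SUCCESS user=mlee src=192.0.2.44
2011-03-18T09:45:00Z AUTH_FAILED user=bwong src=192.0.2.44
2011-03-18T09:46:00Z AUTH_SUCCESS user=bwong src=192.0.2.44
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+user=(\S+)\s+src=(\S+)$")


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "event": m.group(2), "user": m.group(3), "src": m.group(4)}


def find_suspicious(log_text, window_seconds=300, failure_threshold=5, spray_threshold=3):
    """Return a sorted list of (alert_kind, subject) tuples.

    failure_burst: a user with >= failure_threshold failures inside a sliding
      window of window_seconds (PIN guessing against a cloned tokencode).
    multi_user_failures_from_source: one source address with failures against
      >= spray_threshold distinct users.
    next_tokencode: the server asked a user for the next tokencode.
    """
    alerts = set()
    recent_failures = defaultdict(deque)     # user -> failure timestamps in window
    failed_users_by_src = defaultdict(set)   # src  -> distinct users that failed
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue                         # unparseable line: skip, do not crash
        if rec["event"] == "NEXT_TOKENCODE_REQUIRED":
            alerts.add(("next_tokencode", rec["user"]))
        if rec["event"] != "AUTH_FAILED":
            continue
        q = recent_failures[rec["user"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()                      # drop failures that fell out of the window
        if len(q) >= failure_threshold:
            alerts.add(("failure_burst", rec["user"]))
        failed_users_by_src[rec["src"]].add(rec["user"])
        if len(failed_users_by_src[rec["src"]]) >= spray_threshold:
            alerts.add(("multi_user_failures_from_source", rec["src"]))
    return sorted(alerts)


if __name__ == "__main__":
    for kind, subject in find_suspicious(SAMPLE_LOG):
        print(f"{kind}: {subject}")
```

The per-user check is a true sliding window, so a slow trickle of failures spread over hours does not alert while a burst does; tune `window_seconds` and the thresholds to your own baseline of failed logins, and treat the next-tokencode events as the highest-value signal, since they are rare in normal operation.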
So, are your tokens safe? Until we hear otherwise, there is no reason to panic and stop using SecurID tokens for two-factor authentication. With careful infrastructure review and end-user training, usernames and PINs can remain secret even if token seeds have been exposed, and a seed alone does not complete an authentication. IT departments should remain vigilant, follow the recommendations from RSA above together with their own organization-specific security policies, and watch their authentication logs for the failure patterns RSA describes.
Chris Lembo is a Senior Consultant at Zensar