As an epidemic of computer hacking incidents targeting companies and government agencies has raised computer security concerns across the board, one particular attack on a computer security firm has upped the ante in the battle between hackers and companies who must protect the sensitive data of customers, partners, and employees.

In March, Art Coviello, executive chairman of RSA, the security division of storage provider EMC Corp., posted a letter online to RSA customers, acknowledging that RSA had discovered an attack by hackers. The company is not saying how close it is to identifying any suspects in the attacks.

The attack on RSA is alarming for two reasons: First, since RSA is itself a computer security firm with an elaborate defense mechanism, it shows the level of sophistication of hackers and the lengths they will go to break into corporate systems. The technology had been considered “close to impenetrable,” says Ted Theisen, a director in the secure information services practice with Kroll Ontrack. “The biggest takeaway is that there is no one infallible method of information security.” Second, since RSA provides data security systems and services to 40 million businesses, it's possible that data thieves obtained information that could help them in attacks against RSA customers. According to Coviello's letter, some of the information could be used to reduce the effectiveness of a current two-factor authentication implementation.

This was followed by another letter in May, in which Coviello said that characteristics of the attack indicated the perpetrator likely was targeting defense secrets and related intellectual property. He also said that the information taken from RSA had been used as part of a broader attack on Lockheed Martin. In order to allay customers' concerns, RSA was offering to replace the customers' tokens—physical devices similar to a key fob that provide a layer of authenticity and that generate personal identification numbers—and to implement risk-based authentication strategies. Some companies are now considering new security technologies, such as smart cards, that provide additional security features.

The recent incident at RSA, as well as those at Sony, Epsilon, and other companies, provides compliance officers a natural “opportunity to review their firms' complete information security posture,” says Theisen.

Additionally, it's critical to recognize that every company, no matter its size or industry, has sensitive information, says Scott Vernick, attorney with law firm Fox Rothschild in Philadelphia. Even the smallest firm may have employees' Social Security numbers, customers' or suppliers' bank account information, or intellectual property. As a result, “every business has to understand how it stores data and the entry points to get to the data,” Vernick says. Once this is determined, the next step is determining if the appropriate security measures are in place.

Two-Factor Security

RSA security is based on what's known as two-point security, Theisen says. That is, it relies both on something the user knows, such as a user identification code, and on a physical object that the user has, in this case a security token or fob. Before gaining access to an RSA-protected system, such as a corporate network, an individual must enter a user ID as well as the passcode shown on his or her token at that moment. With RSA, the fob applies an algorithm to what is known as a “seed file,” a list of numbers, to generate a new passcode, unique to that token, on a regular basis, generally every 30 or 60 seconds. The RSA software performs the same calculation for the same time window and compares the passcode entered by the user with its own result, to ensure that the two match.

At this point, it's not yet known how severe the RSA breach was, says Ed Schlesinger, head of the department of electrical and computer engineering at Carnegie Mellon University. While there's been plenty of speculation, RSA has not publicly announced whether the hackers obtained the “seed files,” a list of numbers that are combined with an algorithm to generate the sequence of PINs unique to each token.
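The token-and-server exchange described in the two paragraphs above, as an added example that is not RSA's code and not the article's: an HMAC-based time-step derivation in the style of RFC 4226/6238 stands in for SecurID's proprietary algorithm, and the seed bytes, the user ID, the 60-second step, the fixed clock value and the one-step clock-skew window are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # the article cites 30- or 60-second rotation; 60 assumed here

# Constructed values for the demonstration, not real SecurID material.
SEED = b"constructed-seed-for-token-0001"
NOW = 1_700_000_000  # a fixed Unix time so the example is reproducible


def passcode(seed: bytes, step: int, digits: int = 6) -> str:
    """Derive the passcode for one time step from the token's seed.

    Assumption: HMAC-SHA1 over the step counter, truncated as in RFC 4226/6238.
    SecurID's real algorithm is proprietary; this stands in for it. Both the
    fob and the server can run this function because both hold the seed, which
    is why the server-side seed file is the asset that must be protected."""
    mac = hmac.new(seed, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: pick 4 bytes from the MAC
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def token_display(seed: bytes, now: int) -> str:
    """What the fob shows at Unix time `now`: the code for the current step."""
    return passcode(seed, now // STEP_SECONDS)


class AuthServer:
    """Server side: holds the per-user seeds and checks submitted passcodes."""

    def __init__(self, seeds: dict, skew_steps: int = 1):
        self.seeds = seeds            # user ID -> seed (the server's copy of the seed file)
        self.skew_steps = skew_steps  # tolerate token/server clock drift of +/- N steps
        self.last_step = {}           # user ID -> highest step already accepted (replay guard)

    def verify(self, user_id: str, entered: str, now: int) -> bool:
        seed = self.seeds.get(user_id)
        if seed is None:
            return False  # unknown user ID: the "something you know" factor fails
        current = now // STEP_SECONDS
        for step in range(current - self.skew_steps, current + self.skew_steps + 1):
            if step <= self.last_step.get(user_id, -1):
                continue  # a code already used (or an older one) is never accepted twice
            if hmac.compare_digest(passcode(seed, step), entered):
                self.last_step[user_id] = step
                return True
        return False


if __name__ == "__main__":
    server = AuthServer({"alice": SEED})
    shown = token_display(SEED, NOW)
    print("token shows:", shown)
    print("first use accepted:", server.verify("alice", shown, NOW))
    print("replay accepted:", server.verify("alice", shown, NOW))
```

The server never stores or receives the passcode in advance; it recomputes it from the seed for the current step and a small window around it, and it records the highest step already consumed so that a captured code cannot be played back within the window.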

Given the limited information available, it's difficult to identify the specific steps any company should take to protect its information and ensure it's complying with applicable data protection regulations. However, several fundamental principles come into play.


First, companies can't simply ignore the breach, and trust that their systems are fine. “From a legal standpoint, you can't sit on your hands,” says Vernick. Once you're aware of a security intrusion that may involve the systems in your organization, you need to take steps to ensure that your data and systems are protected, he adds. That means doing more than simply waiting for new tokens.

Companies that worked with RSA will want to talk with the company to find out more. “What is the nature of the hack? Is there an obvious fix?” says Schlesinger. “You have to understand who's breaking in, what flaw they found, and how universal the issue is.”

These firms also will want to review their log-in records, to see who was trying to access their systems, Theisen says. For failed log-in attempts, they'll want to track the IP addresses of the computers used, along with the dates and time zones, to see who is trying to access the system. This also presents an opportunity to review and clean up the credentials of anyone who is able to log in remotely. Often, employees who've been gone from the company for several years, or who have no need to work remotely, have active log-in credentials.
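The log review Theisen describes, as an added example that is not part of the article: a short script that groups failed log-ins by source address with their UTC time span, normalising the time zones in the records, and lists remote-access accounts with no successful log-in inside an idle window. The log line format, the sample records, the list of remote-access users and the review date are all constructed for the demonstration and do not correspond to any real product's log.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample records (hypothetical format, not a real product's log):
# ISO-8601 timestamp with UTC offset, outcome, user ID and source address.
SAMPLE_LOG = """\
2011-06-01T08:02:11+00:00 LOGIN_FAILED user=jsmith src=203.0.113.45
2011-06-01T08:02:19+00:00 LOGIN_FAILED user=jsmith src=203.0.113.45
2011-06-01T08:02:40+00:00 LOGIN_FAILED user=mlee src=203.0.113.45
2011-06-01T04:05:00-04:00 LOGIN_OK user=mlee src=198.51.100.7
2011-06-02T09:10:00+00:00 LOGIN_FAILED user=admin src=198.51.100.20
2011-03-01T10:00:00+00:00 LOGIN_OK user=rjones src=198.51.100.9
"""

# Constructed list of accounts entitled to remote access, and the review date.
REMOTE_USERS = {"jsmith", "mlee", "rjones", "tformer"}
AS_OF = datetime(2011, 6, 3, tzinfo=timezone.utc)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN_OK|LOGIN_FAILED) user=(?P<user>\S+) src=(?P<ip>\S+)$"
)


def parse(log_text):
    """Yield one dict per well-formed line, with the timestamp converted to UTC
    so that events recorded in different time zones can be ordered together."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole review
        ts = datetime.fromisoformat(m["ts"]).astimezone(timezone.utc)
        yield {"ts": ts, "event": m["event"], "user": m["user"], "ip": m["ip"]}


def failed_attempts_by_source(records):
    """Group failed log-ins by source IP: how many, against which accounts,
    and over what UTC time span."""
    out = {}
    for r in records:
        if r["event"] != "LOGIN_FAILED":
            continue
        entry = out.setdefault(
            r["ip"], {"count": 0, "users": set(), "first_utc": r["ts"], "last_utc": r["ts"]}
        )
        entry["count"] += 1
        entry["users"].add(r["user"])
        entry["first_utc"] = min(entry["first_utc"], r["ts"])
        entry["last_utc"] = max(entry["last_utc"], r["ts"])
    for entry in out.values():
        entry["users"] = sorted(entry["users"])
    return out


def stale_remote_accounts(records, remote_users, as_of, max_idle_days=90):
    """Remote-access accounts with no successful log-in inside the idle window,
    including accounts that never logged in at all: candidates for removal."""
    last_ok = {}
    for r in records:
        if r["event"] == "LOGIN_OK":
            last_ok[r["user"]] = max(last_ok.get(r["user"], r["ts"]), r["ts"])
    cutoff = as_of - timedelta(days=max_idle_days)
    stale = []
    for user in sorted(remote_users):
        last = last_ok.get(user)
        if last is None or last < cutoff:
            stale.append(user)
    return stale


if __name__ == "__main__":
    recs = list(parse(SAMPLE_LOG))
    for ip, info in failed_attempts_by_source(recs).items():
        print(f"{ip}: {info['count']} failures against {info['users']} "
              f"between {info['first_utc']} and {info['last_utc']}")
    print("stale remote accounts:", stale_remote_accounts(recs, REMOTE_USERS, AS_OF, 60))
```

Converting every timestamp to UTC before comparing is what makes the "dates and time zones" part of the review meaningful; the -04:00 record in the sample sorts correctly among the +00:00 ones only after that conversion. Accounts that appear only in failed attempts, like jsmith here, still show up as stale because a failure is not evidence that the credential is in legitimate use.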

RSA REACHES OUT

The following excerpt is from RSA Executive Chairman Art Coviello's letter to RSA SecurID customers:

It is important for customers to understand that the attack on Lockheed Martin does not reflect a new threat or vulnerability in RSA SecurID technology. Indeed, the fact that the only confirmed use to date of the extracted RSA product information involved a major U.S. defense contractor only reinforces our view on the motive of this attacker.

We remain highly confident in the RSA SecurID product as the leading multi-factor authentication solution and we also feel strongly that the specific remediations we have provided to customers will help to deliver the highest levels of customer protection. However, we recognize that the increasing frequency and sophistication of cyber attacks generally, and the recent announcements by Lockheed Martin, may reduce some customers' overall risk tolerance.

As a result, we are expanding our security remediation program to reinforce customers' trust in RSA SecurID tokens and in their overall security posture. This program will continue to include the best practices we first detailed to customers in March, and will further expand two offers we feel will help assure our customers' confidence:

An offer to replace SecurID tokens for customers with concentrated user bases typically focused on protecting intellectual property and corporate networks.

An offer to implement risk-based authentication strategies for consumer-focused customers with a large, dispersed user base, typically focused on protecting Web-based financial transactions.

We will continue to work with all customers to assess their unique risk profiles and user populations and help them understand which options may be most effective and least disruptive to their business and their users.

RSA's technologies, including RSA SecurID authentication, help protect much of the world's most critical information and infrastructure. The threats to digital information continue to escalate. As the leader in authentication solutions, our goal is to ensure that this growing threat environment does not impede the tremendous potential and opportunity of a trusted digital world. We believe that SecurID is the most powerful multi-factor authentication solution in the industry.

We will continue to invest heavily in both our SecurID and our risk-based authentication technologies. We will provide additional factors for strong authentication. We will integrate these solutions with our cybercrime intelligence to better identify suspicious behavior targeted at networks, transactions and user sessions. We will ensure that these technologies provide trusted access to virtual and cloud computing resources, leveraging our Cloud Trust Authority. And we will help customers more effectively create the kinds of layered defense capabilities essential to combat today's advanced threats by drawing on our broad portfolio of data loss prevention, security event management, deep packet inspection technologies, and our extensive services expertise.

Source: Open Letter to RSA SecurID Customers.

This risk assessment process needs to include the participation of a range of C-level executives, says Bill Conner, president and chief executive officer with Entrust, a provider of security solutions. “The C-level has to be more engaged. It's not just compliance and risk. It's the CEO.”

Change Technology?

While the breach of RSA appears to have been serious, most experts discourage a sudden, wholesale move to another security method. “This is not a question of having bad software or hardware. Given the complexity of the way systems are structured, there are going to be weaknesses,” Vernick says. 

At the same time, the RSA incident appears to have generated greater interest in smart access card technology. As its name suggests, embedded within a smart card is a computer chip that stores and transacts data. Smart cards provide another method of authenticating to the network, because along with the card and password, the user also needs a device on his or her computer to scan the card, Theisen says. “But, it can be compromised in the same way that RSA has been, although I'm not sure if anyone has done that yet,” he adds. 

Smart cards also may offer tighter security because the authentication information is contained within the card and not in a central database, says Conner. That's because each card is independent, so there's no one place to compromise a group of cards.

However, not all enterprise applications currently work with smart cards, as the technology is just starting to become more prevalent, he adds. And, says Theisen, “It can be compromised in the same way that RSA has been.”

No matter what technology is used, layering security applications can provide extra protection, says Theisen. For instance, companies may want to combine full disk encryption and RSA when working with sensitive information. While this would require another round of user IDs and passwords before a user can log on, “if a hacker contacts an encrypted disk, he or she can't do much,” he adds. 

It also makes sense to review with employees the risk of criminals using social engineering to obtain the information they're after. For instance, a fraudster may call an employee claiming to be from the corporate help desk, and ask for an employee's log-in credentials in order to fix some problem. This is an opportunity to let your staff know what sorts of e-mails or calls should raise red flags. “You're only as strong as your weakest employee,” Schlesinger says. 

You'll also want to keep in mind that these steps will have to be repeated on a regular basis. “For now, there isn't a perfect security system that if you install, you're done,” Schlesinger says. “We can't say we have the magic bullet.”