Four steps to take if your business depends on RSA SecurID tokens

Businesses should reassess the risks to their assets from two-factor authentication hack

With the theft of sensitive data about RSA's SecurID technology, large businesses should reassess the risks to the assets the two-factor authentication deployment is supposed to protect, a risk management expert advises.

"You have to ask yourself if you are a big enough shop that you could be a target," says John Pironti, president of IP Architects, a security consulting firm. That's because attackers who might make use of the stolen information will look for victims that have the richest cache of data to loot, he says.


Whereas before the theft businesses might have had a high degree of confidence that SecurID was a strong authentication protection, now they should consider that it might be compromised, Pironti says.

RSA hasn't detailed what was stolen, but the fact that the company made a public announcement -- including a filing with the Security and Exchange Commission -- indicates that some fundamental piece of the technology has fallen into attackers' hands, he says, and businesses need to take specific steps:

1. Update their threat and vulnerability analysis to elevate SecurID as a potential vulnerability. Many businesses regarded the technology as solid and not representing a significant source of vulnerability, Pironti says.

2. Pore over logs looking for failed login attempts using false user names.

3. Monitor failed SecurID attempts, something that might not have been done because the technology was trusted. In general, security personnel should pay more attention to the activities of employees using SecurID.

4. Consider alternatives to go to if it turns out SecurID has in fact been compromised. In that case businesses should start looking for a third factor for authentication such as smartcards, biometrics or digital certificates and perhaps consider migrating away from SecurID, he says.

Worst case: Thieves stole the master key to RSA's pseudo-random number generator and can manufacture phony ones to break into corporate networks, Pironti says.

So far there's no evidence that has happened, but if it does, businesses need to have a fallback plan for what they will do, Pironti says. "The system would still require a user name and password, but now you have reduced confidence that this is the person who they say it is," he says.

Because of the capital and operational costs of deploying SecurID, it is almost always used to protect access to businesses' most valued assets and high-value transactions, Pironti says, so anything protected by it is a likely target.

He leans toward believing the thieves stole something fundamental to how SecurID works, not something that could be used against particular customers or particular environments. Otherwise RSA would have kept the incident low-key, contacting only those customers affected. The general announcement indicates that any SecurID customer faces a new risk, he says.

He says he hasn't heard about any increase in compromised networks that are protected by SecureID. "There haven't been spikes in public breach activity," he says.

Pironti has been telling his clients that stealing core security technology is a prime target of attackers because that can undermine the security of vast amounts of data and transactions. "It's a great business opportunity from a hacker's standpoint," he says.

Read more about wide area network in Network World's Wide Area Network section.

Join the CSO newsletter!

Error: Please check your email address.

Tags securitylegalETAIcybercrimersa

More about LANRSA

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Tim Greene

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place