Thursday, March 17
In a disclosure made by RSA today, they indicated that they have been breached by an "extremely sophisticated cyber attack" which has partially compromised the SecurID information which millions of clients use to provide strong authentication to services.
It is not yet clear what information was breached or what the impact will be to RSA customers, but for now I would suggest that people stay tuned to ensure that they take appropriate action based on what RSA and others release.
Update 1 - Found the recommendations made by RSA to customers regarding how to better protect their environments. I have added my comments on what these recommendations could mean to RSA.
• We recommend customers increase their focus on security for social media applications and the use of those applications and websites by anyone with access to their critical networks.
This could mean that part of the RSA breach was associated with a social media application attack vector - maybe employees reusing passwords across internal and cloud-based sites?
• We recommend customers enforce strong password and pin policies.
Could mean that the data that was compromised is related to the seed and token records kept by RSA, and with less reliance on this part of the SecurID solution, that customers must make the corresponding passwords and pins used in combination with the token more robust.
• We recommend customers follow the rule of least privilege when assigning roles and responsibilities to security administrators.
Could mean that the attack vector was related to additional privileges assigned to RSA security administration staff.
• We recommend customers re-educate employees on the importance of avoiding suspicious emails, and remind them not to provide user names or other credentials to anyone without verifying that person’s identity and authority. Employees should not comply with email or phone-based requests for credentials and should report any such attempts.
Could mean that social engineering was part of the attack vector, sounds very similar to the HBGary breach here.
• We recommend customers pay special attention to security around their active directories, making full use of their SIEM products and also implementing two-factor authentication to control access to active directories.
• We recommend customers watch closely for changes in user privilege levels and access rights using security monitoring technologies such as SIEM, and consider adding more levels of manual approval for those changes.
Could mean that users privileges were escalated as part of the attack, and that regular users were given privileges without any alerting of this fact.
• We recommend customers harden, closely monitor, and limit remote and physical access to infrastructure that is hosting critical security software.
Critical security software could mean the RSA intellectual information or customer information. Could also refer to the infrastructure.
• We recommend customers examine their help desk practices for information leakage that could help an attacker perform a social engineering attack.
Could mean that RSA staff were pre-texted, difficult to train out-sourced helpdesks.
• We recommend customers update their security products and the operating systems hosting them with the latest patches.
Could mean that the attack vector took advantage of previously known vulnerabilities with patches available but just not applied.
Hopefully we continue to hear more about the attack.