FishNet Security Provides Update on SecurID Breach

RSA has released more information regarding the breach that affected SecurID on Thursday, March 17, 2011.

On Tuesday, June 7, 2011, Art Coviello, RSA's executive chairman, released a letter to RSA customers. In the letter, RSA disclosed that information taken during the attack could potentially be used to target government agencies and government contractors, specifically defense secrets and related Intellectual Property (IP). RSA maintains that no PCI information was targeted. This incident does not preclude attacks to non-government related organizations; however, indications of such an attack due to this breach are less likely.

Also in the RSA letter, they addressed the June attack on Lockheed Martin, a major U.S. government defense contractor. According to RSA, the attack on Lockheed does not reflect a new threat or vulnerability in RSA SecurID technology. The Lockheed Martin attack, which had used elements taken from the RSA breach, was thwarted, according to Lockheed Martin.

RSA has expanded its security remediation program to reinforce customers' trust in RSA SecurID tokens and the company's overall security posture. As part of this, RSA is offering customers two expanded offers:

  • An offer to replace SecurID tokens for customers with concentrated user bases typically focused on protecting intellectual property and corporate networks.
  • An offer to implement risk-based authentication strategies for consumer-focused customers with a large, dispersed user base typically focused on protecting Web-based financial transactions.

The above options require customers to contact RSA and provide more information regarding their SecurID environment to determine token replacement options. As an RSA Reseller, FishNet Security can assist you in determining replacement options. Based on the remaining token life of existing tokens and requested shipping options, any costs will be provided to customers in the form of a quote.

Please contact your local FishNet Security Account Executive to further discuss these expanded offers from RSA. If you would like to pursue the expanded remediation offers from RSA, please contact the RSA remediation team at the numbers below.

RSA Call-in for Customers with Questions:

For customers in the U.S., please call
+1-800-782-4362; Option #5 [RSA]; Option #1 [RSA SecurID Remediation Program]

For customers in Canada, please call
+1-800-543-4782; Option #5 [RSA]; Option #1 [RSA SecurID Remediation Program]

For International customers, please call
+1-508-497-7901; Option #5 [RSA]; Option #1 [RSA SecurID Remediation Program]

Summary of FishNet Security Original Response

On Tuesday, March 22, FishNet Security published a response summary of the breach titled "RSA SecurID Breach Summary," which included a threat model that is confirmed in RSA's recent release. Customers should understand the information offered and take prudent, thoughtful action to mitigate the elevated risk.

Previously Released FishNet Security Recommendations:

Attack Vectors - What do I need to Monitor and Mitigate?
In a worst-case scenario, the attackers have weakened the SecurID infrastructure by narrowing down the universe of possible targets, identifying the customers to target and providing specific information about their target (serial number and form-factor). Breaking down all the angles in a detailed threat model is beyond the scope of this document and must be tailored to each specific customer scenario. However, FishNet Security presents a few considerations in this regard.

The attacker still needs the following information to authenticate to the victim's infrastructure:

  1. Username tied to token serial number
  2. The user's PIN
  3. Application/infrastructure to authenticate against

Therefore, an organization using RSA SecurID needs to be worried about attacks that target the above information. These attacks can be categorized as social engineering ("SE"), theft, surveillance, secondary compromise (e.g., use of a botnet already in place within the target company) and fraud (user takes active part in providing information).

The most likely attack scenarios include the following:

  • Prioritize targets based on whatever is most important to the attacker: visibility, reputation, money, etc.
  • Purchase required information gathered via crimeware or rent a botnet already resident in target customer to gather information
  • Profile a target for high-value individuals (like a list of executive leadership on a website)
  • Make assumptions about their username based on first/last name information
  • Attempt to social engineer either the individual or helpdesk to get targeted information
  • Use external information gathering techniques such as social networking
  • Target specific individuals for token theft, or simply stealing the token long enough to lift the serial number
  • Use brute force for any unknown information

Each end-user's environment is different, and consequently the attack vectors may vary based on that environment. It is important for each customer to perform a threat analysis based on his or her unique situation.

Monitoring and Mitigation - How do I watch for and mitigate the attacks?
The advantage here is that there are a number of items the attacker does not have in order to complete a successful attack, and that getting some of those items may be more difficult than penetrating a softer target in a different way.

First and foremost, be cognizant of your status as a target within the black hat community. Are you a high-value target? Is your company visibly on the wrong side (from a hacktivist viewpoint) of certain social issues? Would you be a "feather in the cap" of a hacker group? Everyone should be vigilant and careful, but certain organizations need to take more stringent precautions.

Second, make prudent assumptions and work backwards to logical monitoring and mitigation techniques. For example, assume your seed records are in the wild and your usernames are easily guessed, but the relationship between the two is not established. So, you need to be watching for and preventing attacks aimed at gaining that seed record-to-username relationship and the PIN.

Specific recommendations include:

  • Engage your trusted Information Security provider for help with strategy and tactics, operational support and general advice.
  • Implement measures on your helpdesk to prevent sharing of the token serial number (this should only be assigned by one person during the provisioning process and subsequently does not need to be known by anyone) and never ask for a person's token serial number.
  • Obfuscate the serial number on the back of the token, since you only need it to provision. An asset tag would work well for this. Remediation for deployed tokens is difficult, but could be done in the field by the user.
  • Protect your Authentication Manager backups and follow the best practice/hardening guides, including storing physical media in safes, etc.
  • Educate users on the dangers of social engineering attacks. This is an ongoing, coordinated effort, not a one-time email. More comprehensive end-user education is also within scope here.
  • Harden your helpdesk against social engineering using a combination of education and process updates.
  • Monitor your Authentication Manager logs for brute-force attacks and out-of-profile levels of authentication failures. If you start to see a larger than normal number of PIN Guessing Attacks, that could be an indicator that someone has gained that username-to-seed record relationship.
  • Look at your PIN standards (length, complexity, rotation) and update if found lacking.
  • Make sure you are using multiple methods of detection for malware in your environment. Endpoint antivirus is not enough and will not give you an accurate picture of the botnet activity within your infrastructure.
  • Above all, do not do anything rash. Think through each action and act deliberately. An operationally sound environment is a critical piece of good information security.
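As an added example (not part of the FishNet Security or RSA material), the following Python sketch implements the log-monitoring recommendation above over constructed sample lines, flagging usernames that accumulate an out-of-profile run of passcode failures inside a short window. The log line format, field names, window and threshold are all assumptions; RSA Authentication Manager's real log layout differs by version, so the regex would be adapted to your export.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical, simplified format (not RSA's
# real Authentication Manager log format). jsmith shows a PIN-guessing burst;
# adoe shows ordinary, widely spaced user error.
SAMPLE_LOG = """\
2011-06-08T09:00:01 AUTH_FAILED user=jsmith reason=PASSCODE_INCORRECT src=10.0.0.5
2011-06-08T09:00:04 AUTH_FAILED user=jsmith reason=PASSCODE_INCORRECT src=10.0.0.5
2011-06-08T09:00:09 AUTH_FAILED user=jsmith reason=PASSCODE_INCORRECT src=10.0.0.5
2011-06-08T09:00:15 AUTH_FAILED user=jsmith reason=PASSCODE_INCORRECT src=10.0.0.5
2011-06-08T09:00:22 AUTH_FAILED user=jsmith reason=PASSCODE_INCORRECT src=10.0.0.5
2011-06-08T09:05:00 AUTH_FAILED user=adoe reason=PASSCODE_INCORRECT src=192.168.1.20
2011-06-08T09:05:40 AUTH_SUCCESS user=adoe src=192.168.1.20
2011-06-08T11:30:00 AUTH_FAILED user=adoe reason=PASSCODE_INCORRECT src=192.168.1.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>AUTH_FAILED|AUTH_SUCCESS) user=(?P<user>\S+)"
    r"(?: reason=(?P<reason>\S+))? src=(?P<src>\S+)$"
)

def parse_log(text):
    """Yield (timestamp, user, src) for each failed authentication; skip other lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("event") == "AUTH_FAILED":
            yield datetime.fromisoformat(m.group("ts")), m.group("user"), m.group("src")

def failure_spikes(failures, window=timedelta(minutes=10), threshold=5):
    """Return {user: peak failures within any `window`} for users reaching `threshold`.

    A dense run of passcode failures against one username is the indicator the
    advisory describes: someone holding the seed record may be guessing the PIN.
    """
    by_user = defaultdict(list)
    for ts, user, _src in failures:
        by_user[user].append(ts)
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        start, peak = 0, 0
        for end, ts in enumerate(times):       # sliding window over sorted timestamps
            while ts - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[user] = peak
    return flagged

if __name__ == "__main__":
    print(failure_spikes(parse_log(SAMPLE_LOG)))   # {'jsmith': 5}
```

Tune the window and threshold to the failure baseline your own logs show; the point is the per-user burst relative to that baseline, not the absolute numbers used here.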

Customers should continue to follow the recommended mitigation steps and take advantage of programs being offered by RSA. As your trusted information security advisor, FishNet Security can put resources at your disposal to help you make the right decisions and complete any necessary mitigation steps. Do not hesitate to reach out to FishNet Security for assistance in this matter.