The RSA Security Breach - 12 Months Down the Technology Turnpike

It's been 12 months since the security world woke to the horror that RSA Security's systems had been compromised and tens of millions of SecurID hardware tokens would have to be re-issued to clients.
|

It's been 12 months since the security world woke to the horror that RSA Security's systems had been compromised and tens of millions of SecurID hardware tokens would have to be re-issued to clients.

The sophisticated multi-pronged attack that struck RSA Security has resulted in the high profile IT security vendor overhauling the manufacturing and distribution of its SecurID tokens.

The attack compromised RSA Security's network of about 40 million tokens and involved the use of stolen SecurID information to launch an attack on a key RSA Security customer, Lockheed Martin, the US defence contractor in the early spring of last year.

While RSA officials have sought to minimise the fallout from the security faux pas - pointing to the fact that it has staged a free re-issue of SecurID tokens to its many users- critics point out that it took the security vendor a week before it started talking to the press and, by implication, its customers about the problem.

It then took RSA until June to reveal the technology that had been compromised by the attack, after which is started the lengthy process of re-issuing tokens to its clients.

That process - though ostensibly free - has actually cost clients using the hardware tokens many millions of dollars, pounds and euros in the staff costs of handling the re-issue, as well as significant other costs. As any CFO will confirm, whilst there are direct and indirect costs in any business activity, both categories involve the expenditure of money.

Art Coviello, the firm's executive chairman, may be relieved that a sizeable majority of RSA's customers have stayed with the company, but the reputational damage may come back to haunt him - and his successors - as many clients are locked into the technology because of already-committed costs.

But as updates are required, many clients will quietly look elsewhere, looking to the many alternatives that are available.

Last October, RSA president Tom Heiser revealed that the March 2011 attack on his firm's systems was a two-pronged attack, rather than a single incursion, and involved a mid-hack switch of attack vectors that his IT teams were aware of whilst they were happening.

"The remote attack was adapted to meet RSA's internal naming convention", he told his audience at RSA Europe in October 2011.

Despite Heiser's platitudes to his audience, it should be remembered that he was - in the main - speaking to clients who have been supportive of the firm's products and services - as well as a minority whose companies are locked into RSA's technology and must therefore learn to live with the attack.

It is interesting to note that security researcher Brian Krebs reported last October that the RSA hackers might have hit more than 760 firms.

"Security experts have said that RSA wasn't the only corporation victimized in the attack, and that dozens of other multinational companies were infiltrated using many of the same tools and Internet infrastructure. "

A year on, and a number of smaller security solution vendors are seeing RSA customers shopping around for alternative solutions rather than depend on the physical token. As an industry we have seen a huge spike in demand from RSA customers looking for a change, with many now turning to tokenless™ two-factor authentication which uses a mobile phone as the authentication medium.

A fundamental flaw with RSA's approach still means that critical customer security keys (seed records) remain with the manufacturers leaving the possibility of this happening again. A far better approach is taken by tokenless vendors that securely create these keys as required within your own company's security server.

As we approach the 12 months anniversary of the RSA Security hack, organisations that have been affected by having to re-deploy their `free' reissued hardware tokens would do well to reflect on the fact that - had they been using tokenless 2FA technology - the costs and timescales involved with issuing new tokens would have been significantly less.