Managing the risk of the RSA SecurID cyber attack
EMC Corporation recently announced that its IT infrastructure had been hacked following "an extremely sophisticated cyber attack", and that sensitive information relating to RSA SecurID tokens had been compromised. RSA SecurID tokens are a common component of two-factor authentication used by many organisations to increase security when logging into computer systems. Rumours suggest the seed record – used to generate the codes for user authentication – has been compromised.
In theory, a compromise at seed level could allow an attacker who has intercepted two valid codes in a row to predict the next viable SecurID code and all subsequent ones for that token. In practice, however, the attacker would need to know which token was being used in order to match it to the seed record by serial number, and would also need the user's PIN. Moreover, SecurID is typically used as the second factor in authentication, so any hacker would also need to compromise the first (typically a username and password). Finally, although the compromise creates a significant potential security weakness, the crack is not yet available on the open market, and for now we might assume that this information remains privileged. The protection offered by SecurID still remains better than operating without it.
Organisations should take quick action to secure the continued use of RSA SecurID tokens
Although details of the attack are still emerging, PA's view, at the time of writing and based on information provided by EMC, is that the compromise does not currently warrant withdrawal of SecurID or equivalent tokens as the stolen information has not been spread publicly.
There are a number of key actions organisations can take to help reduce the immediate risk and to support the continued use of such tokens:
- Alert users to be vigilant about any activity which might be an attempt to gain further information, such as a PIN or token serial number. Such attempts are very likely to take the form of social engineering attacks, for example requests to 'revalidate their SecurID tokens'.
- Ask users to report anything unusual relating to log-ins, including a sudden inability to log in or "last log-in" times which do not correspond to legitimate user activity, so that these can be investigated further.
- Monitor critical authentication events using reports generated by RSA Authentication Manager.
- Use a protective monitoring capability (where available) to look for anomalies in the use of tokens (for example, odd log-in times, the location a log-in originates from, first actions after log-in, etc.).
- Conduct a risk analysis to assess what measures they should be putting in place for their own specific circumstances.
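As an added illustration of the monitoring actions above (example code, not from the original article or from RSA), the following Python script runs three simple anomaly checks over constructed authentication records: a successful log-in outside assumed business hours, a success from a source address not in an assumed per-user baseline, and a success immediately after repeated failures. The record layout, token serial numbers, addresses and baselines are all constructed assumptions and do not reproduce the actual RSA Authentication Manager report format.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records: timestamp, user, token serial, source address, outcome.
# Serials and addresses are made up for illustration only.
SAMPLE_LOG = """\
2011-03-20T09:02:11 alice 000123456789 10.0.1.15 SUCCESS
2011-03-20T09:40:52 bob   000123456790 10.0.1.22 SUCCESS
2011-03-21T03:17:05 alice 000123456789 203.0.113.9 FAIL
2011-03-21T03:17:41 alice 000123456789 203.0.113.9 FAIL
2011-03-21T03:18:20 alice 000123456789 203.0.113.9 SUCCESS
2011-03-21T10:05:00 bob   000123456790 10.0.1.22 SUCCESS
"""

BUSINESS_HOURS = range(7, 20)  # assumed working hours, 07:00 to 19:59
# Assumed baseline of source addresses each user normally logs in from.
KNOWN_SOURCES = {"alice": {"10.0.1.15"}, "bob": {"10.0.1.22"}}


def parse(log_text):
    """Turn the whitespace-separated records into dicts with a parsed timestamp."""
    events = []
    for line in log_text.splitlines():
        ts, user, serial, src, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "serial": serial, "src": src, "ok": result == "SUCCESS"})
    return events


def find_anomalies(events, known_sources=KNOWN_SOURCES):
    """Return (user, reason) pairs that merit investigation."""
    alerts = []
    recent_fails = defaultdict(int)  # consecutive failures per user
    for e in events:
        user = e["user"]
        if e["ok"] and e["ts"].hour not in BUSINESS_HOURS:
            alerts.append((user, f"off-hours success at {e['ts'].isoformat()}"))
        if e["ok"] and e["src"] not in known_sources.get(user, set()):
            alerts.append((user, f"success from unseen source {e['src']}"))
        if e["ok"] and recent_fails[user] >= 2:
            alerts.append((user, f"success after {recent_fails[user]} failures"))
        recent_fails[user] = 0 if e["ok"] else recent_fails[user] + 1
    return alerts


if __name__ == "__main__":
    for user, reason in find_anomalies(parse(SAMPLE_LOG)):
        print(f"{user}: {reason}")
```

In the constructed sample, only alice's 03:18 success is flagged, on all three checks; a real deployment would draw its baselines from the organisation's own log-in history rather than a hard-coded table.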
Depending on individual circumstances, organisations may wish to take additional protective actions. They should also stay in touch with EMC for detailed advice and support.