The RSA Security breach – 12 months down the technology turnpike; by Andy Kemshall – CTO SecurEnvoy. It’s been 12 months since the security world woke to the horror that RSA Security’s systems had been compromised and – as the company has reluctantly confirmed – its many tens of millions of SecurID hardware tokens would have to be re-issued to clients. Andy Kemshall, CTO of SecurEnvoy, reviews the IT security fiasco and what could have been done.
The sophisticated multi-pronged attack that struck RSA Security last March has resulted in the high profile IT security vendor overhauling the manufacturing and distribution of its SecurID tokens.
For readers who may have overlooked the saga, the attack compromised RSA Security’s network of about 40 million tokens and involved the use of stolen SecurID information to launch an attack on a key RSA Security customer, Lockheed Martin, the US defence contractor in the early spring of last year.
Whilst RSA officials have sought to minimise the fallout from the security faux pas – pointing to the fact that it has staged a free re-issue of SecurID tokens to all its many customers – critics point out that it took the security vendor a week before it started talking to the press, and by implication, its customers about the problem.
It then took RSA until June to reveal the technology that had been compromised by the attack, after which is started the lengthy process of re-issuing tokens to its clients.
That process – though ostensibly free – has actually cost clients using the hardware tokens many millions of dollars, pounds and euros in the staff costs of handling the re-issue, as well as significant other on-costs. As any CFO will confirm, whilst there are direct and indirect costs in any business activity, both categories involve the expenditure of money.
So there we have it – 40 million affected, a late apology and the hidden costs of a fiasco that almost certainly will have cost RSA Security a sizeable number of its customers, some of whom have defected to rival suppliers, and some of whom have made the leap to tokenless and other advanced forms of authentication.
And this revenue loss is before we even begin to talk about the fact that RSA Security has had to spend time and resources explaining what actually happened to its corporate clients – as well as developing new software to harden the company against further attacks and a reported seven-fold increase in the production of its tokens to cater for the replacement programme. Art Coviello, the firm’s executive chairman, has gone on record as saying that his firm obviously went through a hell of a year last year – “we learned from it, and we came out stronger,” he said at the start of this year.
Coviello may be relieved this a sizeable majority of RSA’s customers have stayed with the company, but the reputational damage may come back to haunt him – and his successors – as many clients are locked into the Secured technology because of already-committed technology costs.
But as new security technologies are required, many clients will quietly look elsewhere, looking to the many technology alternatives that are available.
Last October saw RSA president Tom Heiser revealing that the March 2011 attack on his firm’s systems was a two-pronged attack, rather than a single incursion, and involved a mid-hack switch of attack vectors that his IT teams were aware of whilst they were happening.
“These people were persistent. The remote attack was adapted to meet RSA’s internal naming convention”, he told his audience at the RSA Europe in October 2011.
Despite Heiser’s platitudes to his audience, it should be remembered that he was – in the main – speaking before clients who have been supportive of the firm’s products and services – as well as a minority of clients whose companies are locked into RSA’s technology and must therefore learn to live with the odd highly expensive data breach fiasco. It is interesting to note that security researcher Brian Krebs reported last October that the RSA hackers might have hit more than 760 firms.
“Security experts have said that RSA wasn’t the only corporation victimized in the attack, and that dozens of other multinational companies were infiltrated using many of the same tools and Internet infrastructure. But so far, no one has been willing to talk publicly about which other companies may have been hit,” said the former Washington Post IT security journalist.
Krebs went on to say that almost 20 per cent of the top Fortune 100 companies in the US have seen their IT systems compromised, with clients like AT&T and BT standing out from his report.
A year on, and a number of smaller security solution vendors are seeing RSA customers shopping around for alternative solutions rather than depend on the physical token. Here at SecurEnvoy we have seen a huge spike in demand from RSA customers looking for a change, with many now turning to tokenless™ two-factor authentication which uses a mobile phone as the authentication medium.
For many organisations they are already moving over to cloud-based IT platforms – so moving away from traditional 2FA makes sense for them as users remotely access their corporate server environment. Encryption of the data flowing into and out of the cloud is relatively painless and can typically be carried out at low cost, with tokenless 2FA via a mobile phone offering a complimentary and highly portable authentication system, this makes it a far more convenient option than dedicated physical tokens.
With tokenless 2FA security, when the user wishes to access their corporate data or cloud-based remotely, they simply enter their secret PIN/passphrase into the token application running on the smartphone, which then generates a one time passcode that the user enters into the password field on the computer.
By demonstrating that they have these two ‘factors’ – a secret PIN/passphrase and their smartphone – the user is securely identified.
Unlike their physical counterparts, software tokens can also assist in decreasing the total cost of ownership of the security, as they do not require any physical shipping – a crucial cost factor if the hardware token is compromised, and the vendor has to re-issue the token.
And the advantages are not confined to those organisations that have discovered the administrative costs associated with the `free’ re-issue of RSA Security’s SecurID tokens, as tokenless 2FA technology from some vendors does not have the same security vulnerability. Or the supplying vendor suffers a serious security break.
A fundamental flaw with RSA’s approach still means that critical customer security keys (seed records) remain with the manufacture leaving the possibility of this happening again. A far better approach is taken by tokenless vendors such as SecurEnvoy that securely create these keys as required within your own company’s security server. This approach means you are in control of your own security and don’t need to rely on the defences of a third party manufacture.
As we approach the 12 months anniversary of the RSA Security hack, organisations that have been affected by having to re-deploy their `free’ reissued hardware tokens would do well to reflect on the fact that – had they been using tokenless 2FA technology – the costs and timescales involved with issuing new tokens would have been significantly less.
