RSA announced they have had a breach of their corporate systems and have stated some information regarding SecurID was stolen. There does not seem to be a direct threat as of this posting, but this is an ongoing investigation and RSA is recommending caution. What should you do?
Two things to keep in mind:
- Don’t be an alarmist and don’t panic
- DO focus on what you can do right now
There are many articles right now pontificating on what the breach means, how it was done, what could happen, is this the end of SecurID, are my FOBs safe, etc. Ultimately this doesn’t provide objective information or help you figure out what you need to do or can do right now.
If you’re asking yourself “what should I do?” here are some recommendations for customers and service providers that use SecurID. We may not know what happened yet, but we can look for symptoms of issues and use best-practices.
- Watch your network, especially your SecurID servers, for unusual or different traffic patterns
- Create reports in your SecurID servers to watch for
- failed authentication attempts
- FOB lockouts
- authentication during unusual or off-hours
- Consider changing PIN numbers for FOBs. It may may also be helpful to increase the strength of PIN numbers and passwords
- Protect usernames and Personally Identifiable Information (PII)
- Don’t ship FOBs to customer and employees in a active state.
- Worst-case, consider moving to a different multi-factor authentication solution. Yubico’s Yubikey might be a cost-effective and simple place to start.
- Review with with users
- what to do when they lose a FOB
- risks of phishing and social networking sites
- stronger security now offered with other sites such as Google’s two-factor authentication and HTTPS for Facebook and Twitter
- Review with you NOC and Help Desk
- how to appropriately respond to issues and alerts
- how to escalate security incidents
- Consider adding HIDS like OSSec to your environment
- If you’re a customer of a service provider that uses SecurID to manage your systems
- ask them what they are doing in response to the issue
- follow up and review concerns
- If you’re a service provider, work with your RSA Account Manager, communicate proactively with your customers, and focus on what you can do right now. Securosis has some recommendations as well that you can ask your RSA Account Manager:
- While we don’t need all the details, we do need to know something about the attacker to evaluate our risk. Can you (RSA) reveal more details?
- How is SecurID affected and will you be making mitigations public?
- Are all customers affected or only certain product versions and/or configurations?
- What is the potential vector of attack?
- Will you, after any investigation is complete, release details so the rest of us can learn from your victimization?
This is an effective reminder that in security there are no guarantees and nothing is 100% safe. It’s important to view security as juggling probabilities and be prepared for when the worst happens.