Well there’s plenty of RSA in the news at the moment and this is – unashamedly – one more. But with a little twist. Whilst only time will tell us the details of the breach, we take a look below at not only authentication but some of the wider issues the RSA breach highlights.
What is this beast?
Our guess – SecurID client information has been compromised, possibly along with information about token serial numbers, seed records, and details of which client is associated with each token.
Why do we suspect this?
The overall recommendations, whilst relatively general best-practice suggestions, focus on both social engineering and least privilege. That, combined with the statement, “… we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers”, and with RSA not expecting a significant financial impact, points us toward this guess. That is, the breach exposes a “weakness”, but an attacker will need some level of privilege to exploit it.
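To make the “weakness, not a direct break” point concrete, here is an added illustration that is not part of the original newsletter and is not RSA's algorithm (SecurID's token algorithm and seed format are proprietary and are not reproduced). It models a generic time-based token with RFC 6238 TOTP using the RFC's reference secret, and a constructed seed record, serial-to-user assignment and PIN. Whoever holds the leaked seed and assignment records can reproduce the token code for a named user; the authentication server still expects the PIN in front of it, which the seed record does not give away.

```python
import hmac
import hashlib
import struct
import time

# Stand-in time-based token: RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits).
# SecurID's own algorithm and seed format are proprietary and not reproduced here.
STEP_SECONDS = 30
DIGITS = 6

# Constructed "seed record" as a vendor might hold it: token serial -> secret seed.
# The seed is the RFC 6238 reference secret so results match the RFC test vectors.
SEED_RECORDS = {"000123456789": b"12345678901234567890"}
# Constructed assignment record: which user carries which token serial.
ASSIGNMENTS = {"000123456789": "alice"}
# Constructed PINs, known only to the authentication server and the user.
PINS = {"000123456789": "4711"}


def totp(seed: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Token code for the given time: HMAC over the time counter, RFC 4226 truncation."""
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def token_display(serial: str, unix_time: int) -> str:
    """What the legitimate user's token shows at this moment."""
    return totp(SEED_RECORDS[serial], unix_time)


def attacker_forecast(leaked_seeds: dict, leaked_assignments: dict, username: str, unix_time: int):
    """Holding leaked seed and assignment records, predict a named user's current code."""
    for serial, user in leaked_assignments.items():
        if user == username:
            return totp(leaked_seeds[serial], unix_time)
    return None


def server_verify(serial: str, passcode: str, unix_time: int) -> bool:
    """Server check: the passcode is the PIN followed by the token code.

    With the seed alone the attacker supplies a correct token code but no PIN,
    so the comparison fails; the PIN is the factor the leaked records do not carry.
    """
    expected = PINS[serial] + token_display(serial, unix_time)
    return hmac.compare_digest(passcode, expected)


if __name__ == "__main__":
    now = int(time.time())
    code = attacker_forecast(SEED_RECORDS, ASSIGNMENTS, "alice", now)
    print("attacker predicts alice's token code:", code)
    print("seed alone accepted?", server_verify("000123456789", code, now))
    print("seed plus PIN accepted?", server_verify("000123456789", PINS["000123456789"] + code, now))
```

The seed record turns the possession factor into a knowledge factor the attacker also has; what remains between them and a login is the PIN and a target to present it to, which is why the remaining advice centres on social engineering and privilege rather than on the tokens themselves.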
What three BIG questions does it raise?
With the (justifiable) focus on the authentication system itself, perhaps the biggest question that underlies all of this is, “how can we protect the organisation’s intellectual property”? That is, improving the visibility into and security of critical structured and unstructured data.
This is the data that enables organisations to generate revenue and/or provide an effective, reliable service (in particular for NFP, government etc). The subset of this is ‘how can we protect our clients’ intellectual property’, and if this data is compromised are there implications for our clients, and their trust in our organisation? RSA is not alone in being breached – think WikiLeaks. Nor will they be the last.
The second big question that is simmering beneath the surface is that of user privilege. Consider the following which are recommendations from RSA’s SEC breach notification:
• “We recommend customers follow the rule of least privilege when assigning roles and responsibilities to security administrators”, and
• “We recommend customers watch closely for changes in user privilege levels and access rights”
So the question we take from this is, “how can we best enforce and monitor the privileges of administrators and other users within the organisation”?
Like most things, there are several elements to achieving this, but we’d suggest that a SIEM tool and an effective way of managing and securing user privilege are a solid foundation. (And a biased 'plug' here - take a look at the BeyondTrust range if you're interested in the latter).
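As an added example of the monitoring half, not from the newsletter or from any SIEM product: a small Python rule that reads Windows Security log events for group-membership changes (event IDs 4728, 4732 and 4756 for additions to security-enabled global, local and universal groups; 4729, 4733 and 4757 for the matching removals) and raises an alert whenever a privileged group is touched. The key=value log format, the privileged-group watchlist and the approved-administrator list are constructed for the example; a real deployment would take the last two from the directory and its change-control records.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Windows Security log event IDs for membership changes to security-enabled groups.
GROUP_ADD_EVENTS = {4728: "global", 4732: "local", 4756: "universal"}
GROUP_REMOVE_EVENTS = {4729: "global", 4733: "local", 4757: "universal"}

# Assumed watchlist and change-control data for the example; a real SIEM rule
# would pull both from the directory and the change-management system.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
APPROVED_ADMINS = {"CORP\\admin.hlee"}

# Constructed key=value rendering of the events (not the native Windows format).
SAMPLE_LOG = r"""
2011-03-18T02:14:07Z EventID=4732 Subject=CORP\svc_backup Member=CORP\tmp_user Group=BUILTIN\Administrators
2011-03-18T02:15:30Z EventID=4733 Subject=CORP\svc_backup Member=CORP\tmp_user Group=BUILTIN\Administrators
2011-03-18T09:02:11Z EventID=4728 Subject=CORP\admin.hlee Member=CORP\jdoe Group=CORP\Domain Admins
2011-03-18T10:00:00Z EventID=4728 Subject=CORP\admin.hlee Member=CORP\mwhite Group=CORP\Marketing
2011-03-18T10:05:00Z EventID=4624 Subject=CORP\mwhite LogonType=3
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+EventID=(?P<eid>\d+)\s+Subject=(?P<subject>\S+)\s+"
    r"Member=(?P<member>\S+)\s+Group=(?P<group>.+)$"
)


@dataclass
class Alert:
    severity: str
    timestamp: str
    actor: str
    member: str
    group: str
    action: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one membership-change line; other events (logons etc.) return None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["eid"] = int(event["eid"])
    return event


def evaluate(lines) -> List[Alert]:
    """Alert on every add/remove against a privileged group.

    Additions by an account outside the approved-administrator list are high
    severity; approved additions are medium so they can be matched to a change
    ticket; removals are low, since a quick add-then-remove is a classic
    way of borrowing privilege and tidying up afterwards.
    """
    alerts: List[Alert] = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        eid = event["eid"]
        if eid in GROUP_ADD_EVENTS:
            action = "added"
        elif eid in GROUP_REMOVE_EVENTS:
            action = "removed"
        else:
            continue
        group_name = event["group"].split("\\")[-1]  # strip DOMAIN\ or BUILTIN\ prefix
        if group_name not in PRIVILEGED_GROUPS:
            continue
        if action == "added":
            severity = "medium" if event["subject"] in APPROVED_ADMINS else "high"
        else:
            severity = "low"
        alerts.append(Alert(severity, event["ts"], event["subject"], event["member"], group_name, action))
    return alerts


def summarize(alerts: List[Alert]) -> dict:
    """Count alerts per severity, the figure a SIEM dashboard would chart."""
    return dict(Counter(a.severity for a in alerts))


if __name__ == "__main__":
    found = evaluate(SAMPLE_LOG.splitlines())
    for a in found:
        print(f"[{a.severity}] {a.timestamp} {a.actor} {a.action} {a.member} in {a.group}")
    print(summarize(found))
```

Running it over the constructed log flags the service account adding and then removing a temporary user from the local Administrators group at two in the morning as high and low respectively, flags the approved administrator's addition to Domain Admins as medium for ticket matching, and ignores the Marketing group change and the logon event. The same shape of rule, fed by whatever privilege-management tooling you run, is what turns RSA's “watch closely for changes in user privilege levels” from advice into an alert.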
The third big question is around authentication. Specifically “what is the most suitable and cost-effective method to deploy strong user authentication where it’s needed”? At the very least the SecurID breach should prompt organisations to re-examine this question. Token-based authentication has been around in an almost identical format for around 20 years now. For many organisations we speak to it is easier to just leave what’s already there than to review this basic question.
A key consideration here is the ‘where it’s needed’ part. For example at a hospital it may be to identify clinicians at shared PCs and to authorise the dispensing of drugs, whilst for a financial institution it may be more appropriate for administrative access to internal systems and remote access for selected users.
Suitability is also reliant on a range of factors that will differ in importance depending on the organisation. Some of these include:
• Time, effort and logistics involved in authenticator deployment
• Failure and replacement rates for lost, stolen, broken and expired authenticators
• Whether token records or encryption keys are trusted to and stored by the vendor
• User acceptance of the authentication method and authenticator
• Ongoing costs / return on investment of the authentication system
You will likely also have your own suitability criteria as well. But only by having worked through this process can we then understand what actually is most suitable and cost-effective. And whether or not you're using SecurID, now is a perfect time to do exactly that.
That's all from us for now. As always your feedback is welcome and appreciated!
The CoreSight Team
(this article was originally sent via the CoreSight News email - if you'd like to subscribe simply complete this form)