RSA Security, the Security Division of EMC, are addressing the issues caused by the recent data breach to their systems, which may impact the SecurID solution. In the interim, here is our advice.
There has been much scaremongering in the press and opportunistic comment from various sources, particularly from vendors with competing technologies. Many of these do not understand fully the issues involved.
Whilst the data breach is far from trivial, it should not be taken out of context. For an unbiased view from independent analyst Gartner, see here.
A potential attacker would need many pieces of information to make use of any compromised data. The vast majority of these could not have been compromised, since they are held only by individual users and by the customer's own SecurID system, and should never be disclosed to any third party. On balance, therefore, the likelihood of any real-world attack using compromised information is remote.
In the meantime, BlueFort recommends certain steps that should be taken immediately to reduce any impact. These are all part of standard best practice for any authentication or security system, but recent events have reinforced the need to carry them out regularly.
Users
It is important to know which users have access to particular platforms and applications and to understand what their authentication process is. Access to systems should be limited to users with a genuine need to have it.
Administrative access to key system components and management platforms should also be restricted to the minimum number of people that need access. All administrative actions to systems, servers and components should be routinely logged and audited.
Processes and procedures should be validated to ensure that they are in accordance with good industry practice.
Users should be reminded never to give out their PIN, password or any identifying information such as their username or token serial number. Users should be educated to treat this information with the same level of confidentiality as they would any of their personal credit card or banking information.
Armed with this knowledge, organisations can prioritise any remedial action needed, particularly around user accounts, disabling old or dormant accounts, and policies around PINs.
System Configuration
We recommend that organisations carry out a review to ensure that their system is configured optimally and that any weaknesses are addressed. Security options are often not reviewed and tightened as the usage of systems evolves over time. Best practices also change over time as experience is gained and as new versions of software, features and functions are deployed. These should be regularly reviewed, as with any security product.
Defence in Depth
It is widely accepted that SecurID, as with any other two-factor product, is only one part of an overall authentication and access control solution. Most systems have additional verification mechanisms in place, such as Active Directory credentials, and these should also be reviewed to ensure they are in line with best practice. Logging and auditing facilities should be part of any security system so that potential issues can quickly be identified and remediated.
Further Information
We urge all affected SecurID customers to sign up to the SecurCare alerts from RSA to get up-to-date information. In addition, RSA's current recommended Best Practice documents and advice can be found on the SecurCare website.
For assistance and advice in assessing systems for compliance with best practice, please contact us.
