As most of you who read this blog will know by now RSA suffered a significant security breach on their network back in March. Since then there have been a number of other security breaches, most notably against Lockheed Martin, which have implicated the RSA security breach in some way. However, despite a lot of speculation in the media, on Twitter and on various blogs, we still do not know what exactly was compromised in the security breach against RSA.

Some have speculated that the seeds for the RSA SecurID tokens have been compromised meaning that attackers could copy the tokens of legitimate users, others speculate the breach exposed key intellectual property for the company, while others have put forward that the attackers may have gained access to undocumented vulnerabilities in RSA’s products. Compounding the speculation has been the recent announcement by RSA that they will “replace SecurID tokens for customers with concentrated user bases typically focused on protecting intellectual property and corporate networks”.

RSA has given more details of the attack to some of its clients under strict Non-Disclosure Agreements. However, while those customers are in a better position to make an informed risk analysis of their use of the tokens it leaves the rest of us in a much weaker situation.  I came across this post on the Light Point Security blog which highlights recommendations given by the US National Security Agency (NSA) which has a lot of good recommendations in them;

• The first advisory, Information Assurance Alert No. IAR-001-2011: Mitigations for the RSA Cyber Intrusion, was released after the initial breach.
• The second advisory, Information Assurance Advisory No. IAA-003-2011: Recommended Actions for SecurID Users in Response to RSA Cyber Intrusion, was released subsequent to the replacement anouncement by RSA.

I have also been made aware that the Defence Signals Directorate, the agency responsible for setting security policies for the Australian government, has recommended Australian government agencies to take RSA up on their offer and to replace their tokens. Other organisations in Australia such as Westpac, ANZ Bank and the Australian Taxation Office had already replaced their tokens before the Defence Signals Directorate made the announcement.

So where does that leave you?

We should remember that this is not the first security issue or compromise that has happened at a security company and it won’t be the last. This attack highlights that your incident response plan should include covering external incidents impacting on your providers, whether they provide security products or not.  It also highlights that when designing your information security management system you should identify the risks not only to your information but also the tools that you use to protect that information.

In a piece I wrote for Help-Net Security called “Can RSA Repair the Broken Trust?” I highlight a number of steps that you should consider taking to enhance the security around your use of SecurID tokens.

Take a look at those recommendations, read the documents from the NSA, contact your EMC/RSA representative to discuss the breach and then make a risk assessment as to whether you continue to employ the RSA tokens or to replace them.