Reading the letter I see no admission from RSA that its tokens were compromised. Instead, we have an offer to increase certain customers' confidence in the RSA infrastructure in which they have already invested.
Some are seeing this as an admission from RSA that its database linking tokens to users has been breached. However, RSA still has not confirmed what was breached or what information was accessed, therefore we are still in the realm of speculation.
This could also be a marketing ploy to rebuild customer confidence regarding the product. Careful reading of the letter shows that RSA is only offering to "replace SecurID tokens for customers with concentrated user bases typically focused on protecting intellectual property and corporate networks", which does not necessarily mean replacing every single token issued.
To me this lack of clarity and information about what was compromised is the worst part of the RSA breach. Without knowing exactly what was compromised and what impact it has on those using RSA products, it is difficult for customers to know how to ensure their systems are safe.
It should be noted that this incident is also a prime example of why companies should take a layered, defence-in-depth approach to securing their networks and information assets. Relying on one technology or solution alone will cause your security to fail should that technology or solution itself become compromised, and let us not forget that RSA is not the first security company to have security issues or concerns with its products.
Anyone using RSA tokens should take this as an opportunity to:
1. Conduct a comprehensive risk assessment relating to their remote access infrastructure.
2. Review their remote access policy and ensure that only authorized personnel have the appropriate access.
3. Ensure that users are educated and aware of the RSA compromise and are alert for suspicious emails or social engineering attempts to obtain the PIN for their token; a token code on its own is of no use to an attacker without the PIN that goes with it.
4. Ensure appropriate logging is turned on to detect suspicious behaviour from remote users, such as repeated failed login attempts, particularly a run of failures followed by a success.
5. Ensure remote users have access only to the systems they need when working remotely.
6. Implement additional authentication mechanisms on sensitive systems, or indeed remove remote access to them entirely, until RSA shares some useful information about what was compromised.
7. Ensure that remote users' systems are secured with up-to-date anti-virus software and signatures and are patched with the latest software updates.
8. Restrict remote access to known and verified remote locations, e.g. users' home networks or remote offices, and/or restrict access to certain times of the day.
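Points 4 and 8 above (logging for repeated attempts, and restricting access by source location and time of day) can be checked mechanically against authentication logs. The script below is an added example written for this page, not code from the original post or from RSA: it runs over a few constructed log lines in a hypothetical VPN/RADIUS-style format and flags four things a reviewer of remote-access logs would want to see: a burst of failed logins for one user, a successful login shortly after such a burst, a success from a source network that is not on the allow list, and a success outside approved hours. The log format, the allowed network, the approved hours and the thresholds are all assumptions for the example and would be set to match your own concentrator or RADIUS server.

```python
"""Added example: flag suspicious remote-access authentication events.

The log format, networks, hours and thresholds are assumptions for the
example, not those of any real product.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical "ts user= src= result=" format.
SAMPLE_LOG = """\
2011-06-07T08:02:11 user=alice src=203.0.113.10 result=OK
2011-06-07T08:05:40 user=bob src=198.51.100.23 result=FAIL
2011-06-07T08:05:52 user=bob src=198.51.100.23 result=FAIL
2011-06-07T08:06:03 user=bob src=198.51.100.23 result=FAIL
2011-06-07T08:06:15 user=bob src=198.51.100.23 result=FAIL
2011-06-07T08:06:30 user=bob src=198.51.100.23 result=FAIL
2011-06-07T08:07:01 user=bob src=198.51.100.23 result=OK
2011-06-07T23:30:00 user=carol src=203.0.113.77 result=OK
2011-06-07T09:15:00 user=dave src=192.0.2.5 result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

# Assumed policy: 5 failures inside 5 minutes is a burst; only the
# 203.0.113.0/24 range (a hypothetical home/office network) is approved;
# remote logins are expected between 07:00 and 19:59 local time.
FAIL_THRESHOLD = 5
FAIL_WINDOW = timedelta(minutes=5)
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
ALLOWED_HOURS = range(7, 20)


def parse_events(text):
    """Parse log lines into dicts, skipping malformed lines, sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unexpected format: ignore rather than crash the review
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "user": m["user"],
            "src": ipaddress.ip_address(m["src"]),
            "result": m["result"],
        })
    events.sort(key=lambda e: e["ts"])  # logs are not always written in order
    return events


def source_allowed(addr):
    """True if the source address lies within an approved network."""
    return any(addr in net for net in ALLOWED_NETWORKS)


def detect(events):
    """Return a list of alert dicts (ts, user, kind, detail) for the events."""
    alerts = []
    recent_fails = defaultdict(deque)  # per-user failure timestamps in window
    burst_at = {}                      # per-user time of the last burst alert

    def alert(e, kind, detail):
        alerts.append({"ts": e["ts"], "user": e["user"], "kind": kind, "detail": detail})

    for e in events:
        user, ts = e["user"], e["ts"]
        if e["result"] == "FAIL":
            q = recent_fails[user]
            q.append(ts)
            while q and ts - q[0] > FAIL_WINDOW:   # drop failures outside the window
                q.popleft()
            if len(q) >= FAIL_THRESHOLD:
                alert(e, "repeated_failures", f"{len(q)} failures within {FAIL_WINDOW}")
                burst_at[user] = ts
                q.clear()                           # alert once per burst, not per line
            continue

        # A successful login: check it against the burst, location and time policies.
        if user in burst_at and ts - burst_at[user] <= FAIL_WINDOW:
            alert(e, "success_after_failures", f"burst at {burst_at[user].time()}")
        if not source_allowed(e["src"]):
            alert(e, "unknown_source", str(e["src"]))
        if ts.hour not in ALLOWED_HOURS:
            alert(e, "outside_hours", ts.strftime("%H:%M"))
    return alerts


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_LOG)):
        print(f"{a['ts']} {a['user']:<6} {a['kind']:<24} {a['detail']}")
```

On the sample data this reports bob's five failures, his success a minute later from an address outside the approved range, dave's success from an unknown network, and carol's login at 23:30; alice's login raises nothing. A success that follows a run of failures is the pattern most worth a phone call to the user, because a guessed or phished PIN combined with a token code is exactly what a compromised two-factor deployment would look like in the logs.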
Until RSA is more forthcoming with facts as to what was compromised, when it was compromised and the impact that can have on its customers, we will be subjected to ongoing speculation as to the exact impact of the breach, which will result in a continuing erosion of confidence in its products. And a replacement token does not make up for broken trust.
Author: Brian Honan, founder and head of Ireland's CERT and owner of BH Consulting.