Advisory Note: "RSA SecurID – how to act after the hack?" - 70344

Report Details

As reported extensively in the media, hackers in March of this year successfully attacked the data center of EMC Corp’s RSA security division, obtaining copies of security information for RSA’s SecurID key fob system, a token-based mechanism for creating OTPs (one-time passwords) in a two-factor authentication approach used extensively by companies and government agencies around the world.

Now, two large military contractors, Lockheed Martin and L-3 Communications, have reported that they have been victims of security breaches based on data obviously stolen from RSA. A third military contractor, Northrop Grumman, another RSA customer, abruptly closed down remote access to its network and instituted a “domain name and password reset across the entire organization”, according to a press statement.

This considerably ups the ante for RSA and its customers, many of whom are rightfully demanding more information and guidance on how they can protect themselves from what is obviously a highly sophisticated group of attackers. Many, including a number of KuppingerCole clients, have been asking: can we continue to use SecurID, or do we need an alternative?

While RSA understandably refuses to discuss details of the attack – after all, hackers read press releases, too – there can be no doubt that the attackers leveraged a known conceptual weakness of RSA SecurID, namely the central storage of the so-called ‘seeds’ in RSA’s own backend. However, bashing RSA won’t help. For customers, the real question is: what can I do to protect my systems and the sensitive information stored there?

Throwing out SecurID and starting anew is not an option for most user organizations. Short term, a number of organizational measures, such as adding an additional authentication factor like the domain password (where feasible), can reduce the risk of attack without calling for a costly replacement of the SecurID tokens in use today. Mid-term, however, customers need to review their authentication strategies with an eye towards moving up to a truly versatile authentication approach. The ultimate goal, KuppingerCole believes, is to be able to move back and forth between different authentication mechanisms freely and flexibly, without the need to modify the applications themselves.
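An added illustration of the two points made above, written for this page and not taken from the advisory note or from RSA: an OTP derived only from a centrally stored seed is reproducible by anyone who holds that seed, a second independent secret (the domain password) closes that gap, and an authentication policy object lets the application stack or swap mechanisms without changing its own code. Since the note does not describe SecurID's algorithm, RFC 6238 TOTP stands in for it; the user, seed, salt and password are constructed demo values.

```python
import hashlib, hmac, struct

# Stand-in for the token algorithm: RFC 6238 TOTP (HMAC-SHA1, 6 digits, 30 s steps). SecurID's own
# algorithm is not described in the note; what matters is the same: the OTP is a function of seed + clock.
def totp(seed: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

class OtpAuthenticator:
    """Token-only check: whoever holds a copy of the seed passes it."""
    def __init__(self, seeds):
        self.seeds = seeds  # user -> seed, the per-token secret a central backend keeps
    def authenticate(self, user, creds, now):
        seed = self.seeds.get(user)
        # tolerate one 30 s step of clock drift in either direction
        return seed is not None and any(
            hmac.compare_digest(totp(seed, now + d), creds.get("otp", "")) for d in (-30, 0, 30))

class PasswordAuthenticator:
    """Independent second secret (e.g. the domain password), stored salted and hashed."""
    def __init__(self, records):
        self.records = records  # user -> (salt, PBKDF2-SHA256 digest)
    def authenticate(self, user, creds, now):
        salt, digest = self.records.get(user, (b"", b""))
        got = hashlib.pbkdf2_hmac("sha256", creds.get("password", "").encode(), salt, 50_000)
        return user in self.records and hmac.compare_digest(got, digest)

class AllOf:
    """Policy combinator: every mechanism must succeed. The application calls only
    policy.authenticate(), so stacking or swapping mechanisms never touches application code."""
    def __init__(self, *mechs):
        self.mechs = mechs
    def authenticate(self, user, creds, now):
        return all(m.authenticate(user, creds, now) for m in self.mechs)

def demo(now=1_300_000_000):
    # constructed demo data, not real secrets
    seed, salt, password = b"constructed-demo-seed-32-bytes!!", b"constructed-salt", "correct horse"
    otp_only = OtpAuthenticator({"alice": seed})
    pw = PasswordAuthenticator({"alice": (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000))})
    layered = AllOf(otp_only, pw)
    code = totp(seed, now)  # anyone holding the seed can compute the current code
    return (otp_only.authenticate("alice", {"otp": code}, now),                       # True
            layered.authenticate("alice", {"otp": code}, now),                        # False: password missing
            layered.authenticate("alice", {"otp": code, "password": password}, now))  # True
```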


Date: Jun 10, 2011
