RSA Security’s security problems, as evidenced by recent intrusions into defense contractor networks, are causing more than a few organizations to not only re-evaluate their commitment to SecurID authentication, but also to re-evaluate the role of authentication in their security programs. I have already heard of large companies that have embarked on a multi-year program to transition from premium-priced SecurID to cheaper alternatives.
RSA desperately needs to disclose more information about the nature of the breach, and what actions RSA customers should be taking to protect themselves. In the absence of information, security organizations should assume the worst – that their business is next in line for a breach – and should be prepared to detect and act upon an intrusion.
If you are a SecurID customer there are a few things that you may consider to help keep your business secure:
Add the device as part of the “something you have” authentication factor. Users would need SecurID from an approved device to gain access to applications and the network. This can be done either directly with PKI keys on the chip (e.g. Wave Systems using the TPM in Intel machines) or by evaluating the device (e.g. iovation assessing the machine fingerprint). Only a few users will ever need to access resources from unauthorized computers, so narrow this exposure by also authenticating the device.
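The device-bound factor described above, as an added example that is not code from the original post or from any of the vendors it names. It assumes a challenge-response design: at enrollment the server records one public key per approved device (the private half would live in a TPM or similar; here it is an Ed25519 key generated in software), and at login the user must present both a correct one-time code and a signature over a fresh single-use challenge from an enrolled device. The OTP routine is an HMAC placeholder, not the SecurID algorithm, and the user, device IDs and seed are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"time"
)

// Server holds what the authentication service keeps after enrollment: one OTP
// seed per user and one public key per approved device. The device's private
// key never leaves the machine (in practice it would sit in a TPM or similar).
type Server struct {
	Seeds      map[string][]byte            // user -> OTP seed (constructed samples)
	Devices    map[string]ed25519.PublicKey // device ID -> enrolled public key
	challenges map[string]bool              // outstanding single-use challenges (hex)
}

func NewServer() *Server {
	return &Server{
		Seeds:      map[string][]byte{},
		Devices:    map[string]ed25519.PublicKey{},
		challenges: map[string]bool{},
	}
}

// OTPCode stands in for the token algorithm: HMAC-SHA256 over the time step,
// truncated to six digits. It is a placeholder, not the SecurID algorithm.
func OTPCode(seed []byte, step int64) uint32 {
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], uint64(step))
	mac := hmac.New(sha256.New, seed)
	mac.Write(buf[:])
	sum := mac.Sum(nil)
	return binary.BigEndian.Uint32(sum[:4]) % 1000000
}

// NewChallenge issues a fresh 32-byte nonce the device must sign. Each nonce is
// accepted once, so a captured signature cannot be replayed.
func (s *Server) NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	s.challenges[hex.EncodeToString(c)] = true
	return c
}

// Authenticate grants access only when the OTP is right for the step AND the
// challenge was signed by a key enrolled for the claimed device. A correct OTP
// alone (for example one derived from a leaked seed) is not enough.
func (s *Server) Authenticate(user string, step int64, code uint32, deviceID string, challenge, sig []byte) (bool, string) {
	seed, ok := s.Seeds[user]
	if !ok || OTPCode(seed, step) != code {
		return false, "otp rejected"
	}
	key := hex.EncodeToString(challenge)
	if !s.challenges[key] {
		return false, "unknown or reused challenge"
	}
	delete(s.challenges, key) // single use, whether or not the signature verifies
	pub, ok := s.Devices[deviceID]
	if !ok {
		return false, "device not enrolled"
	}
	if !ed25519.Verify(pub, challenge, sig) {
		return false, "device signature invalid"
	}
	return true, "ok"
}

func main() {
	srv := NewServer()
	seed := []byte("constructed-seed-for-alice") // sample seed, not a real token seed
	srv.Seeds["alice"] = seed
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	srv.Devices["laptop-0042"] = pub // enrolled device (constructed ID)

	step := time.Now().Unix() / 60
	code := OTPCode(seed, step)

	// Approved laptop: signs the challenge with its enrolled key.
	ch := srv.NewChallenge()
	ok, why := srv.Authenticate("alice", step, code, "laptop-0042", ch, ed25519.Sign(priv, ch))
	fmt.Println("approved device:", ok, why)

	// The same valid OTP presented from an unenrolled machine is refused.
	_, rogue, _ := ed25519.GenerateKey(rand.Reader)
	ch = srv.NewChallenge()
	ok, why = srv.Authenticate("alice", step, code, "unknown-pc", ch, ed25519.Sign(rogue, ch))
	fmt.Println("unenrolled device:", ok, why)
}
```

The ordering inside `Authenticate` matters: the challenge is consumed before the signature is checked, so a failed attempt cannot be retried against the same nonce, and every refusal carries a distinct reason that can be logged and alerted on, which is the detection signal the next paragraph asks for.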
Heighten efforts to detect APTs and intrusions. For an attacker, it is actually easier to avoid getting caught by launching a spear-phishing attack, penetrating corporate defenses with malware, and letting the APT deliver the secrets than it is to impersonate a user and bumble around a network like Diogenes looking for them. Step up automated efforts to catch configuration drift out of compliance and non-compliant network traffic – signs that you may be under attack.
With increased diligence, you can verify your trust in SecurID.