Event

On 3 June 2011, RSA, the Security Division of EMC, confirmed that Lockheed Martin had proof that hackers attacked its network partly by using data stolen in a March 2011 attack on RSA.

On 6 June 2011, RSA announced a program to replace customers' RSA SecurID one-time password (OTP) authentication product tokens. (For details, see http://www.rsa.com/node.aspx?id=3891 .)

Analysis

After the March 2011 security incident (see "RSA SecurID Compromise Is of Concern, but Likely Not a Fatal Flaw" ), RSA announced that information about RSA SecurID tokens had been exposed and that an attacker could use that information as part of an attack against SecurID customers. RSA also published guidance for minimizing the risks of such attacks. Gartner understands that RSA replaced SecurID tokens for a smaller number of customers, although RSA did not provide details about these replacements. RSA has now disclosed that it knew that the attack was defense/nation-state motivated; consequently, RSA focused on its military and government customers and replaced tokens for some of these customers.

To attempt to mitigate risks and restore customer confidence, RSA is now offering replacement SecurID tokens to all of its customers, with an early focus on enterprises and industry verticals most likely to be at risk. The token replacement program is expected to take, at minimum, three months, but could last much longer, depending on how many customers choose that additional remediation option. Customers that have received SecurID tokens since 23 March 2011 are not at risk.

Although enterprises will not pay incremental costs for replacement SecurID tokens, they will still face administrative overhead and logistical costs, which could exceed the token list price. This option should be compared with switching to another authentication vendor or method. Enterprises that are able to implement alternative remediation mechanisms may be able to do this more cheaply than implementing replacement tokens. Financial services and other consumer-focused enterprises have the option of augmenting existing SecurID tokens with RSA's Web fraud detection tools, which RSA says it will make available as an option in its remediation program.

Gartner advises taking a conservative approach, as we still don't have enough information about the hackers' identity, motivation and intentions. Other vertical industries are not clearly threatened at this time, but the risk of compromise remains and could spread further; for example, if the original attacker sells the information it acquired. All customers should be wary about how the RSA attack could affect them and their own customers. Enterprises that cannot be absolutely certain that they can apply high levels of fraud detection and best practices recommended by RSA should implement replacement SecurID tokens or consider another vendor's offering.

All authentication methods can be compromised and should never be the sole means of protection for enterprise assets. Cyberthieves have circumvented strong authentication communicated through user browsers to raid bank accounts and other enterprise assets. Gartner has long recommended a layered fraud prevention approach to ensure adequate defenses (see "The Five Layers of Fraud Prevention and Using them to Beat Malware" ).

Prospective SecurID customers: 

• Consider RSA as a viable option, among others, as new SecurID tokens are not impacted by the attack on RSA.

Current SecurID customers:

• Continue to follow RSA's guidance for managing and monitoring SecurID use, now and if and when you receive replacement SecurID tokens. In particular, ensure you properly safeguard the token records containing the token seed values (secret keys).
• Implement enhanced security monitoring and fraud detection technologies.
• Use robust endpoint protection software to protect against spyware and malware-based session hijacking attacks.

Defense industry customers:

• Implement your replacement SecurID tokens. Your industry has been targeted and customers won't trust you if you don't. Budget for the administrative overhead and logistical costs.

Financial services customers and others relying on SecurID for external user authentication:

• Follow a multilayered fraud prevention approach.
• Consider the need to replace SecurID tokens as part of a broader strategy, but don't overlook the impact on customer confidence if you don't replace tokens. Strongly consider introducing to your customers alternative devices and methods that support authentication and transaction verification.
• Resist the tendency to remain with RSA because it is the incumbent vendor. Evaluate its products side-by-side with competing products that offer fraud detection and adaptive authentication capabilities.

Some documents may not be available as part of your current Gartner subscription.

• "Where Strong Authentication Fails and What You Can Do About It" — A layered fraud prevention approach can help beat man-in-the-browser attacks by fraudsters.  By Avivah Litan
• "Choosing a Replacement for Incumbent One-Time Password Tokens" — Enterprises seeking replacements for incumbent OTP hardware tokens must understand their needs clearly, the suitability of alternative authentication methods, and the costs of and opportunities for switching vendors. By Ant Allan