March 21, 2011, 11:37 AM — RSA is scrambling to reaffirm that the strength of its SecurID technology is not diminished.
There's no clear indication yet of whether RSA will or will not be forced to make changes to SecurID as a result of what RSA Executive Chairman Art Coviello said is "an extremely sophisticated cyber attack in progress being mounted against RSA" where information was stolen "and that some of that information is specifically related to RSA's SecurID two-factor authentication products." SecurID is used to protect sensitive corporate data.
But there's already speculation that attackers gained some information about the "secret sauce" for RSA SecurID and its one-time password authentication mechanism, which could be tied to the serial numbers on tokens, says Phil Cox, principal consultant at Boston-based SystemExperts. RSA is emphasizing that customers make sure that anyone in their organizations using SecurID be careful in ensuring they don't give out serial numbers on secured tokens. RSA executives are busy today conducting mass briefings via dial-in for customers, says Cox.
RSA has not yet responded directly to inquiries. But all of the hubbub makes security experts wonder whether a security fix for SecurID may be coming because of the discovery of the breach at RSA. Jon Gossels, president of SystemExperts, is inclined to think that may well happen; Cox, not so much. But Cox acknowledges that a massive change for tokens and the RSA authentication server would be no trivial matter for customers to undertake.
With little more to go on than that right now, the question is whether customers are likely to feel a loss of confidence in using SecurID, the two-factor authentication system. Or to not have confidence in RSA the company.
"Until RSA gives out more information, enterprises should certainly hold up any planned SecurID procurements. With existing use, pay more attention to access logs until more information comes out," says Gartner analyst John Pescatore.
Pescatore notes that just saying, as RSA did, that the breach relates to an "advanced persistent threat" is "just trying to deflect attention from RSA's failure to protect their systems. Most large enterprises, and certainly all major security companies with any threat experience, have been dealing with targeted threats for several years."
Should customers give up using their SecurID tokens now?
Cox himself answers with a definite "no," saying he himself uses SecurID.