March 21, 2011, 12:16 PM — With the theft of sensitive data about RSA's SecurID technology, large businesses should reassess the risks to the assets the two-factor authentication deployment is supposed to protect, a risk management expert advises.
"You have to ask yourself if you are a big enough shop that you could be a target," says John Pironti, president of IP Architects, a security consulting firm. That's because attackers who might make use of the stolen information will look for victims that have the richest cache of data to loot, he says.
GET THE DETAILS: The RSA Hack FAQ
Whereas before the theft businesses might have had a high degree of confidence that SecurID was a strong authentication protection, now they should consider that it might be compromised, Pironti says.
RSA hasn't detailed what was stolen, but the fact that the company made a public announcement -- including a filing with the Security and Exchange Commission -- indicates that some fundamental piece of the technology has fallen into attackers' hands, he says, and businesses need to take specific steps:
1. Update their threat and vulnerability analysis to elevate SecurID as a potential vulnerability. Many businesses regarded the technology as solid and not representing a significant source of vulnerability, Pironti says.
2. Pore over logs looking for failed login attempts using false user names.
3. Monitor failed SecurID attempts, something that might not have been done because the technology was trusted. In general, security personnel should pay more attention to the activities of employees using SecurID.
4. Consider alternatives to go to if it turns out SecurID has in fact been compromised. In that case businesses should start looking for a third factor for authentication such as smartcards, biometrics or digital certificates and perhaps consider migrating away from SecurID, he says.
Worst case: Thieves stole the master key to RSA's pseudo-random number generator and can manufacture phony ones to break into corporate networks, Pironti says.
So far there's no evidence that has happened, but if it does, businesses need to have a fallback plan for what they will do, Pironti says. "The system would still require a user name and password, but now you have reduced confidence that this is the person who they say it is," he says.