Skip Links

The RSA Hack FAQ

RSA hack: What happened, when, what should you do about it

By , Network World
March 18, 2011 02:14 PM ET

Network World - In the aftermath of RSA saying that its SecurID two-factor authentication tokens may have been compromised in a data breach of the company's network, here are some key questions and answers about the situation.

The answers in quotations come from a public letter signed by RSA's Executive Chairman Art Coviello.

What happened?

RSA's corporate network suffered what RSA describes as a successful advanced persistent threat attack, and "certain information" was stolen that can somehow affect the security of SecurID authentication.

MORE ON SECURITY: 20 hot IT security issues

What does that mean?

RSA clarifies by saying what the stolen information does not enable. "[T]he information extracted does not enable a successful direct attack on any of our RSA SecurID customers."

Then why is RSA making a big deal out of it, and what good is the information to the people who stole it?

Without knowing exactly what information was taken it's hard to say, but given the apparent sensitivity of the stolen materials and the widespread use of SecurID to protect the most sensitive corporate data, the thieves can probably cash it in somehow.

Here's what RSA says: "[T]his information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack. We are very actively communicating this situation to RSA customers and providing immediate steps for them to take to strengthen their SecurID implementations."

What are those steps?

RSA recommends nine steps, which amount to following pretty basic security principles:

1. Focus on use of social media applications by anyone with access to corporate networks.

2. Enforce strong passwords and PINs.

3. Follow the rule of least privilege when assigning access rights to security administrators.

4. Tell users to avoid suspicious e-mails and not to give out user names and other credentials when they are solicited by e-mail or phone call. They should report such attempts.

5. Implement two-factor authentication to directories and use SIEM products to keep an eye on directory activity.

6. Closely watch changes in user access privileges and require more manual approvals to increase them.

7. Tighten all security surrounding critical security software.

8. Review help desk procedures with an eye toward blocking social engineering attacks.

9. Update operating systems and security products' software.

What's RSA going to do about it directly?

It says it will help strengthen customers' security: "We are committed to applying all necessary resources to give our SecurID customers the tools, processes and support they require to strengthen the security of their IT systems in the face of this incident. Our full support will include a range of RSA and EMC internal resources as well as close engagement with our partner ecosystems and our customers' relevant partners."

How did the hackers get in?

RSA is describing the attack as an advanced persistent threat, but isn't detailing what happened.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News