RSA risk mitigation


Unless you've been in a coma the past week you're aware that some sort of security breach occurred at RSA (or, more correctly, "RSA, the security division of EMC") and that "... information specifically related to RSA's SecurID two-factor authentication products" was "extracted from RSA's systems." That's how "Executive Chairman" (where do they get these titles?) Art Coviello put it in a letter to RSA customers.

That's all they said, by the way.

Well, the blogosphere has been abuzz since then. Good reads come from:

Bruce Schneier

Mark Diodati

<aside> Congratulations, Mark, on being named a vice president at Gartner!</aside>

Sacher Paulus

Martin Kuppinger

Network World has, of course, followed the developments closely.

I won't rehash those stories, although the latest rumor -- that RSA had provided the U.S. government with a "back door" to SecurID in order to secure export permits -- is intriguing.

There are two possibilities that I can see. One is that RSA really doesn't know what went missing and has no idea of the extent of the possible damage. The other is that they know very well what's been stolen but have no idea how to combat the threat. Either way, my thoughts are that anyone using SecurID now has to take two steps.

The second step is to immediately put in place a search for a replacement multi-factor authentication plan. Since RSA won't (or can't) reveal what was stolen, we must consider the worst-case scenario and assume that all SecurID tokens are compromised and suspect. We also must assume that EMC (the non-security division of RSA) has no idea how to counteract the damage.

That's going to take time, however. No sense in rushing to jump out of the skillet into the fire pit. So in the meantime the first step you should take is to strengthen your context-based or risk-based access control policies. Every SecurID access attempt must be considered suspect and treated as such. Don't simply eliminate SecurID from your authentications, but do use multiple factors to evaluate the identity of the person attempting the access.
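As an added illustration (not from the original column or from RSA), here is a small hypothetical risk-based access policy in Python that treats a successful SecurID one-time code as a weaker signal while the tokens are suspect, and weighs device, location, time of day and recent failures alongside it. The signal weights, thresholds and sample attempts are invented for illustration only.

```python
from dataclasses import dataclass

# Hypothetical weights: while token seed material is presumed compromised,
# a correct OTP alone should not carry the access decision.
OTP_WEIGHT_NORMAL = 60
OTP_WEIGHT_SUSPECT = 25


@dataclass
class Attempt:
    user: str
    password_ok: bool
    otp_ok: bool                 # SecurID code validated by the ACE/RADIUS back end
    device_known: bool           # device fingerprint previously seen for this user
    country: str
    usual_countries: tuple
    hour_local: int              # local hour of the attempt, 0-23
    failed_attempts_last_hour: int
    resource_sensitivity: str    # "low" or "high"


def trust_score(a: Attempt, token_suspect: bool = True) -> int:
    """Combine independent context signals into a single 0+ trust score."""
    score = 0
    if a.password_ok:
        score += 30
    if a.otp_ok:
        score += OTP_WEIGHT_SUSPECT if token_suspect else OTP_WEIGHT_NORMAL
    if a.device_known:
        score += 25
    if a.country in a.usual_countries:
        score += 15
    if 7 <= a.hour_local <= 20:          # inside the user's normal working hours
        score += 5
    score -= min(a.failed_attempts_last_hour, 5) * 10   # recent brute-force signal
    return max(score, 0)


def decide(a: Attempt, token_suspect: bool = True) -> str:
    """Return 'allow', 'step-up' (require an additional out-of-band check) or 'deny'."""
    if not a.password_ok:
        return "deny"                    # the first factor is never optional
    threshold = 75 if a.resource_sensitivity == "high" else 55
    s = trust_score(a, token_suspect)
    if s >= threshold:
        return "allow"
    if s >= threshold - 25:
        return "step-up"
    return "deny"


# Constructed sample: a correct password and OTP from an unknown device in an
# unusual country at 03:00. Before the breach the OTP would have carried it to
# "allow"; with tokens suspect the policy asks for step-up verification instead.
SUSPICIOUS = Attempt("alice", True, True, False, "XX", ("US",), 3, 0, "high")
```

Calling `decide(SUSPICIOUS)` yields `"step-up"`, while `decide(SUSPICIOUS, token_suspect=False)` yields `"allow"`, which is exactly the gap a context-based policy is meant to close.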

I've been preaching context-based access control for years. If you haven't been listening, or if you listened but minimized your need, I'm sorry. If you did that and also relied on SecurID for your access control then -- there's no easy way to put this -- you could be in deep doo-doo.


Copyright © 2011 IDG Communications, Inc.
