Strong Authentication

UPDATE: The RSA Security Breach, Subsequent Attacks, and the Status of SecurID (Upcoming Webcast June 10th)

By | RSA, Security, Strong Authentication | No Comments

There has been a lot of news this week regarding the RSA breach in March, which has apparently led to attacks on the defense contractors Lockheed Martin and L-3 Communications. Immediately following the negative press, RSA’s President Art Coviello issued an open letter stating that they have already reached out to “high risk” customers for remediation. For all other customers following best practice guidelines, RSA says they “can be confident in their continued security.”

The attacks appear to be specifically targeted at defense contractors as part of a broad scheme to get access to defense secrets and intellectual property. RSA still hasn’t been clear as to what data specifically has been compromised. It’s likely that seed records and the algorithm used to calculate token numbers may have been taken. However, the attackers would still need access to the passwords of the particular users who own the tokens. This tells me there also had to be some malware on end user computers that recorded keystrokes and passwords.

It looks like RSA will be replacing current tokens and seed records for some customers and will be moving toward soft tokens and more risk-based authentication in the future to limit these types of threats. The strongest benefit is EMC’s ownership of RSA and how seriously they are taking this situation. They have a reputation to repair and they have the money to ensure that this issue gets fixed. They were already working with Lockheed Martin and it looks like they anticipated some sort of attack. Once they saw the attack taking place, they were able to stop it almost immediately.

In light of this breach, as well as Sony’s major issues, IDS is hosting a webcast with RSA to discuss the current security landscape and the recent breaches at RSA, Sony and Epsilon. It is very important to us that you’re aware of how this news is unfolding so that you can do what’s best for your organization to minimize risk. IDS will continue to be your trusted advisor for all things data center and guide you in strengthening your security posture.

While this is bad PR for RSA, it points directly to the reason for our webcast on Friday. SecurID is not (and should not) be an organization’s only line of defense. It is a piece of the puzzle to a full security program, which should include protecting sensitive information while also educating users.

Please sign up for the webcast here.

Photo credit: alvaroprieto via Flickr

A Tale of Two Security Breaches: Sony vs RSA

By | Data Loss Prevention, Log Management, RSA, Security, Strong Authentication | No Comments

In March, when RSA announced that they had experienced a network attack which may have compromised their multi-factor authentication systems, it was the attack heard around the world. A few weeks later consumers received notices that email marketing firm Epsilon had also suffered a major breach of the customer information it held for companies like Chase Bank, Walgreens and TiVo. Even more recently, Sony has been in the news due to attacks on their network which have caused them to completely shut down their PlayStation Network indefinitely.

These high profile cyber attacks have had varying degrees of severity and impact. From their response time, it would seem RSA was alerted quickly and then responded even faster to minimize their public exposure. Sony, on the other hand, is continuing to find new evidence that their system was breached at least two weeks before they had any idea what was going on. While Sony scrambles to figure out what went wrong and where it started, their PlayStation Network has been offline for a little over two weeks now.

So, what’s the difference?

I see a few pretty clear messages in these two breaches. While I hate to reference it this way, as a security company, RSA “eats its own dog food”, meaning that they use everything they in turn sell. From log consolidation and data loss prevention to governance, risk and compliance, they utilize every product they sell within their own data center. RSA also quickly announced the purchase of NetWitness following their attack, a tool which was instrumental in helping RSA find out what was breached as well as its severity.

Why wasn’t RSA able to stop this attack?

My answer is this: the primary fault concerning this particular breach lies in social engineering. Employees clicked on a link they shouldn’t have (and should have known better), and, unfortunately, security comes down to the one variable no computer program can control: human error. Basically, we are the weakest link. Despite being hit by one of the most advanced threats the security community has ever witnessed, RSA was able to react to the attack as it was taking place. Generally, with attacks of this nature, it takes companies weeks or even months before they realize that an attack has occurred or is occurring.

Looking at Sony, we see a different story. More than two weeks have passed following discovery of their attack, and they are still uncovering information. They’ve engaged multiple security firms to help them sift through the data, but what is most astonishing is that they have only now realized that they need to hire a Chief Information Security Officer to be in charge of their security infrastructure (that’s right folks, Sony had no one focused on managing and mitigating their information risk). The last thing you want to be called in the security industry is reactive.

Now Sony is in the process of implementing defense in depth and doing things they should have been doing all along, like implementing more firewalls, intrusion prevention systems and automated patch management. Sony is big enough that most customers and the general public will have forgotten about this in 6-8 months and they’ll be one of the most secure companies in the world.

But, what about your company?

How much exposure and risk can your company endure? When your customers read the paper or hear on the news that YOU lost their information, will they continue to be loyal? Will they forget in 6-8 months and continue to do business with you? Do you want to take the chance of finding out? If none of the above scenarios appeal to you, then take note of Sony’s reactive response and implement security practices BEFORE a breach—not in reaction to one.

RSA Hacked: Should the Security Breach Have Customers Concerned?

By | EMC, RSA, Security, Strong Authentication | No Comments

Last week, RSA experienced an attack that breached their systems. Information about their multi-factor authentication products (SecurID, Authentication Manager) has been compromised.

There’s not much information right now but this attack seems to be geared toward stealing intellectual property and does not affect any current or potential RSA customers. An open letter to customers went out last Thursday and Friday from RSA regarding the breach.

Being in the IT security industry as long as I have, I know that breaches like this happen to numerous companies more times than the public is ever made aware of. So, despite RSA being a security company, they are certainly not immune. It would be nice if they shared more information with the public about the current situation, but they’re walking a fine line sharing their security information because they don’t want to divulge anything that will benefit the attacker or future attackers.

We have no evidence that customer security related to other RSA products has been similarly impacted. We are also confident that no other EMC products were impacted by this attack. It is important to note that we do not believe that either customer or employee personally identifiable information was compromised as a result of this incident.

RSA Executive Chairman Art Coviello stands by his above statement that customer information is not at risk, and I agree. It would take a considerable amount of work to reverse engineer RSA’s authentication infrastructure. There is an algorithm that generates token codes, plus token serial numbers, token records, customer-created passcodes and revolving keys. One single part can’t be used to gain significant information about any other part. I don’t think we’ll see cloned tokens floating around being used to log into people’s accounts. There are too many variables. Even if this happens, RSA would just reissue new tokens and seed records to resolve the issue.

In their letter to customers, RSA provides some recommendations to help customers strengthen their security.

Overall Recommendations from RSA:

RSA strongly urges customers to review all documents referenced in this note. Based on customer requests for prioritization of remediation, below are the most important remediation steps being recommended to customers:

  • Secure your Authentication Manager database and ensure strong policy and security regarding any exported data (see Best Practices Guides for specific instructions).
  • Review recent Authentication Manager logs for unusually high rates of failed authentications and/or next token code events, both of which could indicate suspicious activity (see Authentication Manager 6.x and 7.x Log Guidelines and Best Practices Guides for specific instructions).
  • Educate your help desk and end users on best practices for avoiding social engineering attacks such as targeted phishing (see Best Practices Guides for specific instructions).
  • Establish strong PIN and lockout policies for all users (see Best Practices Guides for specific instructions).
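The second recommendation, reviewing Authentication Manager logs for bursts of failed authentications and next-tokencode prompts, is the one a log reviewer can automate. The Python below is an added example, not RSA's tooling: it parses constructed log lines in a simplified hypothetical layout (timestamp, event, user, source; a real Authentication Manager export uses its own format, so the regex would need adjusting) and flags any user whose failures or next-tokencode prompts cluster within a short sliding window.

```python
"""Flag users with unusually high failed-auth or next-tokencode rates.

Added example (not RSA's code). The log layout below is constructed for
illustration: "<ISO timestamp> <EVENT> user=<name> src=<ip>".
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: bob shows the pattern the RSA note warns about.
SAMPLE_LOG = """\
2011-03-21T08:00:01 AUTH_OK user=alice src=10.0.0.5
2011-03-21T08:00:09 AUTH_FAIL user=bob src=10.0.0.9
2011-03-21T08:00:14 AUTH_FAIL user=bob src=10.0.0.9
2011-03-21T08:00:20 AUTH_FAIL user=bob src=10.0.0.9
2011-03-21T08:00:27 NEXT_TOKENCODE user=bob src=10.0.0.9
2011-03-21T08:00:33 AUTH_FAIL user=bob src=10.0.0.9
2011-03-21T08:00:40 NEXT_TOKENCODE user=bob src=10.0.0.9
2011-03-21T08:00:46 AUTH_FAIL user=bob src=10.0.0.9
2011-03-21T08:05:00 AUTH_FAIL user=carol src=10.0.0.12
2011-03-21T08:30:00 AUTH_OK user=carol src=10.0.0.12
2011-03-21T09:00:00 AUTH_FAIL user=alice src=10.0.0.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>[A-Z_]+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Return a list of (timestamp, event, user, src); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["event"], m["user"], m["src"]))
    return events


def find_suspicious_users(events, window=timedelta(minutes=5), max_fail=5, max_next=1):
    """Map user -> sorted reasons for every user who, inside any `window`,
    reaches `max_fail` failed authentications or more than `max_next`
    next-tokencode prompts. Thresholds are constructed; tune to your baseline."""
    per_user = defaultdict(list)
    for ts, ev, user, _src in events:
        if ev in ("AUTH_FAIL", "NEXT_TOKENCODE"):
            per_user[user].append((ts, ev))

    flagged = {}
    for user, evs in per_user.items():
        evs.sort()
        reasons = set()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the window fits.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            fails = sum(1 for _, e in win if e == "AUTH_FAIL")
            nexts = sum(1 for _, e in win if e == "NEXT_TOKENCODE")
            if fails >= max_fail:
                reasons.add("failed-auth burst")
            if nexts > max_next:
                reasons.add("repeated next-tokencode prompts")
        if reasons:
            flagged[user] = sorted(reasons)
    return flagged


if __name__ == "__main__":
    for user, why in find_suspicious_users(parse_log(SAMPLE_LOG)).items():
        print(f"{user}: {', '.join(why)}")
```

A single next-tokencode prompt is routine (a user typing a code at the boundary of a minute), which is why the example only flags repeats; the failed-auth threshold should sit well above what a forgotten PIN produces on your own help desk traffic.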

Additional Information:

The Best Practice Guidelines are available from: RSA SecurCare Online (SCOL).

Letter from Art Coviello:

Wired Article:

Photo Credit: Don Hankins

Multifactor Authentication: Providing the “Strong” Protection Passwords Don’t

By | Security, Strong Authentication | No Comments

A few weeks ago, I was reading through some discussions posted on LinkedIn. One that caught my eye was, “How long should my password be?”

My first thought was, “Are people still talking about password lengths?”

Passwords are intended to authorize users to access only what they need access to. We’ve had questions about passwords and their effectiveness since we first began using them. Everyone in the security industry has an opinion. Many of the answers that you hear are different.

Most systems require at least 6 or 8 characters, and people say this length is enough as long as you mix letters, numbers and special characters. You’ll also hear that passwords just have to be 10 or more characters long, regardless of the character mix, in order to be effective.

I’m going to take a stand and end all discussion by saying passwords are nearly useless.

Anyone with clear intent to get to your data can do so in a short period of time regardless of your password. With today’s hardware processing power, it is trivial to “crack” passwords in a short amount of time. It becomes even easier with technology such as Rainbow Tables (I’ll leave you to do your own Google searching if you’re not familiar with this). Finally, all of this becomes moot if the attacker has physical access to the machine and/or admin control via a malicious exploit and gets hold of the password hash on the system. What’s even easier is installing a key logger to capture all the keystrokes on the machine. GAME OVER!

I’m reminded of a study that took place a few years ago that discovered that people were willing to give away their passwords in exchange for a piece of chocolate. It was never verified that the passwords given were accurate but people have freely given me their password (without being asked) in exchange for nothing at all. Ultimately, it comes down to the weakest link, which is always the end user.

Okay, so now that I’ve destroyed any amount of hope you’ve had in your passwords, there’s no need to go cry in the corner. There is a more effective way to protect your assets with proper authentication. I’m a fan of multifactor authentication (a.k.a. “strong” authentication).

Note: RSA recently announced their new platform, Authentication Manager Express, which provides strong authentication without the use of tokens, making it a more cost-effective solution for SMBs. See Vaughn’s blog post, “RSA Authentication Manager Express: Bringing Strong Authentication to SMBs (w/o the tokens)”.

Like using an ATM, multifactor authentication combines something you physically have with something that you know. One without the other is virtually useless.

Probably the most well known form of multifactor authentication is RSA tokens. Your password is replaced with a PIN (something you know) combined with a random number generated on a key fob (something you have). If you lose the key fob, it’s not too much to worry about because anyone who retrieves it will need to know your username and your PIN in order to gain access. This also protects against key loggers because part of your password will be a different random number each time you use it.
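To make the PIN-plus-tokencode idea concrete, here is an added example of the server-side check; it is not RSA's code. It uses the open HOTP/TOTP construction (RFC 4226 / RFC 6238, HMAC-SHA1) in place of SecurID's proprietary tokencode algorithm, so the logic has the same shape but the numbers are not those of a real fob, and SEED is the public RFC 4226 test secret rather than a real seed record. The demo walks through the cases the paragraph describes: a found fob without the PIN fails, the PIN without the fob fails, and a keylogged passcode fails when replayed because each tokencode is accepted once.

```python
"""PIN (something you know) + tokencode (something you have) verification.

Added example, not RSA's code: HOTP/TOTP (RFC 4226 / RFC 6238) stands in
for SecurID's proprietary algorithm. SEED is the RFC 4226 test secret.
"""
import hashlib
import hmac
import struct

STEP = 60      # seconds per tokencode (a SecurID fob rotates every 60 s)
DIGITS = 6
SEED = b"12345678901234567890"  # RFC 4226 Appendix D test secret, not a real seed record


def hotp(seed, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1(seed, counter), dynamically truncated to `digits` decimals."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


def tokencode(seed, now, step=STEP):
    """What the fob displays at Unix time `now` (RFC 6238: counter = now // step)."""
    return hotp(seed, int(now) // step)


class Verifier:
    """Server side: the user's seed record, a hash of the PIN, and the last
    counter accepted, so that a captured passcode cannot be replayed."""

    def __init__(self, seed, pin, skew=1):
        self.seed = seed
        self.pin_hash = hashlib.sha256(pin.encode()).hexdigest()  # store a hash, never the PIN
        self.skew = skew            # tolerate +/- one step of fob/server clock drift
        self.last_counter = -1      # replay guard: each counter value is usable once

    def verify(self, passcode, now):
        """passcode = PIN immediately followed by the current tokencode."""
        if len(passcode) <= DIGITS:
            return False            # cannot hold a PIN plus a code (e.g. a bare tokencode)
        pin, code = passcode[:-DIGITS], passcode[-DIGITS:]
        pin_ok = hmac.compare_digest(hashlib.sha256(pin.encode()).hexdigest(), self.pin_hash)
        if not pin_ok:
            return False            # a found fob without the PIN gets nowhere
        counter = int(now) // STEP
        for c in range(counter - self.skew, counter + self.skew + 1):
            if c > self.last_counter and hmac.compare_digest(hotp(self.seed, c), code):
                self.last_counter = c   # burn the code: a keylogged passcode is now useless
                return True
        return False                # wrong or already-used code: the PIN alone gets nowhere


def demo():
    """The cases from the post, as {case: accepted?}. Time 60 is constructed so the
    current counter is 1 and the fob shows the RFC 4226 vector 287082."""
    v = Verifier(SEED, pin="2468")
    now = 60
    code = tokencode(SEED, now)
    return {
        "pin + current code": v.verify("2468" + code, now),
        "same passcode replayed 5 s later": v.verify("2468" + code, now + 5),
        "code alone, no pin": v.verify(code, now),
        "wrong pin + next code": v.verify("0000" + tokencode(SEED, now + STEP), now + STEP),
        "pin + next period's code": v.verify("2468" + tokencode(SEED, now + STEP), now + STEP),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:36} -> {'accepted' if ok else 'rejected'}")
```

The replay guard is what turns the "different random number each time" property into an actual defence against a key logger: without `last_counter`, a passcode captured and resubmitted within the same minute (or within the clock-skew tolerance) would still be accepted.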

As always, when talking about security, layers are necessary. There is no such thing as being totally “secure”. Multifactor authentication is a great piece of the puzzle, but we still need to take other measures against malicious code (e.g. viruses, key loggers, rootkits, etc.). All systems need to be hardened to protect against various types of penetration. That’s why we still need firewalls, intrusion prevention systems and the like.

[Photo credit to Mike Gdovin via Flickr]

RSA Authentication Manager Express: Bringing Strong Authentication to SMBs (w/o the Tokens)

By | RSA, Security, Strong Authentication | No Comments

RSA has recently introduced a new platform for strong authentication, Authentication Manager Express. It’s getting a lot of much-deserved press for being the first to market with a multifactor authentication solution well suited to small to medium-sized businesses.

In fact, in an article in the MidMarket section of covering the release, our very own Justin Mescher was interviewed to provide his commentary:

Justin Mescher, CTO of Integrated Data Storage, said RSA’s product is cost-competitive, implements seamlessly into almost any IT environment and is designed to be one of the easiest ways to add another layer of security to resources that require user remote access. “Coupled with an expanded set of RSA SecurWorld reseller training resources and benefits, we expect Authentication Manager Express will help us drive new interest among midmarket customers that were previously hesitant to consider strong authentication solutions priced and designed for larger enterprises,” he said.

To reiterate Justin’s point, the reason why this system is so appealing is that it removes the barrier to entry for SMBs to implement strong authentication. Up to this point, many organizations have felt that it’s cost prohibitive to purchase and maintain hardware tokens for their users. Authentication Manager Express uses both risk-based authentication and on-demand authentication without the need for tokens, leveraging their current Active Directory structure.

The system is designed to work with SSL VPNs and web portals to provide protection against unauthorized access. Users continue to use their user names and passwords, while the intelligent risk engine detects abnormal behavior. If the user generally logs into the SSL VPN from a particular workstation in Chicago, IL and is later seen trying to authenticate from a workstation in France, the system will prompt the user with a challenge question to verify their identity. The user could also be prompted for an on-demand token code that’s delivered to their mobile phone via SMS or email before they’re allowed access to the system.
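As an added illustration of the risk-based step-up described above (this is not RSA's risk engine; the signals, weights and thresholds are constructed for the example), the Python below keeps a per-user baseline of workstations, countries and login hours learned from verified logins, scores each new attempt against it, and returns one of three decisions: allow, ask a challenge question, or require an on-demand code. It also covers the case the paragraph does not mention, a user with no baseline at all, who gets the strongest step-up.

```python
"""Risk-based step-up decision for a password login (added example, not RSA's engine)."""
from dataclasses import dataclass, field


@dataclass
class Attempt:
    user: str
    device_id: str    # constructed stand-in for a workstation/browser fingerprint
    country: str
    hour: int         # local hour of the attempt, 0-23


@dataclass
class Profile:
    """What the engine has learned from a user's verified logins."""
    known_devices: set = field(default_factory=set)
    known_countries: set = field(default_factory=set)
    usual_hours: set = field(default_factory=set)


class RiskEngine:
    # Constructed weights: an unfamiliar workstation or country weighs the
    # same; an odd hour is a weaker signal on its own.
    WEIGHTS = {"device": 40, "country": 40, "hour": 15}

    def __init__(self, challenge_at=40, stepup_at=90):
        self.profiles = {}
        self.challenge_at = challenge_at   # score at which a challenge question is asked
        self.stepup_at = stepup_at         # score at which an on-demand code is required

    def profile(self, user):
        return self.profiles.setdefault(user, Profile())

    def learn(self, attempt):
        """Add a successful, fully verified login to the user's baseline."""
        p = self.profile(attempt.user)
        p.known_devices.add(attempt.device_id)
        p.known_countries.add(attempt.country)
        p.usual_hours.add(attempt.hour)

    def score(self, attempt):
        p = self.profile(attempt.user)
        s = 0
        if attempt.device_id not in p.known_devices:
            s += self.WEIGHTS["device"]
        if attempt.country not in p.known_countries:
            s += self.WEIGHTS["country"]
        if attempt.hour not in p.usual_hours:
            s += self.WEIGHTS["hour"]
        return s

    def decide(self, attempt):
        """'allow', 'challenge-question' or 'on-demand-code' (code sent via SMS/email)."""
        s = self.score(attempt)
        if s >= self.stepup_at:
            return "on-demand-code"
        if s >= self.challenge_at:
            return "challenge-question"
        return "allow"


def demo():
    """Baseline: jdoe logs in from one Chicago workstation during office hours."""
    engine = RiskEngine()
    for hour in (8, 9, 17):
        engine.learn(Attempt("jdoe", "ws-chicago-01", "US", hour))
    return {
        "usual workstation": engine.decide(Attempt("jdoe", "ws-chicago-01", "US", 9)),
        "new workstation, Chicago": engine.decide(Attempt("jdoe", "ws-chicago-02", "US", 9)),
        "usual workstation, France": engine.decide(Attempt("jdoe", "ws-chicago-01", "FR", 9)),
        "unknown workstation, France": engine.decide(Attempt("jdoe", "ws-unknown", "FR", 9)),
        "unknown workstation, France, 3am": engine.decide(Attempt("jdoe", "ws-unknown", "FR", 3)),
        "new user, no baseline": engine.decide(Attempt("newhire", "ws-unknown", "US", 9)),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:34} -> {decision}")
```

Two design points matter more than the exact weights: the baseline is only updated by `learn()` after a fully verified login, so an attacker who fails the challenge does not teach the engine their workstation, and a user with no history is treated as maximally unfamiliar rather than trusted by default.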

I had the privilege of being one of the few users to beta test this appliance in my lab over the past few months and I’m excited to begin talking about how organizations will be able to leverage the system. I’ve got a number of customers that have been asking for a cost effective way to implement strong authentication and RSA has finally made this possible. Building on Authentication Manager and the well known SecurID, Authentication Manager Express will help meet the needs of customers who want to use multifactor authentication and also require a system that is manageable and convenient for their users.

[Photo credit to Jeff Tabaco via Flickr]