Saturday, April 9, 2011

RSA SecurID Attack: FAQ posted by the Company

RSA posted the following FAQ on its web site regarding the attack and the actions its customers must take. Although the FAQ is very helpful for RSA's customers, it discloses no further information about what was extracted.

Following is the FAQ; the original version can be downloaded here.

Overview
1. What happened?
Recently, our security systems identified an extremely sophisticated cyber attack in progress, targeting our RSA business unit. We took a variety of aggressive measures against the threat to protect our customers and our business including further hardening our IT infrastructure and working closely with appropriate authorities.
2. What information was lost?
Our investigation to date has revealed that the attack resulted in certain information being extracted from RSA's systems. Some of that information is related to RSA SecurID authentication products.
3. Why can't you provide more details about the information that was extracted related to RSA SecurID technology?
Our customers' security is our number one priority. We continue to provide our customers with all the information they need to assess their risk and ensure they are protected. Providing additional specific information about the nature of the attack on RSA or about certain elements of RSA SecurID design could enable others to try to compromise our customers' RSA SecurID implementations.
4. Does this event weaken my RSA SecurID solution against attacks?
RSA SecurID technology continues to be an effective authentication solution. To the best of our knowledge, whoever attacked RSA has certain information related to the RSA SecurID solution, but not enough to complete a successful attack without obtaining additional information that is only held by our customers. We have provided best practices so customers can strengthen the protection of the RSA SecurID information they hold. RSA SecurID technology is as effective as it was before against other attacks.
5. What constitutes a direct attack on an RSA SecurID customer?
To compromise any RSA SecurID deployment, an attacker needs to possess multiple pieces of information about the token, the customer, the individual users and their PINs. Some of this information is never held by RSA and is controlled only by the customer. In order to mount a successful direct attack, someone would need to have possession of all this information.
6. What constitutes a broader attack on an RSA SecurID customer?
To compromise any RSA SecurID deployment, the attacker needs to possess multiple pieces of information about the token, the customer, the individual users and their PINs. Some of this information is never held by RSA and is controlled only by the customer. In order to mount a successful direct attack, someone would need to have possession of all this information.
The broader attack we referenced most likely would be an indirect attack on a customer that uses a combination of technical and social engineering techniques to attempt to compromise all pieces of information about the token, the customer, the individual users and their PINs. Social engineering attacks typically target customers' end users and help desks. Technical attacks typically target customers' back end servers, networks and end user machines. Our prioritized remediation steps in the RSA SecurID Best Practices Guides are focused on strengthening your security against these potential broader attacks.
7. Have my SecurID token records been taken?
For the security of our customers, we are not releasing any additional information about what was taken. It is more important to understand all the critical components of the RSA SecurID solution.
To compromise any RSA SecurID deployment, the attacker needs to possess multiple pieces of information about the token, the customer, the individual users and their PINs. Some of this information is never held by RSA and is controlled only by the customer. In order to mount a successful attack, someone would need to have possession of all this information.
8. Has RSA stopped manufacturing and/or distributing RSA SecurID tokens or other products?
As part of our standard operating procedures, while we further harden our environment some operations are interrupted. We expect to resume distribution soon and will share information on this when available.
9. Are any other RSA or EMC products affected?
We have no evidence that customer security related to other RSA products has been similarly impacted by this attack. We also are confident that no other EMC products were impacted by this attack. It is important to note that we do not believe that either customer or employee personally identifiable information has been compromised.
10. What new information are you disclosing in this note, and why are you issuing it now?
We are not disclosing new information related to the incident. Customers have asked us to provide more specific best practices and also help them prioritize the remediation steps. They also asked us to clarify some of the terms we used in the original communication. We are responding to these requests.
Immediate Guidance for RSA SecurID Customers
11. What are the top four steps I should take to protect my system?
RSA strongly recommends that each customer review the RSA SecurID Security Best Practices available on SecurCare Online and take immediate action to address nonconforming areas in your deployment. Specific areas of focus include the following:
– Secure your Authentication Manager database and ensure strong policy and security regarding any exported data. (For more information see the Protecting Sensitive Data and Protecting the Authentication Manager Environment sections in the RSA Authentication Manager Security Best Practices Guide.)
– Review recent Authentication Manager logs for unusually high rates of failed authentications and/or next token. (For more information see the Authentication Manager Log Monitoring Guidelines.)
– Educate your help desk and end users on best practices for avoiding social engineering attacks such as targeted phishing. (For more information see the Preventing Social Engineering Attacks section in the RSA Authentication Manager Security Best Practices Guide.)
– Establish strong PIN and lockout policies for all users. (For more information, see the PIN Management section in the RSA Authentication Manager Security Best Practices Guide.)
We have also included three other security best practice guides for customers who are interested in taking additional measures to further secure their RSA SecurID implementations.
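As an added illustration of the log review step above (this is not RSA's code, and the key=value log layout is an assumed, constructed one rather than Authentication Manager's real format), the following Python flags users whose failed-authentication count inside a sliding time window, or whose next-tokencode prompts, reach an assumed threshold:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed simplified key=value layout, NOT RSA AM's real format).
SAMPLE_LOG = """\
2011-04-08T09:00:01 user=alice src=10.1.1.5 result=AUTH_SUCCESS
2011-04-08T09:00:05 user=bob src=10.1.1.9 result=AUTH_FAILURE
2011-04-08T09:00:07 user=bob src=10.1.1.9 result=AUTH_FAILURE
2011-04-08T09:00:09 user=bob src=10.1.1.9 result=AUTH_FAILURE
2011-04-08T09:00:11 user=bob src=10.1.1.9 result=AUTH_FAILURE
2011-04-08T09:00:13 user=bob src=10.1.1.9 result=AUTH_FAILURE
2011-04-08T09:00:20 user=carol src=10.1.2.3 result=NEXT_TOKENCODE_REQUIRED
2011-04-08T09:00:25 user=carol src=10.1.2.3 result=NEXT_TOKENCODE_REQUIRED
2011-04-08T09:30:00 user=bob src=10.1.1.9 result=AUTH_FAILURE
"""

def parse_line(line):
    # 'timestamp k=v k=v ...' -> dict, with the timestamp parsed under 'ts'
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def find_anomalies(log_text, window=timedelta(minutes=10),
                   fail_threshold=5, next_token_threshold=2):
    """Return {user: reason} for users with >= fail_threshold failures inside any
    sliding window or >= next_token_threshold next-tokencode prompts (assumed values)."""
    failures = defaultdict(list)
    next_token = defaultdict(int)
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        if rec["result"] == "AUTH_FAILURE":
            failures[rec["user"]].append(rec["ts"])
        elif rec["result"] == "NEXT_TOKENCODE_REQUIRED":
            next_token[rec["user"]] += 1
    flagged = {}
    for user, stamps in failures.items():
        stamps.sort()
        start = 0  # left edge of the sliding window
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= fail_threshold:
                flagged[user] = f"{fail_threshold}+ failures within {window}"
                break
    for user, count in next_token.items():
        if count >= next_token_threshold:
            flagged[user] = f"{count} next-tokencode prompts"
    return flagged
```

The sliding window matters: the late failure at 09:30 is not counted with the burst at 09:00, so a steady trickle of typos is distinguished from a concentrated guessing attempt.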
12. How do I secure my Authentication Manager database and exported data?
To protect the data stored in your Authentication Manager database:
a. Do not store any copies of data extracted from Authentication Manager online. You should keep an encrypted secure copy offline.
b. Remote access to Authentication Manager hosts should be reviewed and limited.
c. Physically control access to your Authentication Manager servers within your datacenter environment.
d. Use firewalls to isolate your Authentication Manager network.
For more information see the Protecting Sensitive Data and Protecting the Authentication Manager Environment sections in the RSA Authentication Manager Security Best Practices Guide.
