Today, 2011 Jun 07, RSA admitted that a hacker was able to break into a Lockheed Martin computer system because of a data breach at RSA. This is a huge problem for RSA, since their business model is pretty much defined by preventing exactly this situation. But what is the impact for normal users of RSA tokens? Is your data at risk?
Ever since the first computers left the laboratory, there has been a need to determine who should have access to what. Historically, the answer has been a username/password combination. That worked pretty well when people were accessing mainframes from dumb terminals hardwired to their desks. Back then, most computer security was the physical security of the office. However, as computers have gotten faster, smaller, and more connected, that simple level of security has not always been up to the task.
The first problem with passwords in an interconnected world is that you don’t own the wires between the user and the server. In a wireless world, you can’t even theoretically know who’s listening in. That means that every important piece of communication needs to be encrypted. Is your logon page sent via SSL/TLS? Do you have WPA turned on for all wireless devices?
Another problem faced by companies with remote access capability is brute force attacks. There are only so many passwords a human can type in a minute, but automated password crackers can try millions a second. Not only does that mean weak passwords are easily compromised; it also ties up your equipment validating and rejecting all the wrong guesses. The most common defenses against brute force attacks are to rate-limit password attempts and keep an eye on security logs. One common way of automatically tying the two together is log monitoring/banning software such as fail2ban. Do your system administrators know what to look for in the logs to catch hackers? Do they have time to sort through all the logs every day? Do you have automatic locking/unlocking of accounts, IP addresses, etc.? What is your password strength policy, and is it good enough?
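The rate limiting and log-banning approach described above, as an added example that is not part of the original post and not fail2ban's own code: a small Python monitor that replays constructed sshd-style log lines and applies fail2ban-style maxretry/findtime/bantime rules, including the automatic unlock once the ban expires. The log lines, the IP addresses and the thresholds are all assumptions made up for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd-style auth log lines (sample data, not a real capture).
SAMPLE_LOG = """\
Jun  7 10:00:01 vpn sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 4001 ssh2
Jun  7 10:00:03 vpn sshd[2002]: Failed password for root from 203.0.113.5 port 4002 ssh2
Jun  7 10:00:05 vpn sshd[2003]: Failed password for alice from 198.51.100.7 port 5001 ssh2
Jun  7 10:00:06 vpn sshd[2004]: Failed password for root from 203.0.113.5 port 4003 ssh2
Jun  7 10:00:08 vpn sshd[2005]: Failed password for root from 203.0.113.5 port 4004 ssh2
Jun  7 10:00:09 vpn sshd[2006]: Failed password for root from 203.0.113.5 port 4005 ssh2
Jun  7 10:00:20 vpn sshd[2007]: Accepted password for alice from 198.51.100.7 port 5002 ssh2
Jun  7 10:11:00 vpn sshd[2008]: Failed password for root from 203.0.113.5 port 4006 ssh2
"""
FAILED_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                       r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) ")

def to_seconds(ts):  # syslog stamps carry no year; only differences between them matter
    return (datetime.strptime(ts, "%b %d %H:%M:%S") - datetime(1900, 1, 1)).total_seconds()

class BruteForceMonitor:
    """Per-IP sliding window of failures, modelled on fail2ban's maxretry/findtime/bantime."""
    def __init__(self, maxretry=5, findtime=600, bantime=3600):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.bans = {}                      # ip -> time at which the ban expires

    def observe(self, ip, now):  # one failed login seen; returns "banned", "dropped" or None
        if ip in self.bans and now < self.bans[ip]:
            return "dropped"                # still inside bantime: block without re-counting
        self.bans.pop(ip, None)             # automatic unlock once bantime has elapsed
        window = self.failures[ip]
        window.append(now)
        while now - window[0] > self.findtime:
            window.popleft()                # forget failures older than findtime
        if len(window) >= self.maxretry:
            self.bans[ip] = now + self.bantime
            window.clear()
            return "banned"
        return None

def process_log(text, **settings):
    """Replay failed-login lines through the monitor; return (actions, monitor)."""
    monitor, actions = BruteForceMonitor(**settings), []
    for m in filter(None, map(FAILED_RE.match, text.splitlines())):
        action = monitor.observe(m["ip"], to_seconds(m["ts"]))
        if action:
            actions.append((m["ip"], action))
    return actions, monitor
```

Running `process_log(SAMPLE_LOG)` bans 203.0.113.5 on its fifth failure within ten minutes and drops its later attempt, while the single failure from 198.51.100.7 is never acted on.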
Even when communication is properly secured and strong passwords enforced, if hackers can install malware on your computer, they can steal your password. Are all of the devices used to connect to your network protected from malware? Do your users know how to spot and defeat a phishing attack? (Some studies show 90% of users don’t.) This is the kind of attack two-factor authentication such as RSA SecurID is designed to address. Even if a hacker somehow steals your username and password, they can’t log in without the value generated by the RSA token. As long as the seed value is known only to RSA and the server, it should be nearly impossible for a hacker to guess the next value. Those seeds are what were stolen from RSA in March, allowing a hacker to compromise the account of a Lockheed Martin employee who fell for a phishing attack.
Where does this leave you? Are you secure? If you use RSA SecurID tokens, have they lost all value, or are they only vulnerable to what RSA is calling an Advanced Persistent Threat (APT)? While this hack has serious ramifications, and does significantly compromise the security of companies that have implemented SecurID, it does not obliterate a well-designed security system, which should be implemented as “security in depth”, where a single failure does not cause a catastrophic breach. As a general guideline, we recommend that:
- All authentication sessions are encrypted.
- Authentication rate limiting is in place.
- Authentication logs are reviewed daily.
- Automatic locking/unlocking is implemented.
- Strong passwords are used.
- Up-to-date antivirus is used.
- Anti-phishing training is employed.
Have you done enough? If you aren’t sure, or if you need help improving your security, call our team of seasoned security professionals. We have worked on many Top Secret (and above) government and private projects, and can help you devise and implement a coherent, integrated security framework.