It took nearly three months and a major security incident at
one of the nation’s most critical defense contractors to spur it on, but on
Monday RSA, The Security Division of EMC, finally let the cat out of the bag
about the severity of a March security breach against its SecurID
authentication token infrastructure. The
prognosis is bad, with RSA reporting that it will replace the tokens of nearly
all 40 million users scattered across its customer base.
"We remain highly confident in the RSA SecurID product
as the leading multi-factor authentication solution and we also feel strongly
that the specific remediations we have provided to customers will help to
deliver the highest levels of customer protection," wrote RSA CEO Art
Coviello. "However, we recognize that the increasing frequency and
sophistication of cyber attacks generally, and the recent announcements by
Lockheed Martin, may reduce some customers’ overall risk tolerance. As a
result, we are expanding our security remediation program to reinforce
customers’ trust in RSA SecurID tokens and in their overall security
The letter from Coviello comes directly on the heels of
Lockheed Martin confirming to the media on Friday that the RSA tokens were at
play in a late-May attack against it. The defense firm also released a
statement today on the matter.
"Based on our early actions to replace all RSA SecurID
tokens and add new layers of security to our remote access processes, we remain
confident in the integrity of our robust, multi-layered information systems
security," the company said.
In addition to RSA, several other high-profile defense
contractors have reportedly also been targeted in recent attacks. One anonymous
source told FoxNews.com that Northrop Grumman was hit by an RSA token-related
attack, and an internal emailed memo from contractor L3 Communications that was
disclosed by Wired magazine showed that it too was affected.
Though neither company has confirmed details about its
ordeal, the incidents seem to fit the mold of attacks in the wake of the RSA breach.
"Certain characteristics of the attack on RSA indicated
that the perpetrator’s most likely motive was to obtain an element of security
information that could be used to target defense secrets and related IP, rather
than financial gain, PII, or public embarrassment," Coviello wrote in his
letter. "For this reason, we worked with government agencies and companies
in the defense sector to replace their tokens on an accelerated timetable as an
additional precautionary measure. We will continue these efforts."
Even with all of the signs pointing to it, RSA still didn’t
go so far as to describe what exactly was stolen in the March breach. But the
attacks against Lockheed and other DoD partners along with the recall program
going forward seem to justify many security experts’ speculation that the token
seeds were compromised. Token seeds are the algorithmic keys that enable
SecurID tokens to spit out an authentication code at certain intervals. Every
token comes from a different seed, which cannot be changed and essentially is
the lynchpin of the token’s security.
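
Why a copied seed matters, and why replacing tokens is the remediation, as an added example that is not from the article or from RSA: SecurID's algorithm is proprietary, so the open RFC 6238 TOTP scheme stands in for it here, and the 30-second step, function names and seed values are assumptions.

```python
# Added illustration: RFC 6238 TOTP stands in for SecurID's proprietary algorithm.
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # assumed interval; the article only says "certain intervals"


def token_code(seed: bytes, unix_time: int, digits: int = 6) -> str:
    """Derive the code a token shows for the time step containing unix_time."""
    counter = struct.pack(">Q", unix_time // STEP_SECONDS)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, as defined in RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def server_accepts(seed_on_record: bytes, submitted: str, unix_time: int) -> bool:
    """Server-side check: recompute from the stored seed and compare."""
    expected = token_code(seed_on_record, unix_time, len(submitted))
    return hmac.compare_digest(expected, submitted)


def demo() -> dict:
    issued_seed = b"12345678901234567890"  # constructed sample (RFC 6238 test key)
    copied_seed = bytes(issued_seed)       # same bytes held outside the token
    reissued_seed = b"constructed-replacement-seed"  # constructed sample
    now = 59
    # The code depends only on seed and time, so a copy yields the same digits.
    code_from_copy = token_code(copied_seed, now, 8)
    return {
        "code_from_copy": code_from_copy,
        # While the old seed is on record, the copy's code verifies.
        "before_replacement": server_accepts(issued_seed, code_from_copy, now),
        # Once the server record points at a new seed, the copy is useless.
        "after_replacement": server_accepts(reissued_seed, code_from_copy, now),
    }


if __name__ == "__main__":
    print(demo())
```

Because the seed is fixed inside the token, the only way to invalidate a copy is to issue a new token with a new seed and update the server record, which is what the replacement program does.
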
It is still unclear how exactly RSA plans to execute
its remediation efforts for customers, but Coviello says that the plan stands
on two offers from the company. One is an offer to replace tokens for customers
"focused on protecting intellectual property and corporate networks"
and the other is an offer to implement risk-based authentication strategies
"for consumer-focused customers with a large, dispersed user base,
typically focused on protecting web-based financial transactions."
The role that channel partners will play in making this
happen remains unclear, though given the scope of SecurID rehab efforts and the
role of the channel in helping carry out so many of these authentication
deployments, partners will indeed be integral to the effort.