Mitigation Practices to Counter the Recent RSA Two-Factor Authentication Breach

Posted by Don Gray on Fri, Mar 25, 2011 @ 08:00 AM

RSA announced on Thursday, March 17, 2011 what it has called a possible APT (Advanced Persistent Threat; see our whitepaper on the topic) that may have revealed certain information concerning its SecurID products. Because of this, Solutionary recommends that organizations take the following steps:

• Don’t panic!

  • The extent of the breach is not known at this point; however, there is nothing to suggest that SecurID has been compromised.
  • Oftentimes, quick fixes have great consequences.

• Educate users and management about what happened. Emphasize:

  • Likely social engineering activity, malicious in nature, attempting to leverage the confusion and hype related to the RSA breach
  • Likely phishing techniques to “reset” or “validate” SecurID tokens
  • Messages which appear to originate from “an” RSA account
  • Anyone requesting users to download additional software, or to click a link embedded within the message
  • Communicate how, and to whom, to report suspicious activities, events and/or issues
  • Provide guidance and contact information for your security group

• ACE / SecurID Review:

  • Inventory all SecurID tokens. Ensure that unused or unaccounted-for tokens are disabled within the ACE servers.
  • Revoke tokens from all roles and users that held SecurID tokens in the past and no longer require them for their job duties.
  • Strongly consider reducing the number of incorrect PIN + TOKENCODE logins you allow before locking out an account. By default this is set to 10 in the ACE Servers. We recommend four as a safe but minimal number that substantially heightens security while being minimally disruptive to the user base.

• ACE Server Updates / Monitoring

  • Ensure that your ACE servers are up to date with all service packs and patches.
  • Monitor, and limit, remote and physical access to infrastructure that is hosting critical security software.
  • Monitor repeat authentication failures and establish a threshold / timeframe for successful authentication (i.e. John Smith successfully established login/access X number of times within X number of minutes) on the ACE server and on peripheral systems (appliances). Watch in particular for:
    ♣ Modifications, anomalous activity/events and/or changes related to the origin/source of authentication attempts
    ♣ Multiple concurrent logins for a single account
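The monitoring items above (repeat failures against a threshold, a success-count window, source changes, and concurrent logins) can be expressed as simple stateful rules over the authentication log. The following is an added example written for this post, not Solutionary's code and not the real ACE server log format: the log lines, their `timestamp EVENT user=... src=...` layout, and the event names `AUTH_FAIL`, `AUTH_OK` and `LOGOUT` are all constructed for illustration. The failure threshold of four matches the lockout count recommended earlier in this post.

```python
"""Detection rules over constructed SecurID-style authentication logs.

Added example for illustration only. The log format, event names and
sample data below are invented; they are not the ACE server's own format.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 4                    # failures per window before alerting
FAIL_WINDOW = timedelta(minutes=5)    # window for counting failures
SUCCESS_WINDOW = timedelta(minutes=10)  # window for comparing login sources

# Constructed sample log (hypothetical format): ts EVENT user=<name> src=<ip>
SAMPLE_LOG = """\
2011-03-24T09:00:05 AUTH_FAIL user=jsmith src=10.1.1.20
2011-03-24T09:00:20 AUTH_FAIL user=jsmith src=10.1.1.20
2011-03-24T09:00:41 AUTH_FAIL user=jsmith src=10.1.1.20
2011-03-24T09:01:02 AUTH_FAIL user=jsmith src=10.1.1.20
2011-03-24T09:01:30 AUTH_OK   user=jsmith src=10.1.1.20
2011-03-24T09:02:10 AUTH_OK   user=jsmith src=203.0.113.7
2011-03-24T09:03:00 AUTH_OK   user=adoe   src=10.1.1.31
2011-03-24T09:40:00 LOGOUT    user=adoe   src=10.1.1.31
2011-03-24T09:45:00 AUTH_OK   user=adoe   src=10.1.1.31
"""


def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, event, user_kv, src_kv = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
        "event": event,
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def analyze(log_text):
    """Return a list of (rule, user, timestamp) alerts for the given log text."""
    alerts = []
    fails = defaultdict(deque)      # user -> timestamps of recent failures
    successes = defaultdict(deque)  # user -> (timestamp, source) of recent successes
    sessions = defaultdict(int)     # user -> number of sessions still open

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        user, ts = ev["user"], ev["ts"]

        if ev["event"] == "AUTH_FAIL":
            q = fails[user]
            q.append(ts)
            while q and ts - q[0] > FAIL_WINDOW:   # drop failures outside the window
                q.popleft()
            if len(q) >= FAIL_THRESHOLD:
                alerts.append(("repeat_failures", user, ts))
                q.clear()                           # one alert per burst

        elif ev["event"] == "AUTH_OK":
            q = successes[user]
            q.append((ts, ev["src"]))
            while q and ts - q[0][0] > SUCCESS_WINDOW:
                q.popleft()
            # Successful logins from more than one source inside the window
            if len({src for _, src in q}) > 1:
                alerts.append(("source_change", user, ts))
            # A second success without an intervening logout = concurrent session
            sessions[user] += 1
            if sessions[user] > 1:
                alerts.append(("concurrent_login", user, ts))

        elif ev["event"] == "LOGOUT":
            sessions[user] = max(0, sessions[user] - 1)

    return alerts


if __name__ == "__main__":
    for rule, user, ts in analyze(SAMPLE_LOG):
        print(f"{ts.isoformat()} {rule:<18} user={user}")
```

Run against the sample, the rules fire three times, all for `jsmith`: a burst of four failures inside five minutes, then a successful login from a second source within ten minutes of the first, which is also counted as a concurrent session because no logout separated the two successes. The `adoe` activity produces nothing because the logout closes the first session before the second login. Real deployments would feed the same rules from the ACE server's own audit log and tune the windows and thresholds to the user population.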

• Account Monitoring

  • Establish alerting and monitoring for escalation of privileges and/or suspicious modification of permissions/privileges.
  • Ensure idle and/or orphaned accounts are disabled, removed and/or monitored for illicit activity.
  • Log, monitor and report failed login/logon attempts for all accounts.
  • Log, monitor and report unusual activity, such as numerous successful logins/logons.
  • Provide continuous updates regarding the RSA situation to users and management to ensure ongoing awareness.

• Prepare for the worst

  • Although there is currently nothing to suggest that the SecurID tokens have been compromised, it is certainly prudent to prepare for the worst.
  • Carefully consider increasing the strength of the PIN required to use SecurID. Many organizations have the required PIN set to four digits, but this can be increased to eight digits without impacting most voice systems that may be using SecurID. This may be disruptive to end-users, so please use careful consideration.
  • Explore alternative technologies to replace SecurID in your environment. Understand features, likely cost, and timeframe to implement the new solution. Communicate this ultimate worst-case scenario appropriately to management.
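The lockout count recommended under the ACE / SecurID Review and the PIN length discussed here protect the same secret, so it helps to see how they combine. The following is an added worked calculation, not part of the original post; it assumes the worst case the post asks you to prepare for, namely that the tokencode side of a login is no longer a secret and the PIN is what remains.

Let $d$ be the number of PIN digits and $k$ the number of incorrect attempts allowed before an account locks. In the worst case, each attempt is an independent guess at one of $10^d$ equally likely PINs, so the chance that a single account is opened before it locks is

$$
p = \frac{k}{10^d}.
$$

Against $N$ accounts that are all attacked before any lockout is noticed, the expected number of compromised accounts is $N p = N k / 10^d$. With the defaults in this post ($d = 4$, $k = 10$), $p = 10^{-3}$; reducing the lockout count alone to $k = 4$ gives $p = 4 \times 10^{-4}$; combining that with an eight-digit PIN ($d = 8$, $k = 4$) gives $p = 4 \times 10^{-8}$, a five-order-of-magnitude reduction from the default. While the tokencode is still a secret, every guess must also match the six-digit tokencode, so the effective space is $10^{d+6}$ and $p$ is correspondingly smaller; the calculation above is the residual risk if that protection is lost, which is why the lockout threshold and monitoring items matter now and the PIN-length change is the contingency.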

Solutionary stands ready to assist you in any way that we can. Specifically, we provide the following assistance:

• Managed Security Services:

  • Log monitoring of all security devices (including RSA ACE servers)
    ♣ Log monitoring integration with user directories
  • Privileged user monitoring for critical systems
  • Vulnerability assessment of security infrastructure (including RSA ACE servers)

• Security Consulting:

  • Assistance in developing end-user awareness training
  • Assistance in developing an incident response process and infrastructure
  • Assistance in assessing your overall security posture
  • Assistance in evaluating potential new security technologies
