Incident Response

DHS Responds to RSA SecurID Breach
RSA Says Hackers Take Aim At Its SecurID Products
The Department of Homeland Security is working with RSA in investigating what the IT security vendor characterized as an extremely sophisticated attack aimed at its SecurID two-factor authentication products.

DHS spokeswoman Amy Kudwa said in a statement issued late Friday afternoon that the department is working with RSA by leveraging the technical, investigative and mitigation expertise of federal agencies to address the assault. "We take threats to our cyber infrastructure as seriously as we take threats to our conventional, physical infrastructure," she said.

Kudwa said federal agencies and departments have been informed of the vulnerability and provided with mitigation measures, in coordination with RSA, adding that DHS also is distributing similar information to its critical infrastructure partners. Kudwa did not provide details on the mitigation measures.

Inquiries to the office of White House Cybersecurity Coordinator Howard Schmidt, the Pentagon and the National Security Agency all were referred to DHS. RSA did not respond to a request Friday for an interview.

RSA Executive Chairman Art Coviello, in a posting on the RSA website Thursday, said a company investigation led officials to believe the attack is in the category of an advanced persistent threat. An APT refers to sophisticated and clandestine means to gain continual, persistent intelligence on a group such as a nation or corporation.

In a letter posted on the RSA website on Thursday, Coviello promised qualified transparency in addressing this problem. "As appropriate," he said, "we will share our experiences from these attacks with our customers, partners and the rest of the security vendor ecosystem and work in concert with these organizations to develop means to better protect all of us from these growing and ever more sophisticated forms of cybersecurity threat."

Nevada's state chief information security officer said he found Coviello's comment reassuring. "They did the right thing," CISO Christopher Ipsen said. "As a result, I am more comfortable than I would have been had I heard about the APT from some other source."

Ipsen, an RSA certified administrator, said he looks forward to working in concert with RSA to address challenges facing SecurID.

To help customers, RSA issued nine recommendations it says should strengthen SecurID implementations (see RSA's 9 Recommendations to SecurID Customers).

SecurID consists of a token, either hardware or software, that generates an authentication code at fixed intervals - about once a minute, for instance - using a built-in clock and an encoded random key known as a seed. The seed is different for each token, and is loaded into the corresponding RSA SecurID server as the tokens are acquired (see RSA SecurID: A Primer).
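The token-and-server arrangement described above, as an added illustration that is not from the original article or from RSA: SecurID's own code-derivation algorithm is not given on this page, so the sketch substitutes the public HMAC construction from RFC 4226 over a 60-second interval. The `AuthServer` class, the token serial lookup and the one-interval clock-drift window are assumptions.

```python
import hashlib
import hmac
import struct

INTERVAL = 60  # seconds per code, matching "about once a minute" above


def code_at(seed: bytes, unix_time: int, digits: int = 6) -> str:
    """Code for the interval containing unix_time.

    Stand-in derivation (HMAC-SHA1 with RFC 4226 truncation), not SecurID's.
    """
    counter = unix_time // INTERVAL
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class AuthServer:
    """Hypothetical server: one seed per token serial, loaded at enrollment."""

    def __init__(self, drift_intervals: int = 1):
        self.seeds = {}
        self.last_counter = {}  # highest interval accepted per token
        self.drift = drift_intervals

    def enroll(self, serial: str, seed: bytes) -> None:
        self.seeds[serial] = seed

    def verify(self, serial: str, code: str, now: int) -> bool:
        seed = self.seeds.get(serial)
        if seed is None:
            return False
        current = now // INTERVAL
        first = max(0, current - self.drift)
        # Accept codes from neighbouring intervals to tolerate clock drift.
        for counter in range(first, current + self.drift + 1):
            if counter <= self.last_counter.get(serial, -1):
                continue  # this interval or an earlier one was already used
            expected = code_at(seed, counter * INTERVAL)
            if hmac.compare_digest(expected, code):
                self.last_counter[serial] = counter
                return True
        return False
```

The server never receives the seed during a login; it recomputes the code from its own copy, so the scheme's strength rests on the seed staying known only to the token and the server.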

Coviello said RSA's investigation revealed that the attack resulted in information being extracted from the company's IT systems. "While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack," Coviello said. "We are very actively communicating this situation to RSA customers and providing immediate steps for them to take to strengthen their SecurID implementations."

Coviello said RSA has no evidence that customer security related to other RSA products has been similarly affected. "We do not believe that either customer or employee personally identifiable information was compromised as a result of this incident," he said, adding that RSA will give its SecurID customers the tools, processes and support required to strengthen the security of their IT systems in the face of this incident.

The attack came one day after the top cybersecurity executive at the Department of Homeland Security told Congress that government and private-sector IT systems are at risk from such attacks (see Experts Question Infosec Readiness). "Sensitive information is routinely stolen from both government and private sector networks," Philip Reitinger, DHS deputy undersecretary for national protection and programs, told the House Homeland Security Committee. "We currently cannot be certain that our information infrastructure will remain accessible and reliable during a time of crisis."

Revelation of the hack brought a quick response from a leading proponent of IT security legislation in Congress. "The cyberattack revealed by RSA today underscores the serious and sophisticated cyberthreat we face," said Sen. Susan Collins, the Maine Republican who serves as ranking member of the Homeland Security and Governmental Affairs Committee. "The threat of a catastrophic cyber attack is real. Attacks are happening now."

Collins said the attack demonstrates the need for Congress to act to change the way the federal government works with the private sector to safeguard IT. The senator is a cosponsor, with committee Chairman Joseph Lieberman, ID-Conn., and Thomas Carper, D-Del., of legislation to reshape the way the federal government protects government and key private-sector IT systems (see Senate Bill Eyes Cybersecurity Reform). "The need to pass comprehensive cyber security legislation is more urgent than ever," Collins said.

Backers of the Cybersecurity and Internet Freedom Act of 2011 contend the legislation would improve collaboration between the government and business in addressing vulnerabilities such as advanced persistent threats.


About the Author

Eric Chabrow

Executive Editor, GovInfoSecurity & InfoRiskToday

Chabrow, who oversees ISMG's GovInfoSecurity and InfoRiskToday, is a veteran multimedia journalist who has covered information technology, government and business. He's the former top editor at the award-winning business journal CIO Insight and a long-time editor and writer at InformationWeek.



