DHS Responds to RSA SecurID Breach

RSA Says Hackers Take Aim At Its SecurID Products

By , March 18, 2011.
DHS Responds to RSA SecurID Breach

T

See Also: Advances in Application Security: Run-time Application Self Protection

he Department of Homeland Security is working with RSA in investigating what the IT security vendor characterized as an extremely sophisticated attack aimed at its SecurID two-factor authentication products.

DHS spokeswoman Amy Kudwa said in a statement issued late Friday afternoon that the department is working with RSA by leveraging the technical, investigative and mitigation expertise of federal agencies to address the assault. "We take threats to our cyber infrastructure as seriously as we take threats to our conventional, physical infrastructure," she said.

Kudwa said federal agencies and departments have been informed of the vulnerability and provided with mitigation measures, in coordination with RSA, adding that DHS also is distributing similar information to its critical infrastructure partners. Kudwa did not provide details on the mitigation measures.

Inquires to the office of White House Cybersecurity Coordinator Howard Schmidt, the Pentagon and the National Security Agency all were referred to DHS. RSA did not respond to a request Friday for an interview.

RSA Executive Chairman Art Coviello, in a posting on the RSA website Thursday, said a company investigation led officials to believe the attack is in the category of an advanced persistent threat. An APT refers to sophisticated and clandestine means to gain continual, persistent intelligence on a group such as a nation or corporation.

In a letter posted on the RSA website on Thursday, Coviello promised qualified transparency in addressing this problem. "As appropriate," he said, "we will share our experiences from these attacks with our customers, partners and the rest of the security vendor ecosystem and work in concert with these organizations to develop means to better protect all of us from these growing and ever more sophisticated forms of cybersecurity threat."

Nevada's state chief information security officer said he found Coviello's comment reassuring. "They did the right thing," CISO Christopher Ipsen said. "As a result, I am more comfortable than I would have been had I heard about the APT from some other source."

Ipsen, an RSA certified administrator, said he looks forward to working in concert with RSA to address challenges facing SecurID.

To help customers, RSA issued nine recommendations it says should strengthen SecurID implemantions (see RSA's 9 Recommendations to SecurID Customers).

SecurID consists of a token, either hardware or software, that generates an authentication code at fixed intervals - about once a minute, for instance - using a built-in clock and an encoded random key known as a seed. The seed is different for each token, and is loaded into the corresponding RSA SecurID server as the tokens are acquired. (see RSA SecurID: A Primer).

Coviello said RSA's investigation revealed that the attack resulted in information being extracted from the company's IT systems. "While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack," Coviello said. "We are very actively communicating this situation to RSA customers and providing immediate steps for them to take to strengthen their SecurID implementations."

Coviello said RSA has no evidence that customer security related to other RSA products has been similarly affected. "We do not believe that either customer or employee personally identifiable information was compromised as a result of this incident," he said, adding that RSA will give its SecurID customers the tools, processes and support required to strengthen the security of their IT systems in the face of this incident.

The attack came one day after the top cybersecurity executive at the Department of Homeland Security told Congress that government and private-sector IT systems are at risk from such attacks (see Experts Question Infosec Readiness). "Sensitive information is routinely stolen from both government and private sector networks," Philip Reitinger, DHS deputy undersecretary for national protection and programs told the House Homeland Security Committee. "We currently cannot be certain that our information infrastructure will remain accessible and reliable during a time of crisis."

Follow Eric Chabrow on Twitter: @GovInfoSecurity

  • Print
  • Tweet Like LinkedIn share
Get permission to license our content for reuse in a myriad of ways.
ARTICLE $10 Million Fine in Improper Disposal Case

The grocery store chain Safeway has been ordered to pay a penalty of almost $10 million as part of...

Latest Tweets and Mentions

ARTICLE $10 Million Fine in Improper Disposal Case

The grocery store chain Safeway has been ordered to pay a penalty of almost $10 million as part of...

The ISMG Network