RSA revealed in an open letter posted to its website that it has been the target of an attack, and that the attackers stole data that could potentially compromise its SecurID tokens. The attack against the RSA network is an example of a new breed of security threat that aims to stay under the radar longer and go after bigger payoffs.
RSA describes the attack as an advanced persistent threat (APT). Tim 'TK' Keanini, CTO of nCircle, commented that APTs represent a significant change in the security landscape. An APT attack involves patient, skilled, well-funded attackers going after the really big prize.
Keanini warns, "This particular attack could be really lucrative for mercenaries. Being able to go to the black market and sell the capability to break the SecurID infrastructure will be worth a lot of money for a reasonably big time window."
Two-factor authentication is a preferred method of providing stronger security than is provided by a username and password alone. One of the most common methods of two-factor authentication is to use a key fob or token which provides a randomized code you must enter in addition to the username and password in order to authenticate and gain access to the site or application.
RSA is a leading provider of two-factor authentication solutions, and its key fobs and tokens are virtually ubiquitous. With millions of customers relying on RSA to provide additional security and protect accounts from unauthorized access, it is troubling that malicious hackers may now possess the keys to circumvent that protection.
In the open letter, Art Coviello expresses cautious optimism that there is no immediate threat, but warns customers to take action in other areas to strengthen security should there be a compromise of the SecurID tokens. "While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack."
nCircle's Keanini also speculates that there may be other motivations for the disclosure from RSA. "You also have to wonder if this was disclosed because there might be an HBGary-like disclosure lurking in the background. It happened a while back and it is possible that RSA had to disclose this before it was disclosed for them."
Regardless of the reason for the RSA disclosure, or its timing, the RSA hack demonstrates why APTs are a growing security concern. Attackers with the skill to bypass network security controls, and the patience to do so over time to avoid overtly suspicious activity that might lead to detection, can eventually achieve major network breaches and data compromise.