Gauging The Long-Term Effects Of RSA's Breach

Worries about future attacks still linger, but experts hope the event shook the industry out of its black-and-white security mentality
For some experts, given the number of customers with compromised SecurID tokens who have not swapped them out, as well as the rising prominence of advanced persistent threats (APTs), it's only a matter of time before other attacks strike RSA customers.

"This year has been the worst year for security breaches. The APTs are becoming more of the norm for these hacks, instead of the exception," says Chris Harget, senior product marketing manager at ActivIdentity, part of HID Global. "The traditional OTP approach only provides a single layer of protection at the perimeter, which APTs can get around. To secure your environment against these hacks, customers need to look at a multilayered approach, protecting at different points within the network."

But others like Lieberman say the actual risk might be low for most RSA customers, and that the ones most likely to be attacked using breached SecurID information -- defense contractors and government agencies -- have likely already replaced their old tokens with the free, new ones RSA has offered up to affected customers.

"The threat is not as great as it appears to be because in order to exploit this, you need all of the seeds, and you also need to have enough infected machines to intercept the log-ins to carry out an attack. There's a giant ocean of seeds out there, and being able to determine what the next token code is going to be and the ability to identify a specific token is very hard to do," Lieberman says.

"The mathematics behind it is you literally have to have something in their system and be able to see at minimum two to three tokens in sequence -- that is, have something like Zeus or another package infecting the machine and being able to pick up at least two or three, probably even more token log-ins with RSA, and be able to correlate the sequence to a specific seed so that you could predict what the next token code is going to be. That's very hard to do, and that's a very high level threat."

As Lieberman puts it, unless you're in the government arena or the tokens are protecting IP of extraordinary value, the likelihood of an attack is probably not that high. If you're part of the former group, then, yes, replacing the tokens and getting new files should be a first order of business.

Some security pundits hope that organizations are taking stock of their infrastructure post-RSA breach and using the scare as a catalyst for positive change. According to Scott Crawford, analyst for Enterprise Management Associates, one of the best long-term effects of the breach could be that it will be a way to shake the industry out of a black-and-white mentality.

"Much of the concern has to do with this lingering tendency to see security in black-and-white terms: We are either secure, or we're not," he says. "The tendency to see security in black-and-white terms may also tend towards 'betting the farm' thinking, where one defense tactic or another is seen as critical. In fact, multifactor authentication is intended to strengthen defense against the compromise of more simplistic approaches by introducing additional factors into authentication. Today, we see the rise of more 'risk-based' authentication, which takes a number of other factors into consideration, such as user behavior or access anomalies. This is what the FFIEC had in mind when it referenced a 'layered' approach in its updated guidance on authentication in online banking issued this past summer. This trend parallels the increased complexity of the threat landscape."