Replacing RSA SecurID Tokens Not So Simple

There are plenty of in-house logistics -- and no guarantees that the new tokens won't be eventually compromised, security experts say

Should all RSA SecurID customers take the company up on its new offer to swap out their authentication tokens as a precaution?

Not so fast, security experts warn. While RSA says it will provide replacements for SecurID tokens to allay security concerns in the wake of its breach and the subsequent related breach at Defense contractor Lockheed Martin, the move might be only a temporary fix if the attackers who compromised RSA's SecurID servers indeed got the seed files. And replacing tokens takes more than a hardware-swap: There are logistics, such as enrollment and getting the help desk involved, and the tokens then must be redeployed with Active Directory so that the back-end VPN system recognizes it, for example.

But some RSA customers say they still don't have enough information from RSA to determine whether they are actually at risk. RSA still hasn't come clean with all of the details on what the bad guys stole. If the seeds were compromised, for instance, then SecurID customers who replace their tokens might have to do so again at another time.

"Customers need to ask RSA why new tokens matter. Does getting a new token mean I'm more secure? That's the question that needs to be asked," says Marcus Carey, a security researcher with Rapid7. "Companies need to know that this isn't a 'token' gesture."

RSA late yesterday confirmed that a breach last month at its customer Lockheed Martin was tied to an attack in March on its own systems. RSA chairman Art Coviello said in a blog post that on June 2 his firm determined that SecurID data stolen from RSA "used as an element of an attempted broader attack on Lockheed Martin."

Coviello said the attack on Lockheed appears to be part of a targeted attack on Defense contractors, that it doesn't "reflect a new threat or vulnerability in RSA SecurID technology," and that the remediation steps it had recommended for customers would "help to deliver the highest levels of customer protection."

Security experts say Coviello's latest post appears to confirm that some of the SecurID seeds were compromised in the attack against RSA. "There's no mention of why it's not going to happen again or what has been done to make the seeds more secure," says Max Caceres, a security expert. "It's unclear what you are getting out of taking [on] that cost [of replacing tokens]," he says.

Token replacements aren't for every organization, he says. "Every company is different. They should be cautious about how they go about doing that. They need to talk a little more with RSA to understand what has changed now if they do the replacements, and get more assurances around what the security benefits by replacing tokens," Caceres says.

"It's unclear if six months down the road you'll have to replace them again," he says.

Marcus Ranum, CTO at Tenable Security, says that if you're not a big Defense contractor, then you probably don't need to get new SecurID tokens. A bigger problem is protecting your firm from social-engineering attacks to grab user credentials, he says. "You need to make sure your IT staff is particularly careful about social engineering," he says.

Even so, RSA's offer to replace the tokens is good timing for a "refresh" for customers' keyfobs, he says. "That will reset the clock for another five years," he says.

Other experts say replacing the tokens is better than doing nothing now that the cat is out of the bag. "There's a good chance you lost the reason you moved to two-factor authentication in the first place. You could now be left with one-factor," says Tsion Gonen, corporate vice president of products and marketing at SafeNet. "Our view is you have to do something about it … otherwise, you're back to [just] a username and password."

Gonen suggests that at a minimum, RSA customers should have replaced their tokens and changed passwords months ago when RSA admitted it had been hacked. Still, it's no surprise that Lockheed Martin and others did not. "People are change-averse," Gonen says.

And there's always risk associated with relying on an outsourced seed model, like RSA's for SecurID. SafeNet's Gonen says this refresh is also a chance to take seeds in-house. "Make sure you program the token yourself," says Gonen, whose firm offers such a product.

Maybe RSA will offer the option for users to "own" the seeds themselves and program their own tokens at some point as well, he says.

Meanwhile, RSA's Coviello did say in his post that the company will add extra factors for strong authentication to SecurID. "We will continue to invest heavily in both our SecurID and our risk-based authentication technologies. We will provide additional factors for strong authentication. We will integrate these solutions with our cybercrime intelligence to better identify suspicious behavior targeted at networks, transactions and user sessions," he wrote.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights