Comment: RSA SecurID Breach – Where Do We Go From Here?

Lieberman on the SecurID breach: "The shoemaker’s children did go barefoot at RSA"
Lieberman on the SecurID breach: "The shoemaker’s children did go barefoot at RSA"

The ripples of the recent RSA SecurID compromise event go far and wide and can cause us to question some of the fundamental beliefs we have in vendors and their business models. The SecurID product has been a trusted security element of both commercial and government agencies for many decades now.

The agreement between vendor and customer was that the SecurID token system was secure, the token seed files were being responsibly managed by RSA, and that customers could put their faith in the belief that each token was unique and a trusted source of authentication information.

By putting all of the data in a single database and making it accessible to wide range of people, RSA reduced its costs, but it also opened up the possibility of a total loss of the seed information in a single event. The lesson learned is that you should not put all of your sensitive information in a single database and make it widely available. In practice, it would be best to break up the database into different compartmentalized databases and provide restrictions against the export of more than a small area of the database without explicit human approval.

Large-scale loses can be mitigated using data loss prevention software (known as DLP). In the case of RSA, there is an extraordinary irony to the fact that RSA sells an award-winning DLP software product specifically designed to minimize the type of loss they incurred. It is unfathomable and unconscionable that a company that makes DLP products would not use its own products to protect its most valuable asset: the seed files of SecurID. The shoemaker’s children did go barefoot at RSA.

It was recently announced that RSA has just appointed its first chief security officer (CSO). It is me, or does it seem strange that a security company of the size and reputation of RSA did not already employ a CSO? On the other hand, Sony also appointed their first CSO not long after its network was compromised. It is reasonable to assume that both RSA and Sony underwent regular IT audits, but without a CSO to report to, how did the executive team evaluate the audit results and how could they make an informed decision as to risk/reward for their existing IT operations?

Many commercial and government organizations have standardized on SecurID tokens without any knowledge of how RSA was managing the seed files that controlled their tokens. The assumption was that the tokens and their personal information were being securely managed. Further, many customers probably assumed that the information for tokens was segmented, compartmentalized so that their token information was not intermixed with that of other organizations.

As we have come to learn, all of the seed and token information was kept in a gigantic database available for hackers to retrieve. This means that everyone on the planet, no matter whether they are commercial or government users, are now potentially compromised, and the uniqueness aspect of a token can be compromised simply by intercepting the entered token codes and matching them to the patterns generated by the compromised seeds.

The lesson learned here is that organizations should not trust the seed management of any vendor providing tokens. Organizations should generate and secure their own seeds as well as have the ability to program their own tokens when they wish and where they wish. This compromise points out the fallacy of trusting a vendor such as RSA to properly manage tokens on the behalf of their customers. To this end, I recommend the use of open token standards such as OATH and the use of reprogrammable tokens.

The lessons learned from the RSA breach and its management of its SecurID product are numerous. At the heart of the matter we have a company that had the cash cow of all cash cows: generating random number seeds and getting paid handsomely for technology that is available nearly for free by others. All RSA needed to do to keep things moving was to keep their seed files secure and make sure that only the right customers had access to the data.

The bottom line lesson is that failure to properly invest in security can result in the destruction of reputation, damage to your customers, and potentially the destruction of your business. For those that believe that security is an optional expense of limited value and believe that the only objective is profitability, I point to the case of RSA SecurID and their 40 million compromised tokens. As the saying goes: penny wise and pound foolish.

Philip Lieberman, the founder and president of Lieberman Software, has more than 30 years of experience in the software industry. In addition to his proficiency as a software engineer, Lieberman is an astute entrepreneur able to perceive shortcomings in existing products on the market, and fill those gaps with innovative solutions. He developed the first products for the privileged identity management space, and continues to introduce new solutions to resolve the security threat of privileged account credentials. Lieberman has published numerous books and articles on computer science, has taught at UCLA, and has authored many computer science courses for Learning Tree International. He has a BA from San Francisco State University.

What’s hot on Infosecurity Magazine?