
T-582: Attack on RSA systems has resulted in certain information being extracted that relates to RSA SecurID

March 17, 2011 - 11:45pm


PROBLEM:

Recently EMC's security systems identified an extremely sophisticated cyber attack in progress, targeting its RSA business unit. RSA took a variety of aggressive measures against the threat to protect its business and its customers, including further hardening of its IT infrastructure.

PLATFORM:

RSA SecurID implementations

ABSTRACT:

RSA's investigation has revealed that the attack resulted in certain information being extracted from RSA's systems. Some of that information is related to RSA's SecurID two-factor authentication products.

REFERENCE LINKS:

Open Letter to RSA Customers
CVE-2011-0322
Security Focus Alert: ESA-2011-009
SEC Filing Reference Link

IMPACT ASSESSMENT:

High

Discussion:

RSA has determined that a recent attack on RSA's systems has resulted in certain information being extracted from RSA's systems that relates to RSA's SecurID two-factor authentication products. While at this time RSA is confident that the information extracted does not enable a successful direct attack on any of its RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack. RSA urges immediate action.

Impact:

Recently EMC's security systems identified an extremely sophisticated cyber attack in progress, targeting its RSA business unit. EMC's security team took a variety of aggressive measures against the threat to protect its business and its customers, including further hardening of its IT infrastructure. RSA also immediately began an extensive investigation of the attack and is working closely with the appropriate authorities.

RSA's investigation has revealed that the attack resulted in certain information being extracted from RSA's systems. Some of that information is related to RSA's SecurID two-factor authentication products. While at this time RSA is confident that the information extracted does not enable a successful direct attack on any of its RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack.

RSA strongly urges immediate customer attention to this advisory, and RSA is providing immediate remediation steps for customers to take to strengthen their RSA SecurID implementations.

Solution:

RSA strongly urges customers to follow both these overall recommendations and the recommendations available in the best practices guides linked to this note.

1. RSA recommends customers increase their focus on security for social media applications and the use of those applications and websites by anyone with access to their critical networks.
2. RSA recommends customers enforce strong password and PIN policies.
3. RSA recommends customers follow the rule of least privilege when assigning roles and responsibilities to security administrators.
4. RSA recommends customers re-educate employees on the importance of avoiding suspicious emails, and remind them not to provide user names or other credentials to anyone without verifying that person's identity and authority. Employees should not comply with email or phone-based requests for credentials and should report any such attempts.
5. RSA recommends customers pay special attention to security around their Active Directory deployments, making full use of their SIEM products and also implementing two-factor authentication to control access to Active Directory.
6. RSA recommends customers watch closely for changes in user privilege levels and access rights using security monitoring technologies such as SIEM, and consider adding more levels of manual approval for those changes.
7. RSA recommends customers harden, closely monitor, and limit remote and physical access to infrastructure that is hosting critical security software.
8. RSA recommends customers examine their help desk practices for information leakage that could help an attacker perform a social engineering attack.
9. RSA recommends customers update their security products and the operating systems hosting them with the latest patches.
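Recommendations 5 and 6 call for watching Active Directory privilege changes with a SIEM and putting manual approval in front of them. The following is an added example, not part of this advisory or of any RSA or EMC product: a small Python detector that parses constructed Windows Security event records for group-membership additions (event IDs 4728, 4732 and 4756 are the real Windows IDs for additions to global, local and universal security groups, but they are not mentioned in the advisory), restricts attention to an assumed set of privileged groups, and raises an alert for any addition that has no matching approval record or where the actor added their own account. The key=value log format, the approval list and every account and group name are constructed for the example.

```python
"""Flag privileged-group membership additions that lack a recorded manual approval."""
from dataclasses import dataclass
import re

# Windows Security event IDs for "a member was added to a security-enabled group"
# (real event IDs; they are not part of the advisory text):
# 4728 = global group, 4732 = local group, 4756 = universal group.
MEMBER_ADDED_EVENTS = {4728, 4732, 4756}

# Groups whose membership grants broad privilege. This set is an assumption
# for the example; a real deployment would enumerate its own tiered groups.
PRIVILEGED_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Schema Admins",
    "Administrators", "Account Operators",
}

# Constructed log lines in a simplified key=value export (not a real SIEM format).
SAMPLE_LOG = """\
2011-03-17T22:10:03Z EventID=4728 Subject=CORP\\jdoe Member=CORP\\svc-backup Group="Domain Admins"
2011-03-17T22:11:45Z EventID=4732 Subject=CORP\\helpdesk1 Member=CORP\\asmith Group="Remote Desktop Users"
2011-03-17T22:15:20Z EventID=4756 Subject=CORP\\jdoe Member=CORP\\tmp-admin Group="Enterprise Admins"
2011-03-17T22:20:00Z EventID=4624 Subject=CORP\\asmith LogonType=10
2011-03-17T22:31:09Z EventID=4732 Subject=CORP\\ops2 Member=CORP\\ops2 Group="Administrators"
"""

# Constructed approval records: (member, group) pairs a change ticket authorised.
APPROVED_CHANGES = {("CORP\\svc-backup", "Domain Admins")}

LINE_RE = re.compile(
    r'^(?P<ts>\S+) EventID=(?P<eid>\d+) Subject=(?P<subject>\S+)'
    r'(?: Member=(?P<member>\S+))?(?: Group="(?P<group>[^"]+)")?'
)


@dataclass(frozen=True)
class GroupChange:
    timestamp: str
    event_id: int
    actor: str    # the account that performed the change (Subject)
    member: str   # the account that was added
    group: str


def parse_group_changes(log_text):
    """Return group-membership additions found in the log, skipping unrelated events."""
    changes = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        eid = int(m.group("eid"))
        if eid not in MEMBER_ADDED_EVENTS or not m.group("member") or not m.group("group"):
            continue
        changes.append(GroupChange(m.group("ts"), eid, m.group("subject"),
                                   m.group("member"), m.group("group")))
    return changes


def find_unapproved_privileged_changes(changes, approved, privileged_groups=PRIVILEGED_GROUPS):
    """Return (change, reason) pairs for privileged-group additions that should be reviewed.

    An addition is reported when no approval record covers it, and self-elevation
    (actor adds their own account) is always reported, approval or not.
    """
    alerts = []
    for c in changes:
        if c.group not in privileged_groups:
            continue
        if c.actor == c.member:
            alerts.append((c, "self-elevation"))
        elif (c.member, c.group) not in approved:
            alerts.append((c, "no approval record"))
    return alerts


if __name__ == "__main__":
    for change, reason in find_unapproved_privileged_changes(
            parse_group_changes(SAMPLE_LOG), APPROVED_CHANGES):
        print(f"ALERT [{reason}] {change.timestamp} {change.actor} added "
              f"{change.member} to {change.group!r} (EventID {change.event_id})")
```

On the constructed input the detector stays quiet about the approved Domain Admins change and the non-privileged Remote Desktop Users change, and reports two events: the unapproved addition to Enterprise Admins and the operator who added their own account to Administrators. Feeding it real 4728/4732/4756 exports would require adapting only `LINE_RE` to the SIEM's field layout.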

RSA Worldwide Customer Support