Computerworld

The RSA Hack FAQ

Here are some key questions and answers about the situation

In the aftermath of RSA saying that its SecurID two-factor authentication tokens may have been compromised in a data breach of the company's network, here are some key questions and answers about the situation.

The answers in quotations come from a public letter signed by RSA's Executive Chairman Art Coviello.

What happened?

RSA's corporate network suffered what RSA describes as a successful advanced persistent threat attack, and "certain information" was stolen that can somehow affect the security of SecurID authentication.


What does that mean?

RSA clarifies by saying what the stolen information does not enable. "[T]he information extracted does not enable a successful direct attack on any of our RSA SecurID customers."

Then why is RSA making a big deal out of it, and what good is the information to the people who stole it?

Without knowing exactly what information was taken, it's hard to say, but given the apparent sensitivity of the stolen materials and the widespread use of SecurID to protect the most sensitive corporate data, the thieves can probably cash it in somehow.

Here's what RSA says: "[T]his information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack. We are very actively communicating this situation to RSA customers and providing immediate steps for them to take to strengthen their SecurID implementations."

What are those steps?

RSA recommends nine steps, which amount to following pretty basic security principles:

1. Focus on use of social media applications by anyone with access to corporate networks.

2. Enforce strong passwords and PINs.

3. Follow the rule of least privilege when assigning access rights to security administrators.

4. Tell users to avoid suspicious e-mails and not to give out user names and other credentials when they are solicited by e-mail or phone call. They should report such attempts.

5. Implement two-factor authentication to directories and use SIEM products to keep an eye on directory activity.

6. Closely watch changes in user access privileges and require more manual approvals to increase them.

7. Tighten all security surrounding critical security software.

8. Review help desk procedures with an eye toward blocking social engineering attacks.

9. Update operating systems and security products' software.
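Steps 5 and 6 amount to one concrete control: watch directory group-membership changes and insist that additions to privileged groups carry a recorded manual approval. The script below is an added illustration of that check and is not RSA's code or guidance. The log lines are constructed in a simplified key=value layout loosely modelled on Windows Security group-membership events (4728, 4732 and 4756 are the real event IDs for a member added to a security-enabled global, local or universal group); the field names and the approval-ticket convention are assumptions.

```python
"""Flag additions to privileged directory groups that lack a recorded approval.

Added example for the "watch directory activity" and "require manual approval
for privilege increases" steps; not RSA's code. Log format and field names are
assumptions; the sample lines and ticket list are constructed.
"""
import shlex
from dataclasses import dataclass

# Groups whose membership changes should always be reviewed by a person.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                     "Administrators", "Account Operators"}

# Windows event IDs for "a member was added to a security-enabled group".
GROUP_ADD_EVENTS = {"4728", "4732", "4756"}

# Constructed sample log (not real events). Quoted values may contain spaces.
SAMPLE_LOG = """\
event=4624 subject=alice.ops
event=4728 subject=alice.ops member=bob.dev group="Domain Admins" ticket=CHG-1041
event=4732 subject=svc.backup member=bob.dev group="Administrators"
event=4728 subject=alice.ops member=carol.hr group="HR Staff"
event=4756 subject=mallory member=mallory group="Enterprise Admins" ticket=
"""

# Approvals recorded by the change-control process (constructed).
APPROVED_TICKETS = {"CHG-1041"}


@dataclass
class Alert:
    event: str
    subject: str   # account that made the change
    member: str    # account that was added
    group: str
    reason: str


def parse_line(line):
    """Split a key=value line into a dict; shlex handles the quoted values."""
    fields = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def scan(log_text, approved=APPROVED_TICKETS):
    """Return an Alert for every privileged-group addition without an approved ticket."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        if f.get("event") not in GROUP_ADD_EVENTS:
            continue                      # not a group-membership change
        group = f.get("group", "")
        if group not in PRIVILEGED_GROUPS:
            continue                      # routine group; no manual approval needed
        ticket = f.get("ticket", "")
        if ticket in approved:
            continue                      # change went through the approval process
        reason = "no approval ticket" if not ticket else f"unknown ticket {ticket}"
        if f.get("subject") == f.get("member"):
            reason += "; subject elevated own account"
        alerts.append(Alert(f["event"], f.get("subject", ""), f.get("member", ""),
                            group, reason))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Run against the sample, the approved Domain Admins addition and the HR Staff change pass silently; the unapproved Administrators addition and the self-elevation into Enterprise Admins are reported. In a real SIEM the same logic is a correlation rule joining group-change events to the change-ticket system, with the privileged-group list maintained as a lookup.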

What's RSA going to do about it directly?

It says it will help strengthen customers' security: "We are committed to applying all necessary resources to give our SecurID customers the tools, processes and support they require to strengthen the security of their IT systems in the face of this incident. Our full support will include a range of RSA and EMC internal resources as well as close engagement with our partner ecosystems and our customers' relevant partners."

How did the hackers get in?

RSA is describing the attack as an advanced persistent threat, but isn't detailing what happened.

When will they?

It's not clear that they ever intend to: "As appropriate, we will share our experiences from these attacks with our customers, partners and the rest of the security vendor ecosystem and work in concert with these organizations to develop means to better protect all of us from these growing and ever more sophisticated forms of cybersecurity threat."

How did RSA react when it discovered the breach?

The company says in a statement that it took aggressive measures against the attack and hardened its IT infrastructure. It says it is also investigating and has notified the appropriate authorities. It doesn't detail the measures, the hardening efforts or who the authorities are.

When did this happen?

"Recently" is the closest RSA comes to telling. The company notified the Securities and Exchange Commission yesterday, and is reported to have been working with government customers on the fallout for more than a week.
