Takeaways From the RSA SecurID Breach

It’s not news at this point that “highly sophisticated” attackers were able to steal information from RSA that weakens its ubiquitous SecurID authentication tokens.  It is also known that the attackers leveraged this stolen information to attack the US defense industrial base (DIB), namely Lockheed Martin and L3 Communications.  At least those are the ones we know about; there are probably others.

This attack pattern shows considerable sophistication and deserves discussion.  Strong authentication via RSA SecurID tokens is a feature of many high-security installations, including IT systems in the financial services sector and the DIB.  SecurID tokens are the proverbial “keys to the kingdom” for many high-value IT systems across many industries around the world.  One breach that facilitates attacks on multiple subsequent high-value targets: it’s the gift that keeps on giving.

What other “keys to the kingdom” may attackers target?  The software and hardware supply chains are obvious examples: general-purpose computing hardware from fewer than five vendors powers most modern IT systems.  Three general-purpose operating systems power the overwhelming majority of modern IT systems.  Fewer than a dozen software/technology “stacks” power most modern online applications.  All of this hardware and software depends on large international supply chains.  While the security of these supply chains is a strategic national issue, rapid detection of an attack on critical IT systems is an essential business function.  Even though the attackers were leveraging weakened RSA tokens, Lockheed Martin detected and stopped the attack before damage was done.

The Bottom Line: Layered defenses (“defense in depth”) are critical because no security measure is infallible.  Moreover, the importance of ongoing monitoring and attack detection on critical IT systems cannot be overstated.  Even bank vaults are not impenetrable; rather, they are designed to buy enough time for the alarm to trigger and for the police to arrive.  Make sure your IT staff understand that a security program needs to address Prevention, Detection, and Response.
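As an added illustration (not code from the original post), the following Python shows the two halves of the argument above: why stolen token material defeats the token layer, and what detection can still catch afterwards.  It assumes the stolen RSA data is the per-token seed, and uses RFC 6238 TOTP as a stand-in for RSA’s proprietary tokencode algorithm (the structural point, that the code is a function of seed and time, is the same).  The seed, PIN, token serials, source networks and log events are all constructed for the example, and the two detection rules are illustrative; nothing here describes how Lockheed Martin actually detected the attack.

```python
# Added example (not from the original post). Assumptions: the stolen RSA data
# is the per-token seed; RFC 6238 TOTP stands in for the proprietary SecurID
# algorithm; seed, PIN, serials, networks and log events are constructed.
import hashlib
import hmac
import struct
from collections import defaultdict

STEP = 60  # SecurID tokencodes rotate every 60 seconds


def tokencode(seed: bytes, now: int, digits: int = 6) -> str:
    """Time-based one-time code (RFC 6238 TOTP over HMAC-SHA1).

    The code is a pure function of (seed, time): whoever holds the seed
    computes exactly what the physical token displays.
    """
    mac = hmac.new(seed, struct.pack(">Q", now // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def verify_passcode(seed: bytes, pin: str, passcode: str, now: int, skew: int = 1) -> bool:
    """SecurID-style passcode = PIN + tokencode, allowing +/- `skew` steps of clock drift.

    Once the seed is stolen, the PIN is the only secret left in this layer.
    """
    candidates = [pin + tokencode(seed, now + d * STEP) for d in range(-skew, skew + 1)]
    return any(hmac.compare_digest(passcode, c) for c in candidates)


def attacker_can_authenticate(seed: bytes, pin: str, now: int) -> bool:
    """An attacker holding the seed (and the PIN, by guessing or phishing)
    produces a passcode the server cannot distinguish from the real token's."""
    forged = pin + tokencode(seed, now)
    return verify_passcode(seed, pin, forged, now)


def detect_anomalies(events, window: int = 600, fail_threshold: int = 3):
    """Detections that still work after the seed is compromised.

    1. One token serial succeeding from two different source networks inside
       `window` seconds: a single physical token cannot be in two places.
    2. `fail_threshold` or more failures on a serial followed by a success:
       someone with valid tokencodes guessing the PIN.
    events: dicts with keys ts, serial, src_net, ok.  Returns alert strings.
    """
    by_serial = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_serial[e["serial"]].append(e)
    alerts = []
    for serial, evs in by_serial.items():
        for i, e in enumerate(evs):
            if not e["ok"]:
                continue
            recent = [x for x in evs[:i] if e["ts"] - x["ts"] <= window]
            nets = {x["src_net"] for x in recent if x["ok"]} | {e["src_net"]}
            if len(nets) > 1:
                alerts.append(f"{serial}: success from {sorted(nets)} within {window}s")
            fails = sum(1 for x in recent if not x["ok"])
            if fails >= fail_threshold:
                alerts.append(f"{serial}: {fails} failures then success (PIN guessing?)")
    return alerts


# Constructed inputs.  The seed is the RFC 6238 test-vector secret, not a real
# SecurID seed; NOW is a fixed epoch time so the run is reproducible.
SEED = b"12345678901234567890"
PIN = "4821"
NOW = 1_300_000_000
CORP, OUTSIDE = "10.20.0.0/16", "203.0.113.0/24"
SAMPLE_EVENTS = [
    {"ts": NOW - 400, "serial": "token-B", "src_net": CORP, "ok": True},      # benign
    {"ts": NOW - 300, "serial": "token-A", "src_net": CORP, "ok": True},      # real user
    {"ts": NOW - 200, "serial": "token-A", "src_net": OUTSIDE, "ok": False},  # attacker, wrong PIN
    {"ts": NOW - 150, "serial": "token-A", "src_net": OUTSIDE, "ok": False},
    {"ts": NOW - 100, "serial": "token-A", "src_net": OUTSIDE, "ok": False},
    {"ts": NOW - 50, "serial": "token-A", "src_net": OUTSIDE, "ok": True},    # attacker got in
]


def demo():
    """Returns the alerts raised on the constructed log."""
    return detect_anomalies(SAMPLE_EVENTS)


if __name__ == "__main__":
    print("attacker with seed authenticates:", attacker_can_authenticate(SEED, PIN, NOW))
    for a in demo():
        print("ALERT", a)
```

The point of the two detection rules is that neither depends on the seed being secret: they key on the physical constraint that one token cannot be used from two networks at once, and on the behaviour of an attacker who has the tokencode but must still guess the PIN.  That is the bank-vault argument in code: the compromised layer buys less time than before, so the alarm has to be faster.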