Verizon Business advised customers to slow down and make sure all the other security measures are in place to trap targeted attacks before worrying about replacing SecurID tokens.
Organizations shouldn't make replacing compromised RSA Security
SecurID tokens their top priority, according to a security consultant
at Verizon Business.
Corporate IT departments would be better off beefing up defenses to
stop spear-phishing attacks and increasing network security rather than
rushing to replace compromised tokens, Dave Kennedy, a security analyst
with Verizon Business, wrote June 30 on the company's Security Blog.
Around three-quarters of the cases believed to be secondary attacks
following the SecurID breach used spear phishing e-mail attacks to
install a Trojan on a computer within the targeted organization,
The Trojan installed a keylogger onto the victim's computer to gather
user information such as the hostname, the user ID, PIN code and the
temporary code generated by the SecurID token, Kennedy said. The
harvested information could be used to create a cloned SecurID token to
breach the network, according to Kennedy.
"With this the attacker can work backwards to associate a user ID with
token seed and then use the results to impersonate the user," Kennedy
Implementing security measures against spear-phishing attacks will stop
this kind of SecurID-attack from succeeding as well as other targeted
attacks, while replacing the tokens won't do anything about all the
other attacks, Kennedy said. Spear-phishing and other targeted attacks
are a bigger threat to most organizations than the one relying on
cloned SecurID tokens, according to Kennedy.
"All those things we've been encouraging customers to do for years
continue to be essential," Kennedy wrote, noting that the costs of
those measures should already be part of the routine IT budget.
All customers should restrict authentication sessions to known devices
and locations, monitor authentication sessions from unknown devices and
locations while restricting multiple logins from the same user. Kennedy
encouraged IT managers to aggressively investigate suspicious incidents
When RSA Security announced its data breach in March, it immediately
advised customers to strengthen existing security measures such as
detecting unusual logins and escalation of user privileges in order to
detect follow-up attacks.
"Everything known about the RSA breach supports the inference that
nation-state motivated attackers were responsible for the RSA breach,"
Kennedy wrote. Once an organization accepts that the threat may be from
"state-sponsored actors," then the management team has to assess the
likelihood of the RSA attackers targeting the enterprise, Kennedy said.
Rushing to replace the tokens would disrupt operations and require the
organization to dedicate additional resources, especially staff time.
"No knee-jerking allowed," Kenney wrote.
Only a "subset" of enterprises, departments, and individuals should be
taking immediate action against the threat, Kennedy said. He defined
this subset as some government departments, some researchers, some
companies with aggressive international competitors and any entity
already targeted for nation-state espionage.
Companies that are "peers" of Lockheed Martin, Northrop Grumman and the
International Monetary Fund would fall in this category, said Kennedy.
Most customers should plan to replace their existing SecurID
installation, but they can take their time to do so, provided other
security measures are in place, according to Kennedy.
Kennedy closely echoed RSA Security's claim in June that the attackers
were only interested in military information and were focused on
defense contractors. RSA has focused its efforts on replacing the
tokens for customers in the vulnerable category, but has said it will
replace tokens for practically any customer who request to do so.