Organizations shouldn't make replacing compromised RSA Security SecurID tokens their top priority, according to a security consultant at Verizon Business.
Corporate IT departments would be better off beefing up defenses to stop spear-phishing attacks and increasing network security rather than rushing to replace compromised tokens, Dave Kennedy, a security analyst with Verizon Business, wrote June 30 on the company's Security Blog.
Around three-quarters of the cases believed to be secondary attacks following the SecurID breach used spear phishing e-mail attacks to install a Trojan on a computer within the targeted organization, Kennedy said.
The Trojan installed a keylogger onto the victim's computer to gather user information such as the hostname, the user ID, PIN code and the temporary code generated by the SecurID token, Kennedy said. The harvested information could be used to create a cloned SecurID token to breach the network, according to Kennedy.
"With this the attacker can work backwards to associate a user ID with token seed and then use the results to impersonate the user," Kennedy wrote.
Implementing security measures against spear-phishing attacks will stop this kind of SecurID-attack from succeeding as well as other targeted attacks, while replacing the tokens won't do anything about all the other attacks, Kennedy said. Spear-phishing and other targeted attacks are a bigger threat to most organizations than the one relying on cloned SecurID tokens, according to Kennedy.
"All those things we've been encouraging customers to do for years continue to be essential," Kennedy wrote, noting that the costs of those measures should already be part of the routine IT budget.
All customers should restrict authentication sessions to known devices and locations, monitor authentication sessions from unknown devices and locations while restricting multiple logins from the same user. Kennedy encouraged IT managers to aggressively investigate suspicious incidents and errors.
When RSA Security announced its data breach in March, it immediately advised customers to strengthen existing security measures such as detecting unusual logins and escalation of user privileges in order to detect follow-up attacks.
"Everything known about the RSA breach supports the inference that nation-state motivated attackers were responsible for the RSA breach," Kennedy wrote. Once an organization accepts that the threat may be from "state-sponsored actors," then the management team has to assess the likelihood of the RSA attackers targeting the enterprise, Kennedy said.
Rushing to replace the tokens would disrupt operations and require the organization to dedicate additional resources, especially staff time. "No knee-jerking allowed," Kenney wrote.
Only a "subset" of enterprises, departments, and individuals should be taking immediate action against the threat, Kennedy said. He defined this subset as some government departments, some researchers, some companies with aggressive international competitors and any entity already targeted for nation-state espionage.
Companies that are "peers" of Lockheed Martin, Northrop Grumman and the International Monetary Fund would fall in this category, said Kennedy.
Most customers should plan to replace their existing SecurID installation, but they can take their time to do so, provided other security measures are in place, according to Kennedy.
Kennedy closely echoed RSA Security's claim in June that the attackers were only interested in military information and were focused on defense contractors. RSA has focused its efforts on replacing the tokens for customers in the vulnerable category, but has said it will replace tokens for practically any customer who request to do so.