The National Security Agency (NSA) SignOn March 17, 2011, RSA announced that it had been the victim of a cyber intrusion, and as a result, information related to its SecurID product – a two-factor authentication device – had been compromised. According to RSA, the compromise does not lead to a direct attack on SecurID, but it does decrease its effectiveness.

In reaction to the RSA cyber intrusion, The National Security Agency (NSA) released Information Assurance Advisory No. IAA-003-2011: Recommended Actions for SecurID Users in Response to RSA Cyber Intrusion. This advisory expands on the information previously released by NSA via Information Assurance Alert No. IAR-001-2011: Mitigations for the RSA Cyber Intrusion, and provides additional guidance on:

  • The use of SecurID hard tokens and soft tokens
  • Fortifying the security profile of SecurID’s authentication factors
  • Measures to harden SecurID’s Authentication Manager

Here is a summary of NSA’s recommendations for SecurID customers.

The Use of SecurID Hard Tokens and Soft Tokens

RSA is exploring remediation strategies and best practices for its customers. However, implementation of these strategies may take some time. Customers should continue to work with RSA to develop short-term and long-term mitigations. Options include:

  • Continued use of hard tokens: In some circumstances, the risk of continued use of hard tokens may be deemed minimal.
  • Replacing hard tokens with soft tokens: For this option, an application is installed to generate a one-time password.

Fortifying the Authentication Factors

As a best practice, SecurID should not be used as the sole means of authentication. Recommendations on additional authentication measures and how to securely implement them are:

  • Augment SecurID with usernames and passwords: A relatively simple way to augment SecurID is to also require a user to log in to the system. This forces the adversary to compromise additional user information in order to gain access. Specific measures include the following:
    • Enable account login restrictions
    • Require users to phone-in before logging in
  • Augment SecurID with the DoD Common Access Card (CAC): A DoD customer could augment its existing SecurID system with the DoD CAC card, which is widely used across the DoD.
  • Perform regular audits of remote login activity: Enclaves should regularly audit login activities in order to identify unauthorized activity. Specific steps include:
    • Verify remote logins with each user
    • Analyze logs for unusual IP addresses
    • Analyze logs for failed login attempts
    • Notify users of last logins
  • Implement robust PIN policies: Implement strong policies for PIN and password usage and selection. The following should be considered:
    • Enforce the selection of robust PINs and passwords
    • Have users select new PINs and passwords and increase the frequency at which this needs to be performed
    • Implement quicker user lock-out after failed login attempts

Authentication Manager (AM) Hardening

These include:

  • Change default passwords
  • Install a system integrity checker
  • Only install valid software
  • Do not co-locate the AM with other services
  • Restrict Internet access from the AM
  • Limit user access to the AM
  • Baseline the AM network communications
  • Establish firewall rules to restrict network access to the AM
  • Limit user access to only a specific IP address or range of IP addresses
  • Restrict remote access to the AM

Additional Resources

Read NSA’s entire Information Assurance Advisory No. IAA-003-2011: Recommended Actions for SecurID Users in Response to RSA Cyber Intrusion here.

Read NSA’s entire Information Assurance Alert No. IAR-001-2011: Mitigations for the RSA Cyber Intrusion here.

Visit RSA’s SecurID Customer Resource Center, which provides links to SecurID information related to the attack, and where customers can tune in for updates.

In response to the RSA breach, the DHS issued the Technical Information Paper TIP-11-075-01 System Integrity Best Practices. This TIP calls for users to:

  • Enable strong logging
  • Limit remote access
  • Apply additional defense-in-depth techniques
  • Validate software

Were you affected by the SecurID compromise? Do you have additional resources to share with us? Let us know in the comments.