Yesterday, RSA Security, a division of EMC Corporation, was attacked by hackers who stole sensitive information related to the SecurID two-factor authentication products. These "security tokens," whose pass codes change every 30 to 60 seconds, are used by more than 40 million individuals worldwide.
RSA's Chairman Art Coviello sent an open letter to RSA Customers, stating:
"Our investigation has led us to believe that the attack is in the category of an Advanced Persistent Threat (APT). Our investigation also revealed that the attack resulted in certain information being extracted from RSA's systems. Some of that information is specifically related to RSA's SecurID two-factor authentication products. While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack."
RSA customers should not panic (yet) but should follow RSA's recommendations on implementing stronger security, which can be found here.
The first recommendation on this list is interesting:
"We recommend customers increase their focus on security for social media applications and the use of those applications and websites by anyone with access to their critical networks."
While RSA has not revealed details of the attack, this recommendation is generating attention. Some people, analyzing what RSA is and isn't saying, are wondering what role social media played in this vulnerability. Ironically, the attack comes a little over a month after RSA held its annual Security Conference, where such topics as "Social Engineering in a Social Media World: Risk, Liability, and Control" and "Blocking Social Media Is So 2010 - How to Embrace the Social Web Safely" were discussed.
