The sophisticated, multi-pronged attack that struck RSA Security last March has resulted in the high-profile IT security vendor overhauling the manufacturing and distribution of its SecurID tokens.
For readers who may have overlooked the saga, the attack compromised RSA Security's network of about 40 million tokens and involved the use of stolen SecurID information to launch an attack on a key RSA Security customer, Lockheed Martin, the U.S. defense contractor, in the early spring of last year.
Whilst RSA officials have sought to minimise the fallout from the security faux pas – pointing to the fact that it has staged a free re-issue of SecurID tokens to all its many customers – critics point out that it took the security vendor a week before it started talking to the press, and by implication, its customers about the problem.
It then took RSA until June to reveal the technology that had been compromised by the attack, after which is started the lengthy process of re-issuing tokens to its clients.
That process – though ostensibly free – has actually cost clients using the hardware tokens many millions of dollars, pounds and euros in the staff costs of handling the re-issue, as well as significant other on-costs. As any CFO will confirm, whilst there are direct and indirect costs in any business activity, both categories involve the expenditure of money.
So there we have it -- 40 million affected, a late apology and the hidden costs of a fiasco that almost certainly will have cost RSA Security a sizeable number of its customers, some of whom have defected to rival suppliers, and some of whom have made the leap to tokenless and other advanced forms of authentication.
And this revenue loss is before we even begin to talk about the fact that RSA Security has had to spend time and resources explaining what actually happened to its corporate clients – as well as developing new software to harden the company against further attacks and a reported seven-fold increase in the production of its tokens to cater for the replacement program.
Art Coviello, the firm's executive chairman, has gone on record as saying that his firm obviously went through a hell of a year last year – "We learned from it, and we came out stronger," he said at the start of this year.
Coviello may be relieved that a sizeable majority of RSA's customers have stayed with the company, but the reputational damage may come back to haunt him – and his successors. Many clients are locked into the secured technology because of already-committed technology costs but as new security technologies are required, many clients will quietly look elsewhere, looking to the many technology alternatives that are available.
Last October saw RSA President Tom Heiser revealing that the March 2011 attack on his firm's systems was a two pronged, rather than a single incursion, and involved a mid-hack switch of attack vectors that his IT teams were aware of whilst they were happening.
"These people were persistent. The remote attack was adapted to meet RSA's internal naming convention," he told his audience at the RSA Europe conference in October.
Despite Heiser’s platitudes to his audience, it should be remembered that he was – in the main – speaking before clients who have been supportive of the firm’s products and services - as well as a minority of clients whose companies are locked into RSA’s technology and must therefore learn to live with the odd highly expensive data breach fiasco.
It is interesting to note that security researcher Brian Krebs reported last October that the RSA hackers might have hit more than 760 firms.
“Security experts have said that RSA wasn’t the only corporation victimized in the attack, and that dozens of other multinational companies were infiltrated using many of the same tools and Internet infrastructure. But so far, no one has been willing to talk publicly about which other companies may have been hit,” said the former Washington Post IT security journalist.
Krebs went on to say that almost 20% of the Fortune 100 companies in the U.S. have seen their IT systems compromised, including name like AT&T.
A year on, and a number of smaller security solution vendors are seeing RSA customers shopping around for alternative solutions rather than depend on the physical token.
For many organizations they are already moving over to cloud-based IT platforms – so moving away from traditional two-factor authentication makes sense for them as users remotely access their corporate server environment.
Encryption of the data flowing into and out of the cloud is relatively painless and can typically be carried out at low cost, with tokenless authentication via a mobile phone offering a complementary and highly portable authentication system. This makes it a far more convenient option than dedicated physical tokens.
With tokenless two-factor security, when the user wishes to access their corporate data or cloud-based service remotely, they simply enter their secret PIN/passphrase into the token application running on the smartphone, which then generates a one-time passcode that the user enters into the password field on the computer.
By demonstrating that they have these two factors – a secret PIN/passphrase and their smartphone – the user is securely identified.
Unlike their physical counterparts, software tokens can also assist in decreasing the total cost of ownership of the security, as they do not require any physical shipping – a crucial cost factor if the hardware token is compromised, and the vendor has to re-issue the token.
As we approach the 12-month anniversary of the RSA Security hack, organisations that have been affected by having to re-deploy their reissued hardware tokens would do well to reflect on the fact that had they been using tokenless two-factor authentication – the costs and timescales involved with issuing new tokens would have been significantly less.