Analyzing the RSA Security Breach

By TMCnet Special Guest
Andy Kemshall
  |  May 22, 2012

This article originally appeared in the May 2012 issue of INTERNET TELEPHONY magazine.

It’s been 14 months since the security world woke to the horror that RSA (News - Alert) Security’s systems had been compromised and – as the company has reluctantly confirmed – its many tens of millions of SecurID hardware tokens would have to be re-issued to clients.

For readers who may have overlooked the saga, the attack compromised RSA Security's (News - Alert) network of about 40 million tokens and involved the use of stolen SecurID information to launch an attack on a key RSA Security customer, Lockheed Martin, the U.S. defense contractor. The sophisticated multi-pronged attack that struck RSA Security a year ago March has resulted in the high profile IT security vendor overhauling the manufacturing and distribution of its SecurID tokens.

While RSA officials have sought to minimize the fallout from the security faux pas – pointing to the fact that it has staged a free re-issue of SecurID tokens to all its many customers – critics point out that it took the security vendor a week before it started talking to the press, and by implication, its customers, about the problem.

It then took RSA until June to reveal the technology that had been compromised by the attack, after which it started the lengthy process of re-issuing tokens to its clients. That process, though ostensibly free, has actually cost clients using the hardware tokens many millions of dollars, pounds and euros in the staff costs of handling the re-issue, as well as significant other costs. As any CFO will confirm, while there are direct and indirect costs in any business activity, both categories involve the expenditure of money.

So there we have it – 40 million affected, a late apology and the hidden costs of a fiasco that almost certainly will have cost RSA Security a sizeable number of its customers, some of whom have defected to rival suppliers, and some of whom have made the leap to tokenless and other advanced forms of authentication. And this revenue loss is before we even begin to talk about the fact that RSA Security has had to spend time and resources explaining what actually happened to its corporate clients – as well as developing new software to harden the company against further attacks and a reported seven-fold increase in the production of its tokens to cater to the replacement program.

Art Coviello, the firm's executive chairman, has gone on record as saying that his firm obviously went through a hell of a year last year. "We learned from it, and we came out stronger," he said at the start of this year.

Coviello may be relieved that a sizeable majority of RSA's customers have stayed with the company. But the damage to the firm’s reputation may come back to haunt him and his successors, as many clients are locked into the Secured technology because of already-committed technology costs.

But as new security technologies are required, many clients will quietly look elsewhere, reviewing the many technology alternatives that are available.

Last October saw RSA president Tom Heiser revealing that the March 2011 attack on his firm's systems was a two-pronged attack, rather than a single incursion, and involved a mid-hack switch of attack vectors that his IT teams were aware of while they were happening.

"These people were persistent,” he told his audience at RSA Europe in October 2011. “The remote attack was adapted to meet RSA's internal naming convention."

Despite Heiser’s platitudes to his audience, it should be remembered that he was, in the main,  speaking before clients who have been supportive of the firm’s products and services, as well as to a minority of clients whose companies are locked into RSA’s technology and must therefore learn to live with the highly expensive data breach fiasco.

It is interesting to note that security researcher Brian Krebs reported last October that the RSA hackers might have hit more than 760 firms.

“Security experts have said that RSA wasn’t the only corporation victimized in the attack, and that dozens of other multinational companies were infiltrated using many of the same tools and Internet infrastructure,” said the former Washington Post IT security journalist. “But so far, no one has been willing to talk publicly about which other companies may have been hit.”

Krebs went on to say that almost 20 percent of the top Fortune 100 companies in the U.S. have seen their IT systems compromised, with clients like AT&T (News - Alert) and BT standing out from his report. 

A year on, and a number of smaller security solution vendors are seeing RSA customers shopping around for alternative solutions rather than depending on the physical token. Here at SecurEnvoy we have seen a huge spike in demand from RSA customers looking for a change, with many now turning to tokenless two-factor authentication, which uses a mobile phone as the authentication medium.

For many organizations they are already moving over to cloud-based IT platforms, moving away from traditional 2FA makes sense for them as users remotely access their corporate server environment. Encryption of the data flowing into and out of the cloud is relatively painless and can typically be carried out at low cost, with tokenless 2FA via a mobile phone offering a complimentary and highly portable authentication system. This makes it a far more convenient option than dedicated physical tokens.

With tokenless 2FA security, when users wish to access their corporate data or cloud-based solutions remotely, they simply enter their secret PIN/passphrase into the token application running on the smartphone, which then generates a one-time passcode that the user enters into the password field on the computer. By demonstrating that they have these two factors – a secret PIN/passphrase and their smartphone – the user is securely identified.

Unlike their physical counterparts, software tokens can also assist in decreasing the total cost of ownership of the security, as they do not require any physical shipping – a crucial cost factor if the hardware token is compromised and the vendor has to re-issue the token.

Andrew Kemshall is CTO of SecurEnvoy (

Edited by Stefania Viscusi