Since the partial compromise of RSA's SecurID two-factor authentication security product, RSA has been trying to limit the damage not only to its customers but to its business. A new story in the Wall Street Journal yesterday indicates that it is still struggling a bit in regard to the latter issue.
The WSJ article says that RSA is following its previously announced plan to swap out only about a third of the 30-40 million tokens being used by its 30,000 or so customers. The companies getting the new tokens, the WSJ says, are those RSA describes as having "concentrated user bases typically focused on protecting intellectual property and corporate networks."
In addition, the WSJ says, the organizations that are getting new tokens will likely wait another 1 to 2 months to receive them. Even when they do, it frequently takes an organization a few weeks to complete the internal token replacement process. The Journal article says a number of companies are switching to SecurID software tokens as an interim measure, since those can be distributed in only a few days.
While RSA did not originally offer its banking customers new security tokens, instead increasing security monitoring, news reports indicate that several major banks, including Citigroup, Bank of America, Wells Fargo, JPMorgan Chase, ANZ Bank and WestPac Bank, have asked for replacements in the past week or so. This Bloomberg News article says that if all the banks using SecurID tokens demanded them - which is unlikely - the banks' total internal distribution costs could range between $50 million and $100 million.
The WSJ article also says RSA competitors are continuing to exploit the opportunity the breach has exposed. SafeNet, for example, is going to let US federal government and defense contractors replace their RSA tokens with free SafeNet tokens. Verizon Business, which is an RSA security token reseller but also sells its own authentication products, told the WSJ that "some of its customers are now weighing the costs of replacing their tokens against ditching RSA in favor of other services."
In related security news, the Washington Post published a story Thursday reporting that the US National Security Agency (NSA), in partnership with the Department of Homeland Security (DHS), started a voluntary trial program about a month ago with the ISPs AT&T, Verizon Communications and CenturyLink to monitor email and other traffic flowing to some 15 US defense contractors, in hopes of stopping cyber attacks by "foreign adversaries." Lockheed Martin, Northrop Grumman and L3 Communications were recently attacked using what was said to be information taken from the RSA SecurID breach.
The Washington Post article says that:
"The program uses NSA-developed 'signatures,' or fingerprints of malicious code, and sequences of suspicious network behavior to filter the Internet traffic ... [allowing] the Internet providers to disable the threats before an attack can penetrate a contractor’s servers. The trial is testing two particular sets of signatures and behavior patterns that the NSA has detected as threats."
However, as the Post story noted, the program cannot stop intruders who have gained access to "compromised security software [thus] enabling them to log in as if they were legitimate users." In other words, the monitoring likely would not have stopped the SecurID-related attack against Lockheed Martin and the others.
Privacy advocates have raised concerns about the program, fearing that it may eventually lead to US government surveillance of all Internet traffic. However, Deputy Defense Secretary William J. Lynn III tried to put those fears to rest by saying:
"The U.S. government will not be monitoring, intercepting or storing any private-sector communications... Rather, threat intelligence provided by the government is helping the companies themselves, or the Internet service providers working on their behalf, to identify and stop malicious activity within their networks."
Time will tell whether this program is as benign as Deputy Defense Secretary Lynn says it is or instead is the thin edge of the wedge to future US government monitoring, intercepting and storing private-sector communications.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.