EMC said that its RSA unit was hit with a “sophisticated cyber attack” that swiped information related to its SecurID tokens.
Art Coviello, head of RSA, said in an open letter to customers:
Recently, our security systems identified an extremely sophisticated cyber attack in progress being mounted against RSA. We took a variety of aggressive measures against the threat to protect our business and our customers, including further hardening our IT infrastructure. We also immediately began an extensive investigation of the attack and are working closely with the appropriate authorities.
Our investigation has led us to believe that the attack is in the category of an Advanced Persistent Threat (APT). Our investigation also revealed that the attack resulted in certain information being extracted from RSA’s systems. Some of that information is specifically related to RSA’s SecurID two-factor authentication products. While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack. We are very actively communicating this situation to RSA customers and providing immediate steps for them to take to strengthen their SecurID implementations.
We have no evidence that customer security related to other RSA products has been similarly impacted. We are also confident that no other EMC products were impacted by this attack. It is important to note that we do not believe that either customer or employee personally identifiable information was compromised as a result of this incident.
For customers, EMC and RSA recommend that customers do the following:
Affected Products:
The affected products are RSA SecurID implementations.
Overall Recommendations:
- RSA strongly urges customers to follow both these overall recommendations and the recommendations available in the best practices guides linked to this note.
- We recommend customers increase their focus on security for social media applications and the use of those applications and websites by anyone with access to their critical networks.
- We recommend customers enforce strong password and pin policies.
- We recommend customers follow the rule of least privilege when assigning roles and responsibilities to security administrators.
- We recommend customers re-educate employees on the importance of avoiding suspicious emails, and remind them not to provide user names or other credentials to anyone without verifying that person’s identity and authority. Employees should not comply with email or phone-based requests for credentials and should report any such attempts.
- We recommend customers pay special attention to security around their active directories, making full use of their SIEM products and also implementing two-factor authentication to control access to active directories.
- We recommend customers watch closely for changes in user privilege levels and access rights using security monitoring technologies such as SIEM, and consider adding more levels of manual approval for those changes.
- We recommend customers harden, closely monitor, and limit remote and physical access to infrastructure that is hosting critical security software.
- We recommend customers examine their help desk practices for information leakage that could help an attacker perform a social engineering attack.
- We recommend customers update their security products and the operating systems hosting them with the latest patches.
For RSA product-specific recommendations, please follow the links below to the Security Best Practices Guides for each product. If you are unable to access the files via RSA SecurCare, please contact support at:
U.S.: 1-800-782-4362, Option #5 for RSA, Option #1 for SecurCare note
Canada: 1-800-543-4782, Option #5 for RSA, Option #1 for SecurCare note
International: +1-508-497-7901, Option #5 for RSA, Option #1 for SecurCare note
