Think Information. Think Security.
Days after RSA SecurID was hacked, RSA said:

"While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers," RSA wrote on its blog, "this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack. We are very actively communicating this situation to RSA customers and providing immediate steps for them to take to strengthen their SecurID implementations."

Too early for that statement? RSA now stands for Right Staging Attack. With SecurID, the attack is already included in "what you have". Do we still need SecurID after all this?

The attack on Lockheed Martin offers important lessons for chief security officers in securing their networks.

The arms and aeronautics manufacturer confirmed this weekend that it had been the victim of a hacking attack on 21 May, described in a statement as "significant and tenacious".

Lockheed Martin was forced to shut down some employee access to deal with the attack, but claimed that the raid was ultimately unsuccessful.

"As a result of the swift and deliberate actions taken to protect the network and increase IT security, our systems remain secure; no customer, program or employee personal data has been compromised," the company said.

"Our policies, procedures and vigilance mitigate the cyber threats to our business, and we remain confident in the integrity of our robust, multi-layered information systems security."

What the company did not reveal was the attack vector, which is widely believed to be the RSA SecurID token system.

RSA admitted being successfully attacked in March, and there have since been growing concerns in the IT security industry that the two-factor authentication tokens could have been compromised.

RSA garnered praise from some for coming clean about the attack itself, but has remained worryingly quiet ever since. There are fears that the core technology behind its SecurID system has been partially or fully compromised.

The SecurID system has dominated the two-factor authentication market for many years, and it is the mainstay of many organisations' security strategies.

Regardless of whether or not the SecurID technology has been compromised, relying on any one system too heavily is poor practice, according to Eve Maler, principal analyst at Forrester Research.

"There are a number of companies we see who are maybe too over-engineered around a single security system," she told

"Industry has to beware of the monoculture that some of them have got into, and maybe this will spur a little diversity in the market. That's not so good for RSA, but good for us."

Maler pointed out that a dominant standard can lead to security problems in the long run, because it gives a hacker the largest possible target area, as the PC industry has seen with Windows. Companies need to explore other options, she said, and take a more layered approach to security architectures.

A lot of companies in the financial sector are now looking at risk-based authentication as a security model to add to their existing systems, and the technology is "very complementary" in other areas, according to Maler.

Risk-based authentication analyses the subject's behaviour based on past actions and existing threat models before assigning a risk level.
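The layered approach Maler describes, with risk-based authentication sitting beside an existing token check, can be sketched as a small scoring engine. The following is an added illustration written for this post, not code from RSA, Forrester or any product named here; the signals, weights, thresholds, user profile and login attempts are all constructed for the example. The point it shows is that a valid one-time password is treated as necessary but not sufficient: an attempt whose token passes but whose device, location and time all differ from the user's history is still stepped up or refused.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginAttempt:
    """One sign-in request as seen by the authentication layer."""
    user: str
    device_id: str
    country: str
    hour_utc: int      # hour of day, 0-23
    token_ok: bool     # outcome of the existing one-time-password check


@dataclass
class UserHistory:
    """Past behaviour of one user, the baseline the attempt is compared with."""
    known_devices: frozenset
    usual_countries: frozenset
    usual_hours: frozenset   # UTC hours at which this user normally signs in
    recent_failures: int     # failed sign-ins in the current window


# Signal weights and thresholds are assumed values chosen for this
# illustration only; a real deployment tunes them to observed data.
WEIGHTS = {
    "new_device": 30,
    "unusual_country": 40,
    "unusual_hour": 15,
    "recent_failure": 10,    # per failure, capped below
}
MAX_COUNTED_FAILURES = 5


def risk_score(attempt: LoginAttempt, history: UserHistory):
    """Compare the attempt with past behaviour; return (score, reasons)."""
    score = 0
    reasons = []
    if attempt.device_id not in history.known_devices:
        score += WEIGHTS["new_device"]
        reasons.append("new_device")
    if attempt.country not in history.usual_countries:
        score += WEIGHTS["unusual_country"]
        reasons.append("unusual_country")
    if attempt.hour_utc not in history.usual_hours:
        score += WEIGHTS["unusual_hour"]
        reasons.append("unusual_hour")
    failures = min(history.recent_failures, MAX_COUNTED_FAILURES)
    if failures:
        score += failures * WEIGHTS["recent_failure"]
        reasons.append(f"recent_failures={failures}")
    return score, reasons


def risk_level(score: int) -> str:
    """Map a numeric score onto the three risk bands used for decisions."""
    if score >= 70:
        return "high"
    if score >= 30:
        return "medium"
    return "low"


ACTION_FOR_LEVEL = {"low": "allow", "medium": "step_up", "high": "deny"}


def decide(attempt: LoginAttempt, history: UserHistory) -> dict:
    """Layered check: the token result is checked first, then the risk band."""
    if not attempt.token_ok:
        return {"action": "deny", "level": None, "score": None,
                "reasons": ["token_failed"]}
    score, reasons = risk_score(attempt, history)
    level = risk_level(score)
    return {"action": ACTION_FOR_LEVEL[level], "level": level,
            "score": score, "reasons": reasons}


# Constructed sample profile: one known laptop, one country, office hours.
ALICE = UserHistory(
    known_devices=frozenset({"laptop-001"}),
    usual_countries=frozenset({"US"}),
    usual_hours=frozenset(range(8, 19)),
    recent_failures=0,
)

# Constructed attempts; "stolen_seed" models a valid OTP presented from
# an unknown device, an unusual country and the middle of the night.
SAMPLE_ATTEMPTS = {
    "routine": LoginAttempt("alice", "laptop-001", "US", 10, True),
    "new_device": LoginAttempt("alice", "phone-777", "US", 10, True),
    "stolen_seed": LoginAttempt("alice", "unknown-box", "XX", 3, True),
    "bad_token": LoginAttempt("alice", "laptop-001", "US", 10, False),
}

if __name__ == "__main__":
    for name, attempt in SAMPLE_ATTEMPTS.items():
        print(f"{name:12} -> {decide(attempt, ALICE)}")
```

With these assumed weights the routine attempt scores 0 and is allowed, a new device alone scores 30 and triggers step-up, and the "stolen seed" attempt scores 85 and is refused even though its one-time password was accepted; a failed token is refused before any scoring happens. The reasons list is what a security operations team would want logged alongside the decision.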

Software tokens on handsets are also an option to augment or replace hardware authentication. However, they are seen by some as less secure, and are not popular in sectors that place the highest premium on security, such as government.

It seems that Lockheed Martin, one of the world's biggest armaments companies, had the resources to fend off this attack.

But the incident will prompt a lot of enterprise chief security officers to consider upgrading their own security arsenals in response.

Editor's Note: Cross post from
