Text of RSA Letter to Clients
Vendor Issues Tips, Customer FAQMeanwhile, some customers (including Tenable Network Security CSO Marcus Ranum and UAB Medicine's Terrell Herzig) are talking about the strategies they're taking in the wake of the incident.
Following is an excerpt of the letter, as shared with Information Security Media Group by RSA customers:
Summary:
As previously reported, a recent attack on RSA's systems resulted in certain information being extracted related to RSA SecurID authentication products. This note is being provided in order to help customers further assess their risk and prioritize their remediation steps as necessary in relation to this event.RSA SecurID technology continues to be a very effective authentication solution. Whoever attacked RSA has certain information related to the RSA SecurID solution, but not enough to complete a successful attack without obtaining additional information that is only held by our customers. We have provided best practices so customers can strengthen the protection of the RSA SecurID information they hold.
Based on feedback from customers, we are issuing this follow-up RSA SecurCare note to help customers assess their risk and prioritize their remediation steps. We strongly urge you to initiate these steps immediately, if they are not already part of your environment. These remediation steps are those we have implemented across RSA's and EMC's business, with respect to our RSA SecurID authentication system.
Description:
Updated content is being provided to help customers further assess their risk and prioritize their remediation steps in relation to this event. All content is available on the RSA SecurCare website, and links to that content are provided in this note. Updated information includes:- A Customer FAQ providing answers to help customers further assess their risk and prioritize their remediation steps, if they are not already part of your environment. The FAQ is part of this document.
- Updates to our best practices guides based on customer feedback, including more detailed Log Monitoring Guidelines related to RSA Authentication Manager 6.x and 7.x implementations.
Affected Products:
The only affected products are RSA SecurID authentication products.Overall Recommendations:
RSA strongly urges customers to review all documents referenced in this note. Based on customer requests for prioritization of remediation, below are the most important remediation steps being recommended to customers:- Secure your Authentication Manager database and ensure strong policy and security regarding any exported data (see Best Practices Guides for specific instructions).
- Review recent Authentication Manager logs for unusually high rates of failed authentications and/or next token code events, both of which could indicate suspicious activity (see Authentication Manager 6.x and 7.x Log Guidelines and Best Practices Guides for specific instructions)
- Educate your help desk and end users on best practices for avoiding social engineering attacks such as targeted phishing (see Best Practices Guides for specific instructions)
- Establish strong PIN and lockout policies for all users (see Best Practices Guides for specific instructions).
If you are unable to access the files via RSA SecurCare Online, please contact support at:
- U.S.: 1-800-782-4362, Option #5 for RSA, Option #1 for RSA SecurCare note
- Canada: 1-800-543-4782, Option #5 for RSA, Option #1 for RSA SecurCare note
- International: +1-508-497-7901, Option #5 for RSA, Option #1 for RSA SecurCare note
For additional global contact numbers please reference: http://www.emc.com/collateral/contact-us/h4165-csc-phonelist-ho.pdf
See Also: Customer FAQ: Incident Overview