RSA Breach: 'Not a Game-Changer'
Stephen Northcutt of SANS Institute on What RSA Hack MeansEven with some details of the attack now available, RSA customers are left to weight the potential risk of compromise. "If someone was able to intercept your password, but not physical token," Northcutt says, is it possible they could deduce the two-factor authentication digits and complete the log in? That's the question everyone has got to answer one way or another over time."
In an exclusive interview, Northcutt discusses:
- style='margin-left:200px'
- What we know about the RSA announcement;
- What this news means to the global information security industry;
- Counter-measures organizations can employ to ensure defense in depth.
Northcutt is CEO of the SANS Technology Institute, a postgraduate level IT security college, and an acknowledged expert in training and certification. He founded the Global Information Assurance Certification (GIAC) in 1999 to validate the real-world skills of IT security professionals. GIAC provides assurance that a certified individual has practical awareness, knowledge and skills in key areas of computer and network and software security.
Northcutt is author/coauthor of Incident Handling Step-by-Step, Intrusion Signatures and Analysis, Inside Network Perimeter Security 2nd Edition, IT Ethics Handbook, SANS Security Essentials, SANS Security Leadership Essentials and Network Intrusion Detection 3rd edition. He was the original author of the Shadow Intrusion Detection system before accepting the position of Chief for Information Warfare at the Ballistic Missile Defense Organization.
TOM FIELD: Steve, to start with, what do we think we know about RSA's announcement?
STEPHEN NORTHCUTT: Well, we know for sure that it's a minimal amount of information. They've done what they need to do to be square with the Security Exchange Commission, but they haven't given any details. We don't know what was taken, how long the advanced persistent threat was present, what was detected. Any of the details that help you really come to a significant analysis of the situation, we do not know.
FIELD: And we've got to assume if we're just finding this out now, RSA has known for some time, and likely some of their customers have known for some time. What's the information we need to have?
NORTHCUTT: Well, it comes down to what is the potential risk of compromise of the RSA two-factor authentication? That if you're using it, for instance, for online banking, you type in your password and then you look at your RSA dongle and there are the little digits and you type them in. The question - the $60 million question - is if someone was able to intercept your password, but was not able to intercept the physical token and the seed keys, the crypto keys had been exfiltrated from RSA, is it possible that they could do the two-factor authentication digits and go ahead and complete a login without physical access to a dongle? That's the question that everyone has got to answer one way or another over time.
The Scale
FIELD: Stephen, give us some perspective. How ubiquitous is the RSA Secure ID solution in organizations globally?NORTHCUTT: It's not ubiquitous, and there are other two-factor authentication methods, but it certainly is the 800-pound gorilla. When I do online banking, I particularly choose organizations that supply the dongle to have a little additional safety, because so many times I'm getting online from a hotel network or something that I know is an untrusted media. My first hope, of course, is that the https is giving me a secure tunnel between myself and my bank, but you kind of want to add a little protection. So certainly in the financials, you have a lot of RSA, and then, of course, in large organizations that have rolled out, you know, VPNs for teleworkers and whatnot, they've also selected this as a technology. It's been around a long time, and it's served a great purpose for over a decade. So granted, by definition, a lot of people are using it.
FIELD: Stephen, what is the message from RSA to its customers with this announcement in the little information that they've allowed.
NORTHCUTT: One is that there's a potential risk, and there's also a message that you and I aren't privy to, that some of their best customers they're giving information to make their systems stronger in some way. I would guess it has to do with changing seed codes. Then they have a third part to the message. It's their advice to essentially the world on what to do about access and all. It's all common sense stuff, but it's certainly is something that people should be doing. I mean, it's common sense, but good stuff to review the basics and make sure you're using your SIM to try to detect a particularly focused on active directory so that you can see if there was some credential�the implication is there was some credential stuff going on where maybe people had the same password in more than one place, that sort of a thing. All of this is definitely what we ought to be doing. So three messages, one of which you and I are not privy to.
FIELD: Put this in perspective for us if you can. Is there a precedent for an announcement like this, and what does it mean to the global information security industry?
NORTHCUTT: It's not a game changer. Anybody who says it is, they're an alarmist. Two-factor authentication is a good idea. There's more than one way to do it. You know, my laptop came with a fingerprint reader, for Pete's sake. So we do need to keep in mind that there are going to be chinks in the armor all along.
I keep reminding myself the story, just about Christmastime of breaking the PlayStation 3. Of course, I don't want to go into any details because I'll get in terrible trouble with Sony, but it had all these levels of security, and when somebody went after it methodically, they took it apart level by level by level, and amazingly enough, it was a failure of crypto in the end. Implementation of crypto, of course, not the failure of cryptography -- that was its undoing.
And what that teaches us, the real implication to the global community, is that defense in depth -- 10 years ago, we were trying to think of it as a way to keep the attacker from succeeding�and that's good; that's even wonderful. Today, I think more and more we have to come to a place mentally that the purpose of the defense in depth is to slow the attackers down. The idea that hopefully if it takes a long time, and we should never forget the "P" in the advanced persistent threat. Maybe they'll find somebody else and go extract information from them because there are only so many human operators and analysts to sift through the information. So that we still want to believe in defense in depth. I'm still going to use my RSA dongle. There's nothing that's been announced that says I shouldn't use it for online banking. But I want to keep thinking about what other compensating mechanisms I can use. And, you know, it'll probably take attackers six months or a year before they're able to really come up with a methodical attack.
One thing that I'm going to be looking for is a different two-factor authentication methodology. I know there's a number of startup companies that for two-factor, you type in your password, and they send the rest of it, the two-factor code, as a text message to your cell phone. And I'm sure that can be defeated, but pretty much as long as I'm the guy who still has the SIM to my cell phone under my physical control, that's going to be a tough one for them to beat. And so I'm going to kind of look at that as a solution.
Advice to Customers
FIELD: Stephen, a final question for you. What advice would you offer to RSA's Secure ID customers now in terms of countermeasures they can take to ensure their own security?NORTHCUTT: Don't panic. The advice that RSA has given is all good advice. And, like I say, look for one thing to add some security if you can't count on the absolute integrity of your dongle. What can you do? For instance, one of the things we've always done at SANS is use the free software tool, PuTTY, to generate soft tokens. And so, yes, I have my physical dongle, my two-factor authentication, but I also have a certificate that's present in a particular location on my laptop so as the tunnel is being built, essentially, it's three-factor authentication. And I know a lot of companies are going to be concerned about using free software and so forth, but it just makes sense to add another layer of defense if you can.