Where cyber attacks and hacking are concerned, passwords are in the same league as the aged, indolent security guard kept on by a company that prefers a false sense of security to actual protection. Users' habits of choosing short or simple passwords, or ones based on personal details easily found on their Facebook profiles, have caused reputable organizations to lose faith in the very idea of "strong password security".
The recent breach of Sony's PlayStation Network highlighted that its customers had not used strong passwords and that the company had enforced neither strong password policies nor encryption of its password database. For organizations that need to protect access to their networks or systems, passwords are now considered a primitive security measure, and companies are looking at alternatives such as two-factor authentication as a more viable and secure option.
Two-factor (or, more generally, multi-factor) authentication adds a layer of security on top of passwords. In essence, it requires two kinds of evidence: something the user has (a token) and something the user knows (a password). Users of these solutions are typically issued a hardware or software token that displays a new one-time code at a fixed interval (for example, every 60 seconds), to be entered alongside the usual user ID and password. So even if an attacker compromises the password, he still needs the token (or, more precisely, the secret seed inside it) to authenticate, which considerably reduces the risk from password theft. Unfortunately, while such solutions have long been seen as an effective deterrent against password-based attacks, a new wave of sophisticated cyber attacks has targeted this very type of authentication and left the security industry reeling.
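To make the "token plus password" mechanism concrete, here is an added example that is not part of the original article and not RSA's code: SecurID's algorithm is proprietary, so the example uses the public time-based one-time password scheme (RFC 6238 TOTP, built on RFC 4226 HOTP) instead. The seed value is the RFC 6238 test seed, and the theft scenario in `seed_theft_demo` is constructed for illustration. Beyond what the paragraph says, it shows two things a practitioner should notice: the code on the token display is a pure function of the shared seed and the clock, so anyone who obtains a copy of the seed can compute the same code without touching the token; and a careful server-side verifier still needs a drift window, a constant-time comparison, and replay rejection of already-consumed counters.

```python
"""Time-based one-time passwords (RFC 6238 TOTP over RFC 4226 HOTP).

Added example: standard, public TOTP, not RSA's proprietary SecurID
algorithm. Same lesson applies: the displayed code is a function of
(shared seed, current time), so a stolen seed equals a cloned token.
"""
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(time / step)."""
    return hotp(seed, unix_time // step, digits)


class TotpVerifier:
    """Server side. Accepts a code for the current time step plus or minus
    `window` steps of clock drift, compares in constant time, and never
    accepts the same counter twice, so a sniffed code cannot be replayed
    inside its lifetime."""

    def __init__(self, seed: bytes, step: int = 30, window: int = 1, digits: int = 6):
        self.seed, self.step, self.window, self.digits = seed, step, window, digits
        self.last_counter = -1  # highest counter already consumed

    def verify(self, code: str, unix_time: int) -> bool:
        base = unix_time // self.step
        for drift in range(-self.window, self.window + 1):
            counter = base + drift
            if counter <= self.last_counter:
                continue  # already used, or older than the last accepted window
            expected = hotp(self.seed, counter, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time compare
                self.last_counter = counter
                return True
        return False


def seed_theft_demo(seed: bytes, unix_time: int) -> dict:
    """Constructed scenario (not a real incident): the legitimate user's
    token, and an attacker who holds a copy of the token's seed."""
    verifier = TotpVerifier(seed)
    user_code = totp(seed, unix_time)       # what the token display shows
    attacker_code = totp(seed, unix_time)   # computed from the seed alone
    return {
        "attacker_matches_token": attacker_code == user_code,
        "first_use_accepted": verifier.verify(user_code, unix_time),
        # same code presented again a few seconds later: counter is consumed
        "replay_rejected": not verifier.verify(user_code, unix_time + 5),
        # a token with a different seed produces a code the server rejects
        "wrong_seed_rejected": not verifier.verify(totp(b"other-seed", unix_time), unix_time),
    }


if __name__ == "__main__":
    demo_seed = b"12345678901234567890"   # RFC 6238 test seed, not a real secret
    print(totp(demo_seed, 59, digits=8))  # 94287082 per RFC 6238 Appendix B
    print(seed_theft_demo(demo_seed, 1111111109))
```

The design point is that the token itself is never consulted by the server; only the seed is. That is why a seed database, whether on a token vendor's servers or a company's authentication server, is a far more valuable target than any single password.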
A security nightmare
RSA, the security division of EMC, is one of the leading providers of security, risk and compliance solutions. With its SecurID line of two-factor authentication products, it has supplied token-based solutions to thousands of companies worldwide. In March 2011, RSA reported on its website that it had suffered a serious breach in which attackers had extracted information about its SecurID technology. Although technical details of the incident were not disclosed, the company admitted that the stolen information could potentially be used to reduce the effectiveness of the technology and make SecurID's authentication mechanism more vulnerable to attack.
With customers and the security industry in uproar, RSA moved to repair the damage by offering to replace SecurID tokens for its customers and by providing additional monitoring services to financial institutions that used the tokens to protect Web-based financial transactions.
From what has been disclosed about how the attack unfolded, it is clear that the attackers planned it well in advance and concluded that a subtle but well-crafted exploit had a higher chance of success than a full-scale network attack. This reflects a broader trend: attackers now use social engineering techniques such as personalized e-mails and messages to bypass advanced perimeter defenses like firewalls and network intrusion detection systems. These subtle attacks fly "below the radar" and give attackers a foothold inside the organization.
On a separate note, this incident is a classic case proving that no matter how many technical controls are in place, poor security awareness among employees can have disastrous consequences. Companies that handle sensitive information must give due weight to new types of online threats and make sure their employees are trained accordingly.
The recent attacks on RSA, Sony and other industry giants make it clear that attackers are no longer interested only in hacking banks and stealing credit card data; they have stepped up their game and are targeting other industries as well. The attack on this premier security company is a wake-up call for the security industry, and shows that, given time, every organization's weakness, however minor, can be exploited. It is time for companies to take a hard look at the flaws in their products and the security lapses of their staff, so that they do not make headlines for the wrong reasons.