SafeNet

The Defense Industry Cyber Attacks – What to do after the dust settles

In my post last week I discussed the breach that occurred as a result of the RSA seed data theft last year. I provided a few very tactical steps that should be taken by any SecurID customer hosting sensitive or mission-critical data. This week, as the dust settles and more information surfaces, it feels like the right time to talk strategy. If I were in the shoes of an organization dealing with a potentially untrusted OTP platform, what would I do? What are the best steps to safeguard against future leakage of seed data, given that this could happen again? What technologies should I be looking at if not OTP?

Given the scenario highlighted in the recent breach (and the subsequently reported breaches), the available reports indicate that the network administrators addressed the problem as fast as they could by shutting off remote access and putting plans in place to trade out tokens for newly generated units. There has been no public disclosure of which tokens they will be using or of any other mitigating actions, but I would offer a few recommendations:

1.)  Current network administrators have to consider the tokens issued prior to the breach as threats to their network. Getting new tokens is a no-brainer in the near term, but it still leaves customers open to additional risk down the road: given the potential for further theft of seed data, customers may be revisiting this fire drill again in the near future. Some OTP platforms can be inflexible, and customers fear that a migration will be a pain-filled process. In the near term, customers can trade tokens for tokens, but they should migrate to platforms that give them better migration capability and technology flexibility.

2.)  Moving from a vendor-controlled OTP product to a customer-controlled authentication platform: It is not enough to just buy a token and rely on the vendor to guarantee you are protected. Network administrators guarding sensitive data must take ownership of their authentication management and OTP issuance. This removes the risk associated with vendor-managed solutions. Many OTP vendors maintain databases of serial numbers and seed values to ease customer service calls, authenticator replacement and inventory management; a breach of that database exposes every token it describes. Customers should migrate to solutions that put them in control, offering capabilities like self-provisioning and deprovisioning of tokens. Some solutions even include brokering capability, allowing the organization to phase in new technologies, leverage different form factors and integrate with many remote access solutions.
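As an added illustration (not SafeNet's or any vendor's code), here is a minimal customer-controlled OTP store in Python: seeds are generated on-premise with the OS random source, codes are verified locally within a bounded resync window, and deprovisioning revokes a token by deleting its seed so no vendor-held copy is needed. The HOTP algorithm (RFC 4226), the serial-number format and the look-ahead size are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import struct

# Added example, not vendor code: a customer-controlled HOTP (RFC 4226) seed
# store. Seeds never leave the organization, so there is no vendor database
# of serial/seed pairs to be stolen.

DIGITS = 6
LOOK_AHEAD = 5  # assumed resync window: counters past the last accepted one


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TokenStore:
    """Customer-side store: provision, verify and deprovision tokens locally."""

    def __init__(self):
        self._tokens = {}  # serial -> {"seed": bytes, "counter": int}

    def provision(self, serial: str, seed: bytes = None) -> bytes:
        # Seed is generated on-premise; the returned bytes are loaded onto the
        # token once and are never shared with a vendor.
        if serial in self._tokens:
            raise ValueError("serial already provisioned")
        seed = seed or secrets.token_bytes(20)
        self._tokens[serial] = {"seed": seed, "counter": 0}
        return seed

    def deprovision(self, serial: str) -> None:
        # Tokens issued before a suspected seed compromise are revoked by
        # deleting their seed; the serial can never authenticate again.
        self._tokens.pop(serial, None)

    def verify(self, serial: str, code: str) -> bool:
        rec = self._tokens.get(serial)
        if rec is None:
            return False
        for c in range(rec["counter"], rec["counter"] + LOOK_AHEAD + 1):
            if hmac.compare_digest(hotp(rec["seed"], c), code):
                rec["counter"] = c + 1  # this and earlier counters are now burned
                return True
        return False
```

The seed passed to `provision` in the test below is the RFC 4226 test-vector secret, used only so the expected codes are known.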

3.)  Strengthen protection with certificate-based authenticators: Securing data associated with our national security and defense industry cannot be taken lightly. While OTP provides a very good remote access solution for some organizations, it is not the only option out there, and there are certainly more secure alternatives. The higher the sensitivity of the data, the greater the need for stronger forms of authentication. Government directives such as HSPD-12 drive us down the path of certificate-based solutions, including hybrid tokens that also have OTP capability. Certificate-based implementations include hardware-based key lifecycle management covering generation, verification, storage and backup.

As we have seen, this is a repeatable attack. Take immediate action, but focus on a migration path that leads to a more secure remote access solution rather than just more of the status quo. Everyone knows there will be some near-term pain in switching out vulnerable tokens, but the wise traveler plans for the road ahead. My advice… treat this unexpected event as an opportunity to prepare your organization for the future.


This entry was posted in Authentication, Cybersecurity, Data Breach, Government, Token by Chris Ensey.
