RSA is offering to replace virtually all 40 million SecurID token currently in use at major corporations worldwide, after acknowledging that a recent security breach at US defence contractor Lockheed Martin used information gleaned from a successful hack of RSA data in March.
RSA disclosed in March that it had detected a "very sophisticated cyber attack" on its systems, and that certain information related to the RSA SecurID product - which is widely used by banks and major corporations around the world to protect their internal and customer-facing systems - had been extracted.
At the time, RSA said it was "confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers".
However, late last week, RSA confirmed that the information taken in March had been used as an element of an attempted broader attack on Lockheed Martin, a major US government defence contractor.
Other weapons manufacturers are also rumoured to have faced similar attacks, with Northrop Grumman suspending all remote access to its network last week.
In an open letter to customers, RSA chief Art Coviello is now offering to replace SecurID tokens "for customers with concentrated user bases typically focused on protecting intellectual property and corporate networks".
In addition, he says, the company will work with customers to "implement risk-based authentication strategies for consumer-focused customers with a large, dispersed user base, typically focused on protecting web-based financial transactions".
Here's the full text of the RSA letter:
To Our Customers:
On March 17, 2011, RSA publicly disclosed that it had detected a very sophisticated cyber attack on its systems, and that certain information related to the RSA SecurID® product had been extracted. We immediately published best practices and our prioritized remediation steps, and proactively reached out to thousands of customers to help them implement those steps. We remain convinced that customers who implement these steps can be confident in their continued security, and customers in all industries have given us positive feedback on our remediation steps.
Certain characteristics of the attack on RSA indicated that the perpetrator's most likely motive was to obtain an element of security information that could be used to target defense secrets and related IP, rather than financial gain, PII, or public embarrassment. For this reason, we worked with government agencies and companies in the defense sector to replace their tokens on an accelerated timetable as an additional precautionary measure. We will continue these efforts.
Over the past several weeks, an unprecedented wave of cyber attacks against varied and high-profile targets such as Epsilon, Sony, Google, PBS, and Nintendo have commanded widespread public attention. These attacks are totally unrelated to the breach at RSA, but point to a changing threat landscape and have heightened public awareness and customer concern.
Against this backdrop of increasingly frequent attacks, on Thursday, June 2, 2011, we were able to confirm that information taken from RSA in March had been used as an element of an attempted broader attack on Lockheed Martin, a major U.S. government defense contractor. Lockheed Martin has stated that this attack was thwarted.
It is important for customers to understand that the attack on Lockheed Martin does not reflect a new threat or vulnerability in RSA SecurID technology. Indeed, the fact that the only confirmed use to date of the extracted RSA product information involved a major U.S. defense contractor only reinforces our view on the motive of this attacker.
We remain highly confident in the RSA SecurID product as the leading multi-factor authentication solution and we also feel strongly that the specific remediations we have provided to customers will help to deliver the highest levels of customer protection. However, we recognize that the increasing frequency and sophistication of cyber attacks generally, and the recent announcements by Lockheed Martin, may reduce some customers' overall risk tolerance.
As a result, we are expanding our security remediation program to reinforce customers' trust in RSA SecurID tokens and in their overall security posture. This program will continue to include the best practices we first detailed to customers in March, and will further expand two offers we feel will help assure our customers' confidence:
* An offer to replace SecurID tokens for customers with concentrated user bases typically focused on protecting intellectual property and corporate networks.
* An offer to implement risk-based authentication strategies for consumer-focused customers with a large, dispersed user base, typically focused on protecting web-based financial transactions.
We will continue to work with all customers to assess their unique risk profiles and user populations and help them understand which options may be most effective and least disruptive to their business and their users.
RSA's technologies, including RSA SecurID authentication, help protect much of the world's most critical information and infrastructure. The threats to digital information continue to escalate. As the leader in authentication solutions, our goal is to ensure that this growing threat environment does not impede the tremendous potential and opportunity of a trusted digital world. We believe that SecurID is the most powerful multi-factor authentication solution in the industry.
We will continue to invest heavily in both our SecurID and our risk-based authentication technologies. We will provide additional factors for strong authentication. We will integrate these solutions with our cybercrime intelligence to better identify suspicious behavior targeted at networks, transactions and user sessions. We will ensure that these technologies provide trusted access to virtual and cloud computing resources, leveraging our Cloud Trust Authority. And we will help customers more effectively create the kinds of layered defense capabilities essential to combat today's advanced threats by drawing on our broad portfolio of data loss prevention, security event management, deep packet inspection technologies, and our extensive services expertise.
Our customers remain our first priority.
Art Coviello
Executive Chairman, RSA