Most of you have heard about the breach at RSA, in which SecurID token authentication implementation data was stolen.
In case you did not heard about it, click in the following link, prior to continue reading.
http://news.cnet.com/8301-27080_3-20044775-245.html
As we, as Security Professionals must design and implement identity management and authentication policies as part of our job, I believe that now, many of us need to rethink our proposed solutions.
Our main objective should be:
How to create a more resilient authentication framework?
First of all... We need to realize and accept three facts
1) Any authentication system that is 100% compromised as a result of the RSA breach is totally flawed from scratch.
2) We all learned that, but for a lot of reasons (funding, politics, restritions, time constraints) many Security Professionals lack in implement authentication and authorization methods on their security design. Time to rethink it too.
3) Old standards needs to die. Things like the usual password strength requirements don't work any more. We're living in the Internet era. Those requirements could work in the Client-Server LAN model, but not on the web.
Rather than simple password dictionary/complexity stuff, we must design our systems looking for new standards.
So, we need to look for modern authentications schemes like the ones based on entropy algorithms or really start to consider biometrics as part of our daily multi-factor authentication policies (today it's common to buy a regular notebook that comes with a biometric device embedded) but it's hard to see it deployed on enterprises as part of the authentication policy.
And, more than authentication...Authorization must be enforced.
Least privilege
Hard to maintain, yes.
But the fail to keep it can result in issues like the ones we're seeing now.
I believe we need to adjust our thinking about what authentication means once again and how to secure and enforce it once again.
Including the countermeasures.
Best Regards
Some additional interesting links:
http://www.nsslabs.com/research/analytical-brief-rsa-breach.html
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0322
http://www.codenamewindows.com/?tag=windows-8-modern-authentication-technology
http://www.lysator.liu.se/~jc/mthesis/
http://www.limited-entropy.com/dnie-device-auth