Organizations which deploy RSA Authentication Manager (SecurID) for enforcing two-factor authentication frequently think of their RSA SecurID solution only as an additional security control to enforce strong authentication to resources. However, by analyzing the wealth of log data that is generated by RSA Authentication Manager, organizations can gain valuable intelligence that can be useful to detect attacks and perhaps even predict new attacks.
Last year, I received an e-mail from one of the social networking sites I frequent, in the wake of a bulk password theft, asking me to change my password. I went ahead and did so, but I’m sure that many others did not. And some that did change their passwords may not have done so immediately. If, as an organization, you are concerned that attackers may use the credentials they have stolen to access user accounts, then time is of the essence. So you’d want to reset all passwords now.
In his introduction to the Innovation Sandbox at RSA Conference, Hugh Thompson remarked on the critical role that small companies have in driving innovation. That’s certainly true and it was great to see the innovations of the 10 finalists who presented on Monday. But Hugh’s remark got me thinking about other dimensions of innovation, particularly in the light of the phenomenal range of capabilities evident in the exhibition hall at the conference.
On January 30, the New York Times acknowledged that it had been a victim of a security breach. The Times claims this was the result of a long, targeted attack allegedly committed by attackers located in China to gain access to corporate email and data. It is now also coming out that the Wall Street Journal and the Washington Post were compromised in similar attacks for similar reasons.
To understand the power of Jeremi’s cluster, we first need to understand how to guess passwords. If 348 billion guesses are made in one second, then trying all 95^8 possible passwords (every 8-character string over the 95 printable ASCII characters) takes 95^8 divided by 348 billion seconds. This works out at approximately 19,064 seconds, or nearly 5 hours and 18 minutes.
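The arithmetic above generalizes to any alphabet size, password length and guess rate. The following Python calculator is an added example, not code from the original post or from Jeremi's cluster; it assumes the 95-character printable-ASCII alphabet and the 348-billion-guesses-per-second rate quoted above, and the one-year target used to ask "how long must a password be to survive this rig?" is an assumption chosen for illustration.

```python
"""Brute-force exhaustion calculator (added example; figures below are assumptions
taken from the post: 95 printable ASCII characters, 348e9 guesses per second)."""

PRINTABLE_ASCII = 95                 # size of the printable ASCII alphabet
CLUSTER_RATE = 348_000_000_000       # guesses per second quoted for the cluster
ONE_YEAR = 365 * 24 * 3600           # illustrative "must survive this long" target


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters over the alphabet."""
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password of this length at the given rate."""
    return keyspace(charset_size, length) / guesses_per_second


def expected_seconds(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Average-case time: on average the right guess lands halfway through the keyspace."""
    return seconds_to_exhaust(charset_size, length, guesses_per_second) / 2


def human_duration(seconds: float) -> str:
    """Render a duration as e.g. '5h 17m 44s' or '20d 23h 4m 21s'."""
    total = int(seconds)
    days, rem = divmod(total, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, secs = divmod(rem, 60)
    parts = []
    if days:
        parts.append(f"{days}d")
    if days or hours:
        parts.append(f"{hours}h")
    parts.append(f"{minutes}m")
    parts.append(f"{secs}s")
    return " ".join(parts)


def min_length_to_survive(charset_size: int, guesses_per_second: float,
                          target_seconds: float) -> int:
    """Smallest length whose full keyspace takes longer than `target_seconds` to exhaust."""
    length = 1
    while seconds_to_exhaust(charset_size, length, guesses_per_second) <= target_seconds:
        length += 1
    return length


if __name__ == "__main__":
    for length in range(6, 11):
        secs = seconds_to_exhaust(PRINTABLE_ASCII, length, CLUSTER_RATE)
        print(f"{length:2d} chars: {keyspace(PRINTABLE_ASCII, length):>22,d} candidates, "
              f"exhausted in {human_duration(secs)}")
    print("Length needed to outlast one year:",
          min_length_to_survive(PRINTABLE_ASCII, CLUSTER_RATE, ONE_YEAR))
```

Running the script reproduces the post's figure for 8-character passwords (about 19,064 seconds, 5h 17m 44s) and shows that each additional character multiplies the work by 95: nine characters takes roughly three weeks on the same hardware, and ten is the first length whose full keyspace takes more than a year at this rate.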
Far too often, we fail to see the obvious weaknesses in our defenses. Over 50 million consumer passwords have been reported stolen in 2012 alone in highly visible ‘smash and grab’ attacks. Yahoo, LinkedIn, Zappos, eHarmony…the list goes on. This is the equivalent of robbery in broad daylight. How did we as an industry let [...]
We’ve all heard of Personally Identifiable Information or PII (social security number, drivers license number, birth dates) and Protected Health Information or PHI (medical diagnosis codes, medical history), but have you heard of Personal Password Information or PPI? No?
Advanced Threats are deeply impacting the way we develop secure products by fundamentally changing our working assumptions. We used to design and develop products to be attack resistant assuming that the environment where they will be deployed may be compromised. We now have to develop and design products assuming that every system in the customer environment, in the development environment and in the supply chain may be compromised.
We can reinforce them with other form factors and can use multi-factor authentication in many places, but we have passwords all over the place and that is basically not going to change for the foreseeable future. Something must be done to beef up the security of passwords in general (and of other credentials) to force the bad guys to ever greater costs and difficulty (and lower likelihood of success), and that is the spirit behind RSA’s announcement today of RSA Distributed Credential Protection. But before diving into that, let’s talk about the landscape and the problem scope.
Announcing RSA Distributed Credential Protection! Scramble, randomize and split your passwords into multiple locations.