Attack on RSA shows level of threat, need for ISP vigilance
An 'advanced persistent threat' attack may have compromised RSA's SecurID authentication technology, potentially leaving millions of users vulnerable and forcing ISPs to rethink their own approaches to network security.
If security vendor RSA can be successfully attacked by hackers, what does that mean for the rest of us?
That’s the bottom-line reality of last week’s “broad” and “sophisticated” attack on EMC’s RSA security unit – which apparently also breached the security of its SecurID tokens, potentially broadening the impact to millions of additional users.
Complete details of the attack have yet to be released, but the attack apparently was on databases associated with the company’s popular security device, which issues one-time passwords or “tokens” that, when associated with a user name and yet another password, allow users to access corporate networks and applications. While acknowledging the attack, RSA has also downplayed the impact, including in a letter from Executive Chairman Art Coviello that said:
“While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack.”
RSA SecurID’s so-called “two-factor” authentication process is miles ahead of most end-user log-in processes, which typically revolve around an often easy-to-decipher password such as the user’s name or even the word “password” itself.
Speculation has centered on the fear that hackers may have swiped RSA’s “root seed file,” which would potentially render its SecurID devices vulnerable and cause companies to replace the secure tokens.
So how does this impact Internet Service Providers and their customers? A few things come to mind:
- If an ISP is reselling SecurID tokens to its business customers, it’s likely already knee-deep in this quagmire. RSA has held conference calls with its customer base and huddled with the government (including the Pentagon) and large corporate users, but for smaller ISPs and businesses the issue is a bit cloudy at present. Work with your customers and employees to inform them of the dangers, and keep an eye out for odd network security activity.
- Realize that ISPs are among a group of companies – including security companies, software makers and networking companies – that will increasingly be the target of the type of highly sophisticated “advanced persistent threat” attacks that RSA faced. The security of your customers is only as good as your own internal security systems and processes.
- The RSA attack, while potentially reducing the effectiveness of its two-factor authentication product, actually re-emphasizes the need for sophisticated authentication processes – not only for PCs and laptops but increasingly for connected devices like smartphones and tablets.
- Encourage your users to implement tough-to-crack passwords and to steer clear of social engineering efforts to steal their data. The SecurID users most vulnerable post-attack include those who chose passwords with simple digit strings, such as “12345.” And while an attack on an authentication database is newsworthy, everyday phishing attacks that seek out user passwords on an individual basis leave every user open to attack if they aren’t careful with whom they share their authentication data.
© 2012 Penton Media Inc.


