Published: April 4, 2011
On Friday, RSA Security held an analyst conference to provide more details on the recent security breach and subsequent investigation. RSA provided a bit more detail on the "Advanced Persistent Threat" (APT), the actual root cause of the security breach. Apparently, cyber criminals did a lot of intelligence gathering on specific RSA employees. It appears that the bad guys gained network access through HR, by sending bogus e-mails to RSA employees with the subject, "2011 Recruiting Plan." When users opened the Excel spreadsheet attached to these e-mails, it launched a zero-day exploit that compromised their systems. From there it was a matter of grabbing credentials, scanning the network, finding particular servers, and then exfiltrating the source code.
RSA explained that once the attack was in progress, its security systems were able to detect anomalous behavior. This led to the discovery of the breach and a succession of internal CERT activities and external communications.
We still don't know a lot of details about the event, and we aren't likely to know them for a while. RSA has to be careful to balance short-term disclosure with its ongoing investigation and cooperation with domestic and international law enforcement. Unfortunately, this lack of clarity has led to a cacophony of speculation, rumors, and misinterpretation about what happened and why. It also exposed a general lack of understanding about IT security. Alarmingly, some of this lack of understanding comes from the analyst community and even the IT user community. Let me provide a few examples:
Okay, so before I get off my high horse, let me wrap up with a few points. Cyber security is not a technology problem alone, so any vendor, blogger, or analyst that tells you it could have prevented the RSA attack with its security tools either doesn't understand IT security or is lying. The bad guys know how to pull an end-around on any individual system.
Finally, if RSA suffered a security breach, anyone can suffer a security breach. Why aren't we paying more attention to this problem and demanding more comprehensive (i.e., education, federal funding, research, legislation, etc.) action?
Seems to me that we will remain aloof until the lights go out for a few months. Shame on us if this happens.
You can read Jon's other blog entries at Insecure About Security.