Author(s): Jon Oltsik

Published: April 4, 2011

RSA Reveals More Details About Its Security Breach

On Friday, RSA Security held an analyst conference to provide more details on the recent security breach and subsequent investigation. RSA provided a bit more detail on the "Advanced Persistent Threat" (APT), the actual root cause of the security breach. Apparently, cyber criminals did a lot of intelligence gathering on specific RSA employees. It appears that the bad guys gained network access through HR by sending bogus e-mails to RSA employees with the subject, "2011 Recruiting Plan." When users opened the attached Excel spreadsheet, it launched a 0-day exploit that compromised their systems. From there it was a matter of grabbing credentials, scanning the network, finding particular servers, and then exfiltrating the source code.

RSA explained that once the attack was in progress, its security systems were able to detect anomalous behavior. This led to the discovery of the breach and a succession of internal CERT activities and external communications.

We still don't know a lot of details about the event, and we aren't likely to know them for a while. RSA has to be careful to balance short-term disclosure with its ongoing investigation and cooperation with domestic and international law enforcement. Unfortunately, this lack of clarity has led to a cacophony of speculation, rumors, and misinterpretation about what happened and why. It also exposed a general lack of understanding about IT security. Alarmingly, some of this lack of understanding comes from the analyst and even the IT user community. Let me provide a few examples:

  1. The breach was the result of a technology problem. It's an overused cliché, but IT is about people, processes, and technologies, not just technologies. Since people are the weakest link in the security chain (another appropriate cliché), cyber criminals have learned to exploit people as part of their attacks. Once a user's system is compromised, it can act normally for days, weeks, or months before launching an attack. Before the trendy term "APT," we used to call these "low-and-slow" attacks. My point here is that normal behavior looks normal, so security technologies have nothing to catch until the actual exfiltration takes place.
  2. RSA should have used its anti-fraud technology to detect the attacks in real time. This one makes sense except for the fact that the anti-fraud software was designed for a completely different and specific threat: financial fraud. Yes, there may be some anti-fraud functionality that would have helped, but this is like saying that an airplane's autopilot technology would help increase automotive safety. Apples and oranges. Should users be forced to re-authenticate every time they download an executable? Yeah, try selling that process to a line-of-business manager. Any authentication or whitelisting technology that gets in the way of user productivity will have a short lifespan.
  3. RSA's lack of employee training was at fault. Clearly some employee was duped into clicking on a malicious download, but before we throw stones here it is important to dissect this a bit further. The e-mail didn't have a generic subject like "I love you"; rather, it was a targeted attack aimed at HR people with an appropriate business-process subject, "2011 Recruitment Plan." The e-mail likely came from a known or at least "trusted" source. You can train people all you want, but when an e-mail looks like it comes from a friend or colleague, someone will open a malicious attachment.
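The reasoning in item 1 (a compromised host looks normal until it starts moving data) and the anomalous-behavior detection RSA described above are why many defenders baseline each host's outbound volume and usual destinations and alert on departures from it. The Python below is an added illustration of that idea; it is not RSA's tooling or anything from the original post, and the flow records, host names, addresses, volumes and thresholds are all constructed for the example.

```python
"""Minimal per-host outbound-volume baseline used as an exfiltration signal.

Added illustration; not RSA's tooling. Flow records, host names, IPs and
volumes are constructed for the example."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow summaries: (day, src_host, dst_ip, outbound_mb).
# Days 1-5 are quiet; on day 6 hr-ws-01 pushes a large volume to an address it
# has never talked to before, while hr-ws-02 behaves as usual.
FLOWS = [
    (1, "hr-ws-01", "10.0.0.5", 45), (1, "hr-ws-01", "203.0.113.10", 12),
    (2, "hr-ws-01", "10.0.0.5", 50), (2, "hr-ws-01", "203.0.113.10", 10),
    (3, "hr-ws-01", "10.0.0.5", 40), (3, "hr-ws-01", "203.0.113.10", 15),
    (4, "hr-ws-01", "10.0.0.5", 48), (4, "hr-ws-01", "203.0.113.10", 11),
    (5, "hr-ws-01", "10.0.0.5", 52), (5, "hr-ws-01", "203.0.113.10", 9),
    (6, "hr-ws-01", "10.0.0.5", 47), (6, "hr-ws-01", "203.0.113.10", 12),
    (6, "hr-ws-01", "198.51.100.77", 850),
    (1, "hr-ws-02", "10.0.0.5", 30), (1, "hr-ws-02", "203.0.113.10", 5),
    (2, "hr-ws-02", "10.0.0.5", 32), (2, "hr-ws-02", "203.0.113.10", 6),
    (3, "hr-ws-02", "10.0.0.5", 28), (3, "hr-ws-02", "203.0.113.10", 7),
    (4, "hr-ws-02", "10.0.0.5", 31), (4, "hr-ws-02", "203.0.113.10", 4),
    (5, "hr-ws-02", "10.0.0.5", 29), (5, "hr-ws-02", "203.0.113.10", 6),
    (6, "hr-ws-02", "10.0.0.5", 33), (6, "hr-ws-02", "203.0.113.10", 6),
]
BASELINE_DAYS = {1, 2, 3, 4, 5}


def daily_totals(flows):
    """Sum outbound MB per (host, day) and record the destinations seen that day."""
    totals = defaultdict(int)
    dests = defaultdict(set)
    for day, host, dst, mb in flows:
        totals[(host, day)] += mb
        dests[(host, day)].add(dst)
    return totals, dests


def host_baseline(flows, baseline_days):
    """Per host: mean and spread of daily outbound MB over the baseline window,
    plus the set of destinations the host normally talks to."""
    totals, dests = daily_totals(flows)
    per_host = defaultdict(lambda: {"volumes": [], "dests": set()})
    for (host, day), mb in totals.items():
        if day in baseline_days:
            per_host[host]["volumes"].append(mb)
            per_host[host]["dests"] |= dests[(host, day)]
    baseline = {}
    for host, rec in per_host.items():
        mu = mean(rec["volumes"])
        # Floor sigma at 5% of the mean so a very flat baseline does not turn
        # every small fluctuation into a huge z-score.
        sigma = max(pstdev(rec["volumes"]), 0.05 * mu)
        baseline[host] = {"mean": mu, "sigma": sigma, "dests": rec["dests"]}
    return baseline


def detect_exfil(flows, baseline_days, z_threshold=3.0, min_factor=5.0):
    """Flag (host, day) pairs outside the baseline window whose outbound volume is
    both z_threshold sigmas above and at least min_factor times the host's
    baseline mean. Requiring both keeps small blips on quiet hosts from alerting."""
    totals, dests = daily_totals(flows)
    baseline = host_baseline(flows, baseline_days)
    alerts = []
    for (host, day), mb in sorted(totals.items()):
        if day in baseline_days or host not in baseline:
            continue  # a host with no baseline (first-seen asset) needs separate handling
        b = baseline[host]
        z = (mb - b["mean"]) / b["sigma"]
        if z >= z_threshold and mb >= min_factor * b["mean"]:
            alerts.append({
                "host": host, "day": day, "outbound_mb": mb, "z": round(z, 1),
                # Destinations absent from the baseline are the first thing to triage.
                "new_destinations": sorted(dests[(host, day)] - b["dests"]),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_exfil(FLOWS, BASELINE_DAYS):
        print(alert)
```

Run as-is, the script reports one alert: hr-ws-01 on day 6, with 198.51.100.77 listed as a destination never seen during the baseline, and nothing for hr-ws-02. The caveat matches the post's "low-and-slow" point: an intruder who trickles data out in small pieces over weeks stays under a daily volume threshold, so the new-destination check and longer aggregation windows matter as much as the volume test.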

Okay, so before I get off my high horse, let me wrap up with a few points. Cyber security is not a technology problem alone, so any vendor, blogger, or analyst that tells you it could have prevented the RSA attack with its security tools either doesn't understand IT security or is lying. The bad guys know how to pull an end-around on any individual system.

Finally, if RSA suffered a security breach, anyone can suffer a security breach. Why aren't we paying more attention to this problem and demanding more comprehensive (i.e., education, federal funding, research, legislation, etc.) action?

Seems to me that we will remain aloof until the lights go out for a few months; shame on us if this happens.

You can read Jon's other blog entries at Insecure About Security.

Comments

RSA swears customers to secrecy in exchange for ha April 6, 2011, 10:57 AM

[...] Jon Oltsik, senior principal analyst at Enterprise Strategy Group, says he did sign an NDA. “Let me put it this way, I learned a little more,” he says, adding that as an analyst, he doesn’t know whether he heard the same discussion RSA is sharing with its customers. He notes RSA is starting to discuss the topic of the break-in more. “We’re in uncharted waters. They’re trying to be cautious.” [...]





Jon Oltsik is an ESG senior principal analyst and the founder of the firm’s information security service. With over 25 years of technology industry experience, Jon is widely recognized as an expert in all aspects of information security and is often called upon to help customers understand a CISO's perspective and strategies. Recently, Jon has been an active participant with cybersecurity issues, legislation, and technology within the U.S. federal government.
