Lessons From the RSA Breach
By Stephen Bell
October 04, 2011 — CSO — In the world of ICT security "the fundamental threat landscape has changed" -- again -- in the past 18 months, says Andy Solterbeck, Australia-NZ general manager for security specialist RSA.
Embarrassingly, in March this year, RSA's own network was breached by an advanced attack that combined "social engineering" -- falsely gaining the confidence of employees -- with phishing, malware-infected emails and "privilege escalation": the attacker, posing as one of the targeted personnel, used their network privileges to gain indirect access to highly secure parts of the network.
RSA, which sells the SecurID two-factor authentication system, is convinced the attack came from a "nation-state actor"; an agency of government in an overseas country, says Solterbeck.
As evidence for this he cites the sophistication of, and the resources probably required to launch, what RSA describes as an "advanced persistent threat", and the fact that the information gained in the penetration of RSA's network was used to mount an attack on defence contractor Lockheed Martin later in the year -- an attack that was unsuccessful, Solterbeck emphasises.
It was part of "a fairly broad set of attacks against the defence-contracting community, where they were going after intellectual property. That gives you a pretty good indication as to what the orientation of that initial attack was," he says.
Security attacks were originally mounted chiefly to demonstrate skill and score points in the hacker community. In the past few years, the dominant motive has been financial -- seeking, for example, to steal credit-card numbers. The more recent involvement of nation states and discontented groups acting from political motives marks another major change of target, he says.
Organisations can do a lot to meet threats even when they apparently come from such powerful entities as governments, he says, by changing their approach to protection.
RSA is boosting its capabilities and offerings to the market in several areas. "The first is analytics and forensics; the ability to understand at a packet and session level, what's going on in the network; so you can firstly understand what's happening that's not normal; and then if you are breached, you have the ability to replay the attack; to understand what just occurred."
The rumour is that the RSA attackers may have gained access to a random-number "seed", which would have allowed them to generate valid SecurID authentication tokens. RSA immediately offered to recall and reissue customer tokens, and many customers took advantage of that offer.
RSA now knows what the attackers did get. "Unfortunately, we're not allowed to share that," says Solterbeck.