At the RSA conference, executives explained its SecurID breach – but kept some details quiet
RSA revealed that the attack on its SecurID systems earlier this year was directed by two groups from the “same nation state” working in tandem. One group was fairly visible, RSA said, but the other was more covert. The aim was to cause distraction while the stealth group penetrated the system.
It was a time for reflection at the RSA Conference Europe as executives from the security division of EMC reported what they could about the attack. Art Coviello, executive chairman of RSA, pointed out that the irony of the breach was that it brought validation to a strategy the company was already starting to implement.
Team’s Rapid Response
“We knew for a long time that existing perimeter defences are not effective. This was one of the reasons why we bought NetWitness [a real-time network forensics company]. It’s one of the reasons why we had that technology deployed internally at RSA – and having NetWitness did allow us to see the attack in progress and to minimise the damage. But more important, from the point of view of our customers, it let us determine exactly what was taken at a very fast rate.”
Pausing only to ensure that forensic evidence was not disturbed, RSA began to notify its customers about the breach. Tom Heiser, RSA’s president, said that a letter was posted on the Website and 17,000 partners and customers were directly contacted as soon as possible afterwards. Within a week, the company had posted a best practices document to guide customers on how to protect themselves. As it happens, Coviello said, only one customer was compromised because of the breach.
Heiser said that companies have to be prepared for attacks that are “lower and slower” – they sit lower down in the system stack and the hackers take their time to avoid detection. The forensic evidence showed that two groups had been working together from the same geographical area. He added that the trail back to the attackers’ actual sources became too diffuse to be sure that the implicated country was the one directing the attack, and he refused to say who he thought was behind it.
“We are very confident that, with the skill and degree of resource behind the attack, it could only have been perpetrated by a nation state,” Heiser said, but he would go no further.
Despite reports at the time of the breach that seed values at the core of RSA’s SecurID were stolen, Coviello played this down at the press conference in London and insisted that nothing directly usable by the hackers had been stolen, adding that not many of its customers were directly affected by the incident.
Five Steps To Improved Security
There was an air of urgency in the conference keynotes. In his address about what companies should do to ensure that any attack will only cause minimum damage, Heiser said that there were five considerations.
The first was to identify clearly what data is of value to adversaries, not just what is important to the company; the two are not necessarily the same. The second was to stop relying on signature-based detection, because Advanced Persistent Threats (APTs) do not follow a recognised pattern of behaviour.
The third point, he said, was the most important, because the only way to detect APTs was to monitor security systems and networks closely. For this, the latest security information and event management (SIEM) tools should be deployed to give “situational awareness”, Heiser said.
The fourth point was to harden authentication systems and to ensure that logons were available only to essential staff. Central directories, such as Microsoft Active Directory (AD), should be populated sparingly and any information stored in them should be disguised as much as possible. In the attack, the hacking groups took note of how user names were formulated and stored in AD, then replicated that naming convention when creating their own user names, which made the fake users of the system harder to find.
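The detection that follows from this point is a reconciliation of the directory against an authoritative source: an account that fits the naming convention perfectly but belongs to nobody in HR is exactly the kind of blended-in user the article describes. The script below is an added example, not code from the article or from RSA. It assumes a hypothetical convention of first initial plus surname, a hypothetical HR roster and a hypothetical service-account allowlist; the account list and roster are constructed sample data, where a real deployment would export them from AD and the HR system.

```python
import re
from dataclasses import dataclass

# Hypothetical naming convention: first initial + surname, lowercase letters only.
NAME_PATTERN = re.compile(r"^[a-z]{3,}$")


@dataclass(frozen=True)
class Account:
    sam: str            # logon name as stored in the directory
    display_name: str
    created: str        # ISO date (constructed sample data)


def expected_sam(first: str, last: str) -> str:
    """Logon name the convention would produce for a person on the roster."""
    return (first[0] + last).lower()


def reconcile(accounts, roster, service_allowlist=frozenset()):
    """Compare directory accounts with the HR roster.

    Returns a dict with:
      'orphaned'      - accounts that follow the naming convention but map to
                        nobody on the roster (the blended-in fake users the
                        article describes)
      'nonconforming' - accounts that neither follow the convention nor are
                        on the service-account allowlist
    """
    expected = {expected_sam(first, last) for first, last in roster}
    report = {"orphaned": [], "nonconforming": []}
    for acct in accounts:
        if acct.sam in service_allowlist:
            continue                      # known service account, reviewed separately
        if acct.sam in expected:
            continue                      # owned by someone on the roster
        if NAME_PATTERN.match(acct.sam):
            report["orphaned"].append(acct.sam)
        else:
            report["nonconforming"].append(acct.sam)
    for key in report:
        report[key].sort()
    return report


# Constructed sample data, not from any real directory or HR system.
SAMPLE_ROSTER = [("Alice", "Ng"), ("Bob", "Ortega"), ("Carol", "Diaz")]
SAMPLE_ACCOUNTS = [
    Account("ang", "Alice Ng", "2009-03-02"),
    Account("bortega", "Bob Ortega", "2010-07-19"),
    Account("cdiaz", "Carol Diaz", "2011-01-11"),
    Account("dkim", "Dan Kim", "2011-03-04"),          # fits the convention, no HR record
    Account("svc_backup", "Backup Service", "2008-05-01"),
    Account("x7-temp", "temp", "2011-03-04"),          # does not fit the convention
]
SERVICE_ALLOWLIST = frozenset({"svc_backup"})

if __name__ == "__main__":
    print(reconcile(SAMPLE_ACCOUNTS, SAMPLE_ROSTER, SERVICE_ALLOWLIST))
```

Run periodically, the "orphaned" list is the one to act on first: those accounts were deliberately built to pass a glance, so a name-based review will not catch them, while a roster join does. The "nonconforming" list mainly catches undocumented service accounts and should feed the allowlist rather than an alert.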
The final point Heiser made was that the education of staff is vitally important. Guidance on the use of authentication and on keeping passwords private is always needed, but staff should also be given guidance on the use of social networks, particularly business-oriented open directories such as LinkedIn. Access to these networks should be barred, or moved to virtualised desktop systems that can be isolated from the business network.
The hackers are going where the richest pickings can be found. If proof were needed, the research from Microsoft presented by Adrienne Hall, general manager at Microsoft Trustworthy Computing, in her keynote bore witness to this.
Microsoft Security Intelligence Report volume 11 (SIRv11) has just been released, and it shows that in the first half of this year only one percent of attacks targeted zero-day vulnerabilities. Hall said that malware distributed through social engineering and older but unpatched vulnerabilities were easier routes to valuable data.