The security and business world is reeling from the news that attackers managed to breach the information systems of security firm RSA.
While the security division of EMC immediately notified customers that a breach had taken place, public details of exactly what was stolen, how, and when have been thin, giving rise to a plethora of speculation by analysts and competitors.
In an open letter to customers, RSA said only that information had been stolen and that some of it relates to RSA's SecurID two-factor authentication products. No indication has been given about what other information was stolen beyond that it was not customer or employee personally identifiable information.
Art Coviello, executive chairman of RSA, was quick to tell customers that the information extracted did not enable a successful direct attack.
But he went on to say that the stolen information "could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack," which has given rise to even more speculation.
Critics of the way the breach has been handled have called for more information about what was stolen, but RSA told Computer Weekly that SecurID customers have all the information they need to keep their systems secure.
Levels of exposure
What few, if any, reports around the breach have highlighted is that RSA has been sharing details of exactly what was stolen, and how it may be used by attackers, with customers under non-disclosure agreements, based on their specific exposure.
This approach was absolutely necessary, says RSA, because intensive investigations into the attack are still underway and the company is keen not to reveal any information that could be useful to the attackers.
RSA rejects the contention that the attack proves the token-based two-factor authentication model is broken. There are ways around every security control, senior executives say, but they claim there is still no stronger model than RSA's.
Those who understand how RSA SecurID implementations really work, they say, understand that while the threat is serious, it is not catastrophic and there is no need to panic.
Six elements make up an RSA SecurID deployment, three of which are never under RSA's control, which, RSA says, makes stolen data extremely difficult for any attacker to exploit. Even if all RSA's databases were compromised, it would be extremely unlikely that an attacker could link a personal identification number (PIN), a token and a user identity.
If the attacker had a token serial number, it would be usable only if it could be linked to a user ID, but, says RSA, it is extremely unlikely that the attacker could find a match among an almost infinite number of combinations within the three attempts RSA systems allow, and all such attempts trigger alerts.
A third way attackers could hypothetically use compromised information would be a brute-force attack on the authentication manager system, but this is also extremely difficult, says RSA, as it would mean first getting into the system, then decrypting the PINs and the implementation-specific key, and then linking those to a token code.
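The layering RSA describes above can be made concrete in a small model. The code below is an added illustration, not RSA's code: the article does not describe how SecurID token codes are generated, so a generic HMAC-over-time function stands in for the token algorithm, and every seed, serial number, PIN and user name is made up. What it does take from the article is the structure of the check (PIN plus token code, with the user-to-serial mapping and PIN held only by the customer's authentication manager) and the three-attempt limit with alerting, and it shows why an attacker who could compute valid token codes for a serial still fails without the other elements.

```python
"""Model of a SecurID-style layered check (constructed example, not RSA code).

Assumptions: the tokencode() function is a generic HMAC stand-in for the
token's proprietary algorithm; seeds, serials, PINs and users are invented.
"""
import hashlib
import hmac
import time

MAX_ATTEMPTS = 3  # the article says RSA systems allow three attempts


def tokencode(seed: bytes, t: int, step: int = 60) -> str:
    """Six-digit code from a secret seed and the current time step.
    Only the shape (secret seed + time -> code) matters here."""
    counter = (t // step).to_bytes(8, "big")
    digest = hmac.new(seed, counter, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


class AuthManager:
    """Customer-side authentication manager: the only place where user ID,
    PIN, serial number and seed are brought together."""

    def __init__(self):
        self.users = {}     # user_id -> {"serial": ..., "pin": ...}
        self.seeds = {}     # serial -> seed bytes
        self.failures = {}  # user_id -> consecutive failed attempts
        self.alerts = []    # what an administrator would be shown

    def enrol(self, user_id, serial, seed, pin):
        self.users[user_id] = {"serial": serial, "pin": pin}
        self.seeds[serial] = seed
        self.failures[user_id] = 0

    def verify(self, user_id, passcode, now=None) -> bool:
        """passcode = PIN + tokencode. Unknown or locked users are refused
        and alerted; three consecutive failures lock the user."""
        now = int(time.time()) if now is None else now
        rec = self.users.get(user_id)
        if rec is None or self.failures.get(user_id, 0) >= MAX_ATTEMPTS:
            self.alerts.append(f"attempt on unknown or locked user {user_id!r}")
            return False
        expected = rec["pin"] + tokencode(self.seeds[rec["serial"]], now)
        if hmac.compare_digest(passcode, expected):
            self.failures[user_id] = 0
            return True
        self.failures[user_id] += 1
        if self.failures[user_id] >= MAX_ATTEMPTS:
            self.alerts.append(f"user {user_id!r} locked after {MAX_ATTEMPTS} failures")
        return False


def demo(now: int = 1_700_000_000) -> dict:
    """Constructed scenario: the attacker holds the seed for one serial and so
    can compute a valid tokencode, but does not know which user the serial
    belongs to or that user's PIN."""
    am = AuthManager()
    seed = bytes.fromhex("00112233445566778899aabbccddeeff")  # made-up seed
    am.enrol("alice", "000123456", seed, pin="4821")           # made-up user
    code = tokencode(seed, now)  # attacker can compute this from the seed

    legit = am.verify("alice", "4821" + code, now)        # right PIN + live code
    wrong_user = am.verify("bob", "4821" + code, now)     # serial->user guess wrong
    pin_guesses = [am.verify("alice", pin + code, now)    # right code, wrong PIN
                   for pin in ("0000", "1234", "1111")]
    locked_out = am.verify("alice", "4821" + code, now)   # correct, but now locked
    return {"legit": legit, "wrong_user": wrong_user,
            "pin_guesses": pin_guesses, "locked_out": locked_out,
            "alerts": list(am.alerts)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point the model makes is the one RSA makes: even a correct token code is worth nothing without the PIN and the user-to-serial mapping, both of which live with the customer, and the lockout means the PIN cannot simply be guessed online. The flip side, which the article's own hardening guidance reflects, is that an attacker who already knows a user's PIN and serial (for example through social engineering) is in a very different position.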
No-one is immune from APT threats
The important takeaway for customers and non-customers alike is that no organisation, not even RSA, is immune from APT threats.
Coviello said investigations had revealed that the attack was in the category of an advanced persistent threat (APT). Senior RSA executives emphasise that, while the attack was highly targeted and SecurID was its objective, it was a general attack on RSA's systems that did not compromise any RSA technology or exploit any single point of failure.
The IT security community is recognising that APTs are specifically constructed to subvert installed security defences. Typically, an APT is a series of attacks using different techniques to probe corporate defences until they are bypassed.
Coviello warned that APT threats are becoming a significant challenge for all large corporations.
Check out virtual risks
To identify this threat, organisations need to deploy technologies that not only identify all potential threats through behaviour analysis, but are also able to test all suspicious elements in a virtual environment, says Ashar Aziz, chief executive of security firm FireEye.
This two-phase approach has proven very effective in identifying APTs, Aziz told Computer Weekly, because it investigates all suspicious behaviours on a network without disrupting business, since it eliminates all false positives.
RSA issued a list of general recommendations that organisations should follow to improve overall security defences as well as guidance on hardening their RSA implementations.
It is probably not a coincidence that many of these relate to ensuring that people within organisations adhere to good security practices, because the human element remains one of the weakest links in IT security defences, says John Walker, member of the security advisory group of the London chapter of ISACA.
"As leaders in security RSA will have very credible systems in place, but at the end of the day, every organisation has to employ people, and the minute you invite someone into your organisation, you invite potential risk," he says.
Hackers use social engineering
Social engineering, says RSA, while still not simple, is probably the best tool an attacker has at their disposal, as humans, whether end users or administrators, can always be tricked into handing over PINs, tokens or serial numbers.
Walker points out that in all the best-known spy cases in the world, every spy has typically had top-level clearance to get close to the information they want.
"I am sure RSA has done all the right things, but I would suspect there was some internal collusion going on here, which is an area that is very difficult to manage," he says.
While shocking, Walker says this data breach should not be a black mark against RSA, but is an indication that the genie is well and truly out of the bottle and that organisations can no longer afford to ignore the threat of APTs.