Has IT security lost control?
The cyber theft at RSA has left the industry feeling more vulnerable than ever.
It was surprising to learn that the March 2011 cyber theft at RSA began in a similar way to the one experienced by Google in 2009. As the security solutions division of EMC, RSA is in the business of, well, IT security solutions. Google isn't.
Describing the theft as an advanced persistent threat (APT), RSA said some of the stolen information related to SecurID - a two-factor authentication product that handles IT access for 30 million users within over 30 000 companies.
APTs are ranked as the top-dogs in the cyber crime world, noted for their sophistication, co-ordination and determination. It seems the one at RSA began when info about a targeted set of employees was gathered from social media sites - as in Google's cyber robbery. The targets were then sent a spear phishing mail with an attached Excel spreadsheet, titled: '2011 Recruitment plan.xls.'
Copy cat crime
One of the targets opened the attachment - having retrieved it from their junk mail folder. Through a now-patched vulnerability in Adobe Flash, malware within the spreadsheet installed a 'backdoor' on the target's machine, allowing the villains to use it as their own. Pretty much the same as the early steps in Google's case.
Using the target's access rights, the villains climbed RSA's internal authorisations ladder, stealing more credentials and increasing the privileges associated with them in user, domain admin and service accounts. According to RSA: “They performed privilege escalation on non-administrative users in the targeted systems, and then moved on to gain access to key high value targets, which included process experts and IT and non-IT-specific server administrators.”
A big question for me is what were these access credentials? Weren't employees using RSA's own SecurID to authorise themselves within their own systems? Maybe not. Perhaps good old usernames and passwords were yet again at the very heart of yet another collapse in IT security.
Weren't employees using RSA's own SecurID to authorise themselves within their own systems?Mark Eardley is channel manager at SuperVision Biometric Systems.
Once the villains had the privileges they wanted, they shipped data out of RSA in a staged process, first to internal servers and then via FTP to an external server. From here the files were transferred again.
Nobody's saying exactly what they stole or what they may or may not be able to do with their loot. Who knows? Maybe they stole it for a bit of laugh.
It certainly wasn't much of laugh for RSA when it announced the cyber theft on 17 March. Concerns about a potential loss of IT security within RSA's customer base has already prompted Computer Associates to offer free - that's right, free - replacements of SecurID with their own authentication product.
Details on how the theft was executed were provided by Uri Rivner, RSA's head of New Technologies - Identity Protection.
World of war
Apart from the fact that this commentary on the cyber theft lacks reference to its 'sophistication', it interested me for other reasons. Rivner draws a parallel between APTs and U-boat 'wolf-packs', pointing out that it took several years for the Allies to devise counter-measures against the threat German submarines posed to transatlantic shipping.
He sees a similarity between the WW2 battle for the North Atlantic and the fact that RSA hasn't yet implemented measures to counter a cyber burglary that was apparently based on the abuse of antiquated access credentials.
What's incredible is that the villains were repeatedly able to steal credentials and operate as legitimate users. Passwords and PINs are known to be the most glaring security vulnerabilities in any IT system. Can it be that such a commonplace exploitation underpins the theft at RSA?
Or were they robbed by sophisticated uber-villains with no respect for access protocols that date back to the earliest days of computing. After all, this was an APT - the most advanced cyber thievery known to man. You can't possibly expect anybody to counter such a thing.
Aside from all that, there is more troubling commentary by another RSA exec, special consultant, Mischel Kwon, whose comments relate to her experience in the world of cyber security and how well RSA is managing its incident response. Of all the cyber incidents she has responded to, nothing compares to being “in the centre of such a storm”.
The storm analogy tells us - a bit obliquely - just how big a problem RSA thinks it is confronting. For someone who regards communications as “one of the most critical parts of a successful incident response”, Kwon likes to make people read between the lines a bit.
But the really instructive comments come at the end of her piece: make sure to have your own incident response plans polished-up and ready to go.
Bear in mind that Kwon is addressing SecurID customers - the very people whose IT security might be compromised by the APT: “This is also a good time for everyone to take out their incident response plans and re-evaluate the scenarios. Look at your communications plans, look at how to instil trust, look at your priorities.”
I'm also happy to add a few words of advice. Don't ever let anybody use your password or PIN. And for heaven's sake, don't store it anywhere. Don't even remember that you can't remember it. How could you remember it? You never knew it, right? Right.
As long as we all pull together as a team, we can close these gaping access loopholes. And IT security will be just fine. Just as it always has been.
* Mischel Kwon's commentary is at http://blogs.rsa.com/kwon/incident-response-done-deliberately-and-responsibly-a-company-and-community-effort/.
Mark Eardley has worked in the South African biometrics industry since 2006. He has directed the marketing for a local biometric brand and is currently responsible for business development at SuperVision Biometric Systems, South Africaâs oldest biometric specialist.