On Friday, RSA Security held an analyst conference to provide more details on the recent security breach and the subsequent investigation. RSA gave a bit more detail on the "Advanced Persistent Threat" (APT) that was the actual root cause of the breach. Apparently the attackers did a lot of intelligence gathering on specific RSA employees. It appears they gained network access through HR, by sending bogus emails to RSA employees with the subject "2011 Recruitment Plan" and an Excel spreadsheet attached. When users opened the spreadsheet, it launched an embedded zero-day exploit that compromised their systems. From there it was a matter of harvesting credentials, scanning the network, locating particular servers, and then exfiltrating the source code.
RSA explained that once the attack was in progress, its security systems were able to detect anomalous behavior. This led to the discovery of the breach and a succession of internal CERT activities and external communications.
We still don't know a lot of details about the event, and we aren't likely to know them for a while. RSA has to balance short-term disclosure against its ongoing investigation and its cooperation with domestic and international law enforcement. Unfortunately, this lack of clarity has led to a cacophony of speculation, rumors, and misinterpretation of what happened and why. It has also exposed a general lack of understanding about IT security. Alarmingly, some of this lack of understanding comes from analysts and even from the IT user community. Let me provide a few examples:
1. The breach was the result of a technology problem. It's an overused cliché, but IT is about people, processes, and technologies, not just technologies. Since people are the weakest link in the security chain (another appropriate cliché), cyber criminals have learned to exploit people as part of their attacks. Once a user's system is compromised, it can behave normally for days, weeks, or months before the attackers make their move. Before the trendy term "APT," we used to call these "low-and-slow" attacks. My point is that normal behavior looks normal, so security technologies have nothing to catch until the actual exfiltration takes place.
2. RSA should have used its anti-fraud technology to detect the attacks in real time. This one sounds sensible except that the anti-fraud software was designed for a completely different and specific threat: financial fraud. Yes, some anti-fraud functionality might have helped, but this is like saying an airplane's autopilot would improve automotive safety. Apples and oranges. Should users be forced to re-authenticate every time they download an executable? Yeah, try selling that process to a line-of-business manager. Any authentication or whitelisting technology that gets in the way of user productivity will have a short lifespan.
3. RSA's lack of employee training was at fault. Clearly some employee was duped into opening a malicious attachment, but before we throw stones it is important to dissect this a bit further. The email didn't have a generic subject like "I love you"; rather, it was a targeted attack aimed at HR people with a plausible business-process subject, "2011 Recruitment Plan." The email likely appeared to come from a known or at least "trusted" source. You can train people all you want, but when an email looks like it comes from a friend or colleague, someone will open a malicious attachment.
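Point 1 above is worth making concrete: a compromised workstation that only reads mail and browses the intranet produces nothing a tool can flag, and the first observable is the exfiltration burst. The example below is an added illustration, not code from the original post and not anything RSA has described about its own monitoring. It learns a per-host baseline of daily outbound bytes over a quiet period and alerts when a later day blows past that baseline or when a host starts sending a day's worth of data to a destination it never talked to before. The host names, destination addresses, dates and byte counts in the log are constructed for the example.

```python
"""Per-host outbound-volume baseline as a last-line exfiltration detector.

Added example, not from the original post or from RSA. SAMPLE_LOG is
constructed; in practice these records would come from proxy or NetFlow
exports. Format per line: date host destination bytes_sent.
"""
from collections import defaultdict
from statistics import median

# Constructed sample: hr-ws-17 is a quiet HR workstation that suddenly ships
# 120 MB to an unknown address on day 7; dev-ws-03 pushes ~40 MB/day to git
# every day, which is normal *for that host*.
SAMPLE_LOG = """\
2011-03-01 hr-ws-17 mail.example.com 1800000
2011-03-01 hr-ws-17 intranet.example.com 600000
2011-03-02 hr-ws-17 mail.example.com 2100000
2011-03-02 hr-ws-17 intranet.example.com 500000
2011-03-03 hr-ws-17 mail.example.com 1900000
2011-03-03 hr-ws-17 intranet.example.com 700000
2011-03-04 hr-ws-17 mail.example.com 2000000
2011-03-04 hr-ws-17 intranet.example.com 550000
2011-03-05 hr-ws-17 mail.example.com 2200000
2011-03-05 hr-ws-17 intranet.example.com 650000
2011-03-06 hr-ws-17 mail.example.com 1950000
2011-03-06 hr-ws-17 intranet.example.com 600000
2011-03-07 hr-ws-17 mail.example.com 2050000
2011-03-07 hr-ws-17 203.0.113.45 120000000
2011-03-01 dev-ws-03 git.example.com 40000000
2011-03-02 dev-ws-03 git.example.com 38000000
2011-03-03 dev-ws-03 git.example.com 45000000
2011-03-04 dev-ws-03 git.example.com 41000000
2011-03-05 dev-ws-03 git.example.com 39000000
2011-03-06 dev-ws-03 git.example.com 44000000
2011-03-07 dev-ws-03 git.example.com 42000000
"""


def parse_log(text):
    """Parse 'date host dest bytes' lines into dicts; blank/comment lines skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        date, host, dest, nbytes = line.split()
        records.append({"date": date, "host": host, "dest": dest, "bytes": int(nbytes)})
    return records


def daily_totals(records):
    """Return host -> {date -> total outbound bytes}."""
    totals = defaultdict(lambda: defaultdict(int))
    for r in records:
        totals[r["host"]][r["date"]] += r["bytes"]
    return totals


def baseline(daily, train_days):
    """Median and MAD of the first train_days daily totals (the quiet period)."""
    dates = sorted(daily)[:train_days]
    values = [daily[d] for d in dates]
    med = median(values)
    mad = median([abs(v - med) for v in values])
    return med, mad, set(dates)


def flag_anomalies(records, train_days=6, factor=5.0):
    """Alert on days after the training window that exceed the host's own
    baseline, or that send more than a typical day's total to a new destination."""
    alerts = []
    totals = daily_totals(records)
    for host, daily in totals.items():
        med, mad, train_dates = baseline(daily, train_days)
        spread = max(mad, 0.1 * med)  # floor so a very flat baseline doesn't alert on noise
        threshold = med + factor * spread
        known_dests = {r["dest"] for r in records
                       if r["host"] == host and r["date"] in train_dates}
        for date in sorted(daily):
            if date in train_dates:
                continue
            if daily[date] > threshold:
                alerts.append({"host": host, "date": date, "reason": "volume",
                               "bytes": daily[date], "threshold": threshold})
            for r in records:
                if (r["host"] == host and r["date"] == date
                        and r["dest"] not in known_dests and r["bytes"] > med):
                    alerts.append({"host": host, "date": date, "reason": "new destination",
                                   "dest": r["dest"], "bytes": r["bytes"]})
    return alerts


if __name__ == "__main__":
    for a in flag_anomalies(parse_log(SAMPLE_LOG)):
        print(a)
```

Two things to notice. The developer workstation moves twenty times more data per day than the HR workstation and is never flagged, because the baseline is per host; an absolute byte threshold would have to be set so high that the HR burst slips under it. And the detector says nothing about days 1 through 6 even if the attacker was already on the box, which is exactly the author's point: a compromised host that is only harvesting credentials and scanning looks like any other host, and an attacker who trickles data out under the threshold over weeks will not trip this either.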
Okay, before I get off my high horse, let me wrap up with a few points. Cyber security is not a technology problem alone, so any vendor, blogger, or analyst who tells you their security tools could have prevented the RSA attack either doesn't understand IT security or is lying. The bad guys know how to do an end run around any individual system.
Finally, if RSA suffered a security breach, anyone can suffer a security breach. Why aren't we paying more attention to this problem and demanding more comprehensive (i.e. education, federal funding, research, legislation, etc.) action?
Seems to me we will remain complacent until the lights go out for a few months. Shame on us if that happens.