RSA, the security division of EMC Corp, has furnished additional details about the security breach that resulted in the theft of information related to its SecurID products. At the time, RSA billed what took place as an "extremely sophisticated cyber attack", even as observers questioned whether its SecurID two-factor authentication technology had been effectively compromised.
Dropping the company's veil of silence on the matter to date, Uri Rivner, head of new technologies, consumer identity protection at RSA, has retraced the various stages of the security breach in a blog entry titled "Anatomy of an Attack." This is commendable, since few enterprises are willing to divulge such information. Before we ask whether there is anything that SMBs can learn from the security breach, let us first take a look at what actually happened:
Unfortunately, nothing short of deploying advanced IDS or IPS appliances will have any realistic chance of detecting the kind of advanced persistent threat (APT) highlighted here. Even then, a dedicated and trained employee is needed to notice the alerts and take steps to halt (or blunt) an ongoing attack. Given that smaller SMBs are unlikely to find these appliances (or security-trained staff) affordable, what steps can they take to reduce their exposure?
I have a couple of suggestions.
Training Against Phishing Not Optional
It is to the as-yet unidentified hackers' credit that their spear-phishing campaign took a mere two days to yield the desired results. The fact that the selected targets were not high-level executives, who might have grown suspicious and sounded the alarm, underscores the relevance and urgency of conducting security training at all levels of the company. Such training helps guard employees against falling prey to social engineering, whether by giving away crucial information or by performing actions that can be leveraged to break into the corporate network.
The Importance of Software Updates
The attackers in this instance used a new, previously unknown exploit to break into a workstation on RSA's network. While SMBs should not discount the possibility of the same happening to them, why leave the door open by having workstations run out-of-date or unpatched software?
Finally, you might also want to read a related blog that I wrote recently on how hackers target SMBs.