What SMBs Can Learn from the RSA Security Breach

Paul Mah

RSA, the security division of EMC Corp, has furnished additional details about the security breach that resulted in the theft of information related to its SecurID products. RSA has billed what took place as an "extremely sophisticated cyber attack" at that time, even as observers questioned whether its SecurID two-factor authentication technology had been effectively compromised.

 

Dropping the company's veil of silence to date on the matter, Uni Rivner, head of new technologies, consumer identity protection at RSA has retraced the various stages of the security breach in a blog entry titled: "Anatomy of an Attack." This is commendable since few enterprises are willing to divulge such information. Before we ask if there is anything that SMBs can learn from the security breach though, let us first take a look at what actually happened:

 

  • Spear phishing campaign was initiated, which saw two emails being sent over a two-day period to small groups of low/mid profile targets.
  • One of the employees was enticed by the subject line of "2011 Recruit Plan" and opened its attached spreadsheet, which was titled "2011 Recruitmentplan.xls."
  • Spreadsheet was embedded with a Flash attachment that exploits a new (zero-day) security vulnerability to install a backdoor in the form of a remote administration tool.
  • Attackers performed digital "shoulder surfing" using the remote administration tool for a path to more valuable assets. Access to high-value strategic users were sought and eventually obtained.
  • Data relating to SecurID was ultimately accessed and siphoned out via FTP to another compromised machine on the Internet. The files are subsequently erased in a bid to obfuscate the attackers' tracks.

 

Unfortunately, nothing short of the implementation of advanced IDS or IPS will have any realistic chance of detecting the advanced persistent threats (APT) highlighted here. Even then, the presence of a dedicated and trained employee is required to detect and initiate steps so as to halt (or blunt) an ongoing attack. Given that smaller SMBs are unlikely to find these appliances (or security-trained staff) affordable, what are some steps they can take to reduce their exposure?

 

I have a couple of suggestions.

 


Training Against Phishing Not Optional

 

It is to the as-yet unidentified hackers' credit that their spear-phishing campaign took a mere two days to yield the desired results. The fact that the selected targets were not high-level executives who might get suspicious and sound the alarm underscores the relevance and urgency of conducting security training on all levels of the company. This will help guard employees against falling prey to social engineering, either giving away crucial information or performing actions that can be leveraged to break into the corporate network.

 

The Importance of Software Updates

 

The attackers in this instant utilized a new, previously unknown exploit in order to break into a workstation in RSA's network. While SMBs should not discount the possibility of the same happening to them, why leave the door open by having workstations run out-of-date or unpatched software?

 

Finally, you might also want to read a related blog that I wrote recently on how hackers target SMBs.



Add Comment      Leave a comment on this blog post

Post a comment

 

 

 

 


(Maximum characters: 1200). You have 1200 characters left.

 

null
null

 

Subscribe to our Newsletters

Sign up now and get the best business technology insights direct to your inbox.