Friday evening, long after I and most of the country had shut down work for the holiday weekend, my phone beeped to alert me to new email. It was news that Lockheed Martin had been breached, a breach that stemmed from the RSA SecurID breach back in March.
Oh dear, I thought. This is not good. But it should not have surprised anyone. NSS Labs blogged about the potential fallout from the RSA breach back on March 18:
This was a strategic move to grab the virtual keys to RSA's customers, who are the most security conscious in the world. One or several RSA clients are likely the ultimate target of this attack. Military, financial, governmental, and other organizations with critical intellectual property, plans and finances are at risk. Coviello suggested this by saying "this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack."
Lockheed Martin and the Department of Homeland Security said that the breach was caught quickly and it appears no data was stolen. That's the good news.
The bad news is a second defense contractor, L-3, was hit.
In his blog, Bit9 CTO Harry Sverdlove wrote that reports suggest a keylogger was used in the Lockheed Martin attack; if that is true, efforts to strengthen password-based access at defense contractors will make no difference. Sverdlove wrote:
If the reports are true, and a keylogger was used in the attack, it wouldn't matter if Lockheed Martin had required 20 passwords; all of them would be compromised by the same initial infiltration.
How did the keylogger get installed in the first place? It has been suggested that the attack came from a remote system that connected to the network via a VPN. That would not surprise me. If you are going to attack a secure network, your best bet is to go after its most vulnerable endpoints, which often means remote machines or computers connecting from a subcontractor: systems that are not under the direct control of the target's security department.
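The collapse Sverdlove describes, as an added example that is not part of the original post or of any vendor's code: a Python simulation in which RFC 6238 TOTP stands in for the proprietary SecurID algorithm (an assumption, since RSA has not published it), with a constructed seed, PIN and keylogger capture. It shows that a keylogged passcode alone is useless once the tokencode expires, but a keylogged PIN combined with a seed stolen from the token vendor lets an attacker mint valid passcodes at will, and that rotating the PIN does nothing because the new PIN is captured the same way.

```python
import hashlib
import hmac
import struct

# Everything below is constructed for this example. RSA's SecurID algorithm and
# seed records are proprietary, so RFC 6238 TOTP (HMAC-SHA1, 30-second step,
# six digits) stands in for the token; the seed, PIN and keystrokes are made up.
STEP = 30
DIGITS = 6
ALICE_SEED = bytes(range(20))   # constructed 160-bit token seed held by user and server
ALICE_PIN = "4821"              # constructed PIN the user types ahead of the tokencode


def tokencode(seed: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP value for the 30-second step containing unix_time."""
    msg = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(seed, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** DIGITS)).zfill(DIGITS)


class AuthServer:
    """Knows each user's PIN and seed; accepts PIN + tokencode within a small
    clock-skew window and never accepts the same time step twice."""

    def __init__(self, users):
        self.users = dict(users)   # user -> (pin, seed)
        self.used = set()          # (user, time step) already consumed

    def set_pin(self, user: str, new_pin: str) -> None:
        _, seed = self.users[user]
        self.users[user] = (new_pin, seed)

    def verify(self, user: str, passcode: str, now: int, skew: int = 1) -> bool:
        pin, seed = self.users[user]
        if len(passcode) != len(pin) + DIGITS:
            return False
        got_pin, got_code = passcode[:len(pin)], passcode[len(pin):]
        if not hmac.compare_digest(got_pin, pin):
            return False
        for delta in range(-skew, skew + 1):
            step = (now + delta * STEP) // STEP
            if hmac.compare_digest(got_code, tokencode(seed, step * STEP)):
                if (user, step) in self.used:
                    return False   # straight replay of a consumed tokencode
                self.used.add((user, step))
                return True
        return False


def keylogger_capture(keystrokes: str) -> tuple:
    """What a keylogger on the VPN endpoint sees: the login form as typed,
    'user<TAB>passcode<ENTER>'. It does not need to understand the token at all."""
    user, passcode = keystrokes.rstrip("\n").split("\t")
    return user, passcode


def attacker_passcode(captured_passcode: str, stolen_seed: bytes, now: int) -> str:
    """Keep the keylogged PIN (everything before the tokencode) and swap the stale
    tokencode for a fresh one computed from the seed stolen from the vendor."""
    pin = captured_passcode[:-DIGITS]
    return pin + tokencode(stolen_seed, now)


def demo(t0: int = 1_306_500_000) -> dict:
    """Run the scenario; returns which logins the server accepted."""
    server = AuthServer({"alice": (ALICE_PIN, ALICE_SEED)})

    # 1. Alice logs in over the VPN from an infected laptop; the keylogger records it.
    typed = "alice\t" + ALICE_PIN + tokencode(ALICE_SEED, t0) + "\n"
    user, captured = keylogger_capture(typed)
    legit_ok = server.verify(user, captured, t0)

    # 2. Ten minutes later a plain replay fails: the captured tokencode has expired.
    replay_ok = server.verify(user, captured, t0 + 600)

    # 3. With the stolen seed the attacker mints a current tokencode behind the same PIN.
    forged_ok = server.verify(user, attacker_passcode(captured, ALICE_SEED, t0 + 600), t0 + 600)

    # 4. Forcing a PIN change does not help: the next login is keylogged just the same.
    server.set_pin("alice", "9130")
    _, captured2 = keylogger_capture("alice\t9130" + tokencode(ALICE_SEED, t0 + 3600) + "\n")
    forged_after_pin_change = server.verify(
        user, attacker_passcode(captured2, ALICE_SEED, t0 + 7200), t0 + 7200)

    return {"legit_accepted": legit_ok, "replay_accepted": replay_ok,
            "forged_accepted": forged_ok, "forged_after_pin_change": forged_after_pin_change}


if __name__ == "__main__":
    print(demo())
```

The point of the simulation is the asymmetry in step 2 versus step 3: time-based tokens defeat a keylogger on their own, and a keylogger defeats a static PIN on its own, but the stolen seed turns the keylogged PIN back into a complete, reusable credential. Seed replacement, not PIN rotation, is what closes that gap.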
Thom VanHorn, vice president of global marketing for Application Security, Inc., explained to me today why we have to take these breaches seriously. He told me:
It's not news that networks are being breached every day. When someone breaches a network, they are not just there to surf, they are ultimately after the sensitive information contained in that database. In this case, it was most likely sensitive defense information. This clearly illustrates that perimeter security is not enough, and database activity must be monitored to ensure that data does not get into the wrong hands.
Chris Ensey of SafeNet posted the following tips to help those affected by the recent (or any) breaches: