Feeds

RSA defends handling of two-pronged SecurID breach

'Our adversaries left information' exec says, as FBI probe continues

Internet Security Threat Report 2014

RSA Europe Two groups from the same country teamed up to launch a sophisticated attack against RSA Security's systems last March, EMC's security division said.

Unspecified information gained during the attack paved the way towards an unsuccessful attack against a defence contractor (self-identified as Lockheed Martin), senior RSA execs said during the opening of the RSA Conference in London on Tuesday.

"Two groups were involved in the attack," Thomas Heiser, RSA Security president, said during a keynote at the conference. "Both are known to authorities but they have never worked together before."

"The attack involved a lot of preparation," he added.

Forensic examination in the wake of attack on RSA's systems allowed the security arm of EMC to draw tentative conclusions about the origin and purpose of the assault on systems that underpinned its SecurID two-factor authentication technology.

RSA executive chairman Art Coviello said that "one group was very visible and one less so". Coviello declined to point the finger of blame towards any particular country but said during a later question-and-answer session that both came from the same country. "We've not attributed it to a particular nation state," Coviello said. "However with the skill and degree of resources involved it could only have been a nation state."

Coviello's comments painted a picture of the attack as a collaboration between criminal hackers and either a military or intelligence agency, even though he sidestepped a question on whether this was a correct interpretation of his remarks.

Fallout

Heiser downplayed both the impact of the attack and RSA Security's subsequent drip-drop disclosure of what exactly happened and how it had affected customers of its flagship SecurID two-factor authentication technology, which is widely used for secure remote access to corporate email or intranet applications.

"There was one attack on RSA," he said. "The information taken from the RSA attack was a vector in one other attack, which was thwarted. We know of no other attack.

"We killed the attack while it was still in progress and communicated rapidly with our customers as much as we could tell them."

Both the FBI and Department of Homeland Security are continuing to investigate the case.

"Our adversaries left information," Heiser said. "We didn't want to thwart the investigation, so for that reason we haven't disclosed everything we know."

RSA was widely criticised for its reluctance to disclose details of the assault. Even now, more than six months after the assault, it will only say that information related to SecurID was stolen. It hasn't said what was taken although it has been widely suggested that it might have been the seed database used to generate one-time codes on the devices it supplies.

RSA Security offered to supply enterprise customers with replacement tokens in response to the attack. Both Coviello and Heiser declined to say how many tokens it has replaced, although, pressed on the point, Coviello said it was a "small percentage".

During a question-and-answer session, Heiser denied accusations that many customers had been "left hanging" in the aftermath of the attack.

"We got out to our top 500 customers relatively quick. We have many thousands of other customers which we don't deal with directly, so there wasn't that that kind of hand-holding. We have to rely on our marketing press and partners," he said.

"We disclosed everything we could without putting other customers at risk," he said.

Hackers were looking for 'defence-related intellectual property'

Heiser said that RSA was a pawn in a bigger assault: "The motive was to gain access to defence-related intellectual property. RSA was not the target but a means to an end," he said.

Coviello said one of the ironies of the attack was that it validated trends in the market that had prompted RSA to buy network forensics and threat analysis firm NetWitness just before the attack. Security programs need to evolve to be risk-based and agile rather than "conventional" reactive security, he argued.

"The existing perimeter is not enough, which is why we bought NetWitness. The NetWitness technology allowed us to determine damage and carry out remediation very quickly," Coviello said.

"Organisations are defending themselves with the information security equivalent of the Maginot Line as their adversaries easily outflank perimeter defences," Coviello added. "People are the new perimeter contending with zero-day malware delivered through spear-phishing attacks that are invisible to traditional perimeter-based security defences such as antivirus and intrusion detection systems." ®

Security for virtualized datacentres

More from The Register

next story
Knock Knock tool makes a joke of Mac AV
Yes, we know Macs 'don't get viruses', but when they do this code'll spot 'em
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
Why weasel words might not work for Whisper
CEO suspends editor but privacy questions remain
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
BlackEnergy crimeware coursing through US control systems
US CERT says three flavours of control kit are under attack
prev story

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
New hybrid storage solutions
Tackling data challenges through emerging hybrid storage solutions that enable optimum database performance whilst managing costs and increasingly large data stores.
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.