Feeds

RSA defends handling of two-pronged SecurID breach

'Our adversaries left information' exec says, as FBI probe continues

3 Big data security analytics techniques

RSA Europe Two groups from the same country teamed up to launch a sophisticated attack against RSA Security's systems last March, EMC's security division said.

Unspecified information gained during the attack paved the way towards an unsuccessful attack against a defence contractor (self-identified as Lockheed Martin), senior RSA execs said during the opening of the RSA Conference in London on Tuesday.

"Two groups were involved in the attack," Thomas Heiser, RSA Security president, said during a keynote at the conference. "Both are known to authorities but they have never worked together before."

"The attack involved a lot of preparation," he added.

Forensic examination in the wake of attack on RSA's systems allowed the security arm of EMC to draw tentative conclusions about the origin and purpose of the assault on systems that underpinned its SecurID two-factor authentication technology.

RSA executive chairman Art Coviello said that "one group was very visible and one less so". Coviello declined to point the finger of blame towards any particular country but said during a later question-and-answer session that both came from the same country. "We've not attributed it to a particular nation state," Coviello said. "However with the skill and degree of resources involved it could only have been a nation state."

Coviello's comments painted a picture of the attack as a collaboration between criminal hackers and either a military or intelligence agency, even though he sidestepped a question on whether this was a correct interpretation of his remarks.

Fallout

Heiser downplayed both the impact of the attack and RSA Security's subsequent drip-drop disclosure of what exactly happened and how it had affected customers of its flagship SecurID two-factor authentication technology, which is widely used for secure remote access to corporate email or intranet applications.

"There was one attack on RSA," he said. "The information taken from the RSA attack was a vector in one other attack, which was thwarted. We know of no other attack.

"We killed the attack while it was still in progress and communicated rapidly with our customers as much as we could tell them."

Both the FBI and Department of Homeland Security are continuing to investigate the case.

"Our adversaries left information," Heiser said. "We didn't want to thwart the investigation, so for that reason we haven't disclosed everything we know."

RSA was widely criticised for its reluctance to disclose details of the assault. Even now, more than six months after the assault, it will only say that information related to SecurID was stolen. It hasn't said what was taken although it has been widely suggested that it might have been the seed database used to generate one-time codes on the devices it supplies.

RSA Security offered to supply enterprise customers with replacement tokens in response to the attack. Both Coviello and Heiser declined to say how many tokens it has replaced, although, pressed on the point, Coviello said it was a "small percentage".

During a question-and-answer session, Heiser denied accusations that many customers had been "left hanging" in the aftermath of the attack.

"We got out to our top 500 customers relatively quick. We have many thousands of other customers which we don't deal with directly, so there wasn't that that kind of hand-holding. We have to rely on our marketing press and partners," he said.

"We disclosed everything we could without putting other customers at risk," he said.

Hackers were looking for 'defence-related intellectual property'

Heiser said that RSA was a pawn in a bigger assault: "The motive was to gain access to defence-related intellectual property. RSA was not the target but a means to an end," he said.

Coviello said one of the ironies of the attack was that it validated trends in the market that had prompted RSA to buy network forensics and threat analysis firm NetWitness just before the attack. Security programs need to evolve to be risk-based and agile rather than "conventional" reactive security, he argued.

"The existing perimeter is not enough, which is why we bought NetWitness. The NetWitness technology allowed us to determine damage and carry out remediation very quickly," Coviello said.

"Organisations are defending themselves with the information security equivalent of the Maginot Line as their adversaries easily outflank perimeter defences," Coviello added. "People are the new perimeter contending with zero-day malware delivered through spear-phishing attacks that are invisible to traditional perimeter-based security defences such as antivirus and intrusion detection systems." ®

3 Big data security analytics techniques

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.