
What security lessons can we learn from RSA SecurID hacking?

Thursday, May 26th, 2011

A month after RSA was hacked, the world is still in disbelief that one of the oldest and most trusted security companies has been breached. Some RSA SecurID customers have switched to a different authentication solution out of concern about the breach, and the remaining customers still worry about what further breaches could result from the RSA hack.

So, as hackers took RSA data away in this security incident, what lessons can RSA and other companies take away from it?

Lesson 1: Identify, encrypt and protect valuable information assets
Always know what you need to protect, and always prepare for the worst for your most valuable assets.

Even though EMC RSA has not disclosed a complete list of the data lost, RSA SecurID seed records were reportedly stolen, and apparently were not encrypted, leaving them usable by the attackers for token prediction. If these sensitive records had been encrypted and protected with an appropriate level of security, such as dual control and authentication, the breach would not have caused as much outcry for an encryption company like RSA.

Lesson 2: Employee training and awareness on email security and phishing
The RSA hack was the result of spear-phishing: employees were sent emails at their company addresses and tricked into opening an attached spreadsheet containing a zero-day exploit that installed a backdoor. Email is known to be the primary phishing vector. Even though it is sometimes legitimate to give a company email address to business partners, employees should be trained to treat company email addresses as valuable information that needs to be protected from unauthorized use or misuse, which includes not posting company addresses on social web sites or giving them to unsolicited parties. If the attackers had not been able to send email to company addresses, the hack might not have been as easy.

Needless to say, employee awareness of the various phishing schemes and social-engineering techniques is also necessary.

Lesson 3: Ensure the effectiveness of the firewall and perimeter protection
In the RSA hack, the backdoor (a Poison Ivy variant) was installed on the compromised PC and reached out from inside to the outside (outbound) for command and control, rather than being operated from the outside (inbound). The attacker was then able to use FTP to transfer password-protected RAR files from the RSA file server to an outside staging server at a hosting provider.

It is apparent that RSA either did not have a firewall in place or did not implement its firewall rules properly to prevent unauthorized outbound connections. This shows how important it is to review the configuration and rules of the perimeter devices (firewall, routers and/or IDS) for effective protection.

Lesson 4: DLP needs to be in place and effective
The data should have been protected with a proper DLP mechanism at the perimeter to prevent FTP or HTTP uploads from internal hosts to external hosts, or at least to alert on abnormal transfers.
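As an added example (not from the original post), here is a small Python detector for the two behaviours Lessons 3 and 4 describe: internal hosts opening outbound FTP sessions to external hosts, and an abnormally large outbound transfer to a single external destination. The log format, the addresses, the RFC 1918 internal ranges and the 20 MiB threshold are all constructed assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log (hypothetical format): timestamp src dst dport bytes_sent
SAMPLE_LOG = """\
2011-03-01T10:02:11 10.10.5.23 10.10.1.7 445 1200
2011-03-01T10:05:43 10.10.5.23 203.0.113.8 443 9800
2011-03-01T11:00:00 198.51.100.20 10.10.5.23 21 100
2011-03-01T22:14:02 10.10.5.23 198.51.100.20 21 3200
2011-03-01T22:14:30 10.10.5.23 198.51.100.20 20 52428800
2011-03-01T22:31:09 10.10.5.23 198.51.100.20 20 41943040
2011-03-02T08:00:00 10.10.6.4 10.10.1.7 445 400
"""
# The organisation's own address space (assumed RFC 1918 ranges here).
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FTP_PORTS = {20, 21}  # FTP data and control ports
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\d+)$")

def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse(log):
    """Yield (ts, src, dst, dport, nbytes) tuples, skipping malformed lines."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, dst, dport, nbytes = m.groups()
            yield ts, src, dst, int(dport), int(nbytes)

def find_exfil(log, byte_threshold=20 * 1024 * 1024):
    """Flag outbound FTP sessions, and internal->external host pairs whose
    total outbound volume exceeds byte_threshold regardless of protocol."""
    alerts = []
    volume = defaultdict(int)
    for ts, src, dst, dport, nbytes in parse(log):
        if not is_internal(src) or is_internal(dst):
            continue  # only internal -> external traffic matters here
        if dport in FTP_PORTS:
            alerts.append(("outbound_ftp", ts, src, dst, dport))
        volume[(src, dst)] += nbytes
    for (src, dst), total in volume.items():
        if total > byte_threshold:
            alerts.append(("large_outbound_volume", src, dst, total))
    return alerts

if __name__ == "__main__":
    for alert in find_exfil(SAMPLE_LOG):
        print(alert)
```

Matching on ports only catches FTP on its standard ports; the per-destination volume check is what would still flag the transfer if it went over HTTP or a non-standard port.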

Lesson 5: Malware detection and employee awareness
It is apparent that RSA failed to detect the malware in the email attachment, and the employee was not aware of the risk of opening an unrecognized external email attachment. Given how common malware is in hacking incidents, malware detection and prevention need to be in place, and employees need to be educated to avoid becoming victims of malware. Research on potential malware polymorphism or variants could give a company an advantage in defending against malware beyond the known exploits.

With all that said, despite all the security hardware, software and training in place, there is always a chance that an attacker can cause a breach somehow, so effective intrusion detection and monitoring is required. It is not clear how RSA detected this APT-type SecurID hack, but network IDS or host IDS will help security analysts identify breaches. SEMS or SIEM will provide easier correlation among different systems if the relevant events are captured and aggregated into it. Hopefully someday RSA will tell the story of how the hack was detected and prove to the world the value of security devices and software, so that companies will continue to buy EMC/RSA security products with some faith in the security of a company that was once well respected.