Following the disclosure by RSA Security over the weekend that its computers had been hacked and information relating to its two-factor authentication software, called SecurID, had been compromised, customers that rely on RSA’s software are wondering what steps they should take next. That’s as it should be, but I would like to look at this from a different angle.
The security professionals who work for RSA are some of the best in the business. Well, you might ask, if they’re so good then how did they get hacked? It’s pretty simple why they were hacked, but not so simple how. RSA, like Google and Adobe before it, is an extremely attractive target because they are the gatekeepers to a substantial amount of very valuable information.
Google appears to have been targeted to gain access to several email accounts belonging to Chinese human rights activists, while Adobe has never said what was of interest. If I had to guess, it would not be to get free copies of InDesign, but probably has something to do with their Content Server software that protects access to PDF files and eBooks.
In all of these cases, the hack was perpetrated by an extremely sophisticated Advanced Persistent Threat (APT) attack. APTs are not done just to deface a web page or to gain bragging rights. They are very expensive, time-consuming efforts to achieve a very specific objective. APTs can use dozens of pathways to claim their prize: emails targeted to specific employees, booby-trapped web pages, zero-day software exploits, and of course social engineering, where people are pwned to gain access to specific assets.
So before you pat yourself on the back because you aren’t using SecurID authentication, you might want to spend some time working on a plan to harden your own network against APTs, especially if your product is used to secure other companies’ information or if you are a government, financial institution, or purveyor of high-technology products.
How to Defend Against the APT?
Based on the new threat vectors of the APT, the following are key things organizations can do to defend against the threat:
- Manage stupidity within your organization. Many threats enter a network by tricking the user into clicking a link that they shouldn’t click on. Face it, you cannot prevent people from doing stupid things, but by limiting their access to the assets they need to do their jobs, moving valuable assets to isolated systems, and training your employees what to look for, you can minimize the damage. You might want to think about banning access to the Internet from employees’ workstations and setting up a pool of systems that can only be used to access the Internet but not your local network. Perhaps issue a read-only virtual desktop or a bootable flash drive to your workers for Internet access. Even if the desktop is infected while it is running, the infection cannot be brought back inside the organization.
- Ban the use of unencrypted USB flash drives within your organization. The US Department of Defense figured this one out a long time ago when malware crept into a secure network on one. After they relaxed the ban, Bradley Manning allegedly walked out with a ton of embarrassing information on a writable CD-ROM, so the ban was put back into place with much stronger teeth. If you have a need for flash drives (and frankly, who doesn’t), SPYRUS makes a pair of very cool encrypting USB flash drives that can be locked down to specific PCs so that they cannot be used on systems outside of your secure network. This means that threats cannot come in and confidential information cannot go out on them.
- Monitor for that sucking sound. Seriously, once the APT has successfully invaded, the targeted information will be sent to the command and control point. To be honest, who cares about malware coming into your network? Your real concern should be confidential information leaving your network. If the intent is to stop exfiltration of data and information, then watching outbound traffic is how you detect that information which should never leave is in fact leaving.
- Figure out how to rank anomalous behavior. Most malware scanners classify things as simply good or bad. But the idea of an APT is to blend in as long as possible so that you don’t see anything out of the ordinary. Now I realize that false positives aren’t fun for users, as too many of them can prevent a user from doing their job. Look for automated log scanning software that can be configured to do risk ranking. This will help determine whether newly observed behavior is the new normal for a user or is truly evil.
- Don’t be smug just because you own a Macintosh (sorry, I just had to put that in). I am a big fan of Apple products because they let me work the way that I want to work, but there is malware that targets them.
- Ensure that your call center networks are nowhere near your production networks. Staff who are on the phone all the time could be easier targets for social engineering.
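The “sucking sound” and risk-ranking items above are the same idea seen from two sides: score each host’s outbound traffic against that host’s own history rather than against a fixed good/bad rule. The following is an added illustration, not code from the original post; the flow records, host names and destinations are constructed, and the weights (a z-score for volume, 2.0 per never-seen destination) are arbitrary tuning knobs you would calibrate to your own false-positive tolerance.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed outbound flow summaries: (day, host, destination, bytes_out).
# Days 1-2 are each host's baseline; day 3 is the day under review.
FLOWS = [
    (1, "ws-alice", "mail.example.net", 1_500_000),
    (2, "ws-alice", "mail.example.net", 2_500_000),
    (1, "ws-bob", "mail.example.net", 1_000_000),
    (2, "ws-bob", "mail.example.net", 1_200_000),
    (1, "ws-carol", "mail.example.net", 500_000),
    (2, "ws-carol", "mail.example.net", 500_000),
    # Review day: alice pushes 40 MB to a never-seen address, carol makes a
    # tiny upload to a new partner site, bob looks like any other day.
    (3, "ws-alice", "mail.example.net", 2_000_000),
    (3, "ws-alice", "203.0.113.7", 40_000_000),
    (3, "ws-bob", "mail.example.net", 1_000_000),
    (3, "ws-carol", "mail.example.net", 500_000),
    (3, "ws-carol", "files.partner.example", 10_000),
]

def risk_rank(flows, review_day):
    """Score each host's review-day outbound traffic against its own history; highest risk first."""
    daily = defaultdict(lambda: defaultdict(int))   # host -> day -> bytes out
    seen = defaultdict(set)                          # host -> baseline destinations
    today, new_dests = defaultdict(int), defaultdict(set)
    for day, host, dest, nbytes in flows:
        if day < review_day:
            daily[host][day] += nbytes
            seen[host].add(dest)
        elif day == review_day:
            today[host] += nbytes
            new_dests[host].add(dest)
    scores = {}
    for host, total in today.items():
        history = list(daily[host].values())
        mu = mean(history) if history else 0.0
        sigma = pstdev(history) if len(history) > 1 else 0.0
        # Volume term: z-score vs the host's own history, clipped at 0;
        # with no usable variance, a flat 3.0 if today exceeds the mean.
        if sigma > 0:
            volume = max((total - mu) / sigma, 0.0)
        else:
            volume = 3.0 if total > mu else 0.0
        # Novelty term: 2.0 per destination this host has never talked to before.
        novelty = len(new_dests[host] - seen[host])
        scores[host] = round(volume + 2.0 * novelty, 2)
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)
```

A workstation that suddenly sends twenty times its usual volume to an address it has never contacted lands at the top; a small upload to one new site scores low, which is exactly the “new normal or truly evil” judgement an analyst still has to make.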
Advanced Persistent Threats are only going to increase in intensity over the next year, not go away. Ignoring this problem just means there will be harm caused to your organization. The only way that you can deal with an APT is to know your systems, networks, and applications. The more your organization understands about where data lives and flows within these, the better you can anticipate what will be targeted. It’s amazing how many people I’ve consulted with who have little to no clue what is going on within their organization’s network. Too many networks and applications grow organically without proper documentation, and unless you can understand what is normal within your network, there is no possible way to understand what is abnormal.
Train your employees and limit access. Unless employees know what to look for, they cannot be on the lookout. Think about special training for your executives, including sending phishing messages that take them to a “You’re Busted” website with more information on why they might be a higher profile threat target than other employees. Make sure that contingent workers and contractors receive the same awareness training as your employees.
And above all else, ensure that you are taking regular backups and have a crisis response plan in place in case things do go south on you. I can almost guarantee that Arthur W. Coviello, Jr. did not write the open letter to customers by himself, nor did he answer the phone when customers and reporters called. RSA addressed this unfortunate event with the utmost professionalism and responsibility deserving of a leader in the information security community.