AN ANALYSIS OF A SECURITY BREACH AT RSA SECURITY
Jimmy Kenny A00177486
Security Assignment Jimmy Kenny A00177486
Contents
Introduction
Background
  RSA Security
  RSA SecurID
The Security Breach
RSA’s Initial Actions
The Ultimate Cost
What did RSA do to improve their Security Procedures?
References
Introduction
On March 17th, 2011 a sophisticated cyber-attack was launched on RSA Security, a division of
EMC Corporation, that extracted information related to its SecurID authentication
mechanism. SecurID tokens are used in two-factor authentication systems, and at the time an
estimated 40 million of them were in use to secure access to corporate and government
networks. The attack began as a spear-phishing campaign carried out by two separate groups
working together, it is believed, with a foreign government. In an open letter to its
customers in June 2011 the company’s President, Art Coviello, stated that:
“Certain characteristics of the attack on RSA indicated that the perpetrator's most likely
motive was to obtain an element of security information that could be used to target
defence secrets and related IP, rather than financial gain, PII, or public
embarrassment.”
In March 2012 the director of the U.S. National Security Agency, General Keith Alexander, in
a hearing before the Senate Armed Services Committee said that China was the main
suspect behind the security breach.
Although the company maintained that no customer networks were breached, it decided to
replace all the SecurID tokens in circulation. It has been estimated that it cost RSA over
$66 million to replace and distribute new SecurID tokens to its customers. The cost to those
customers of re-distributing the tokens to their own users is thought to run to hundreds of
millions of dollars.
This report outlines how the breach happened, how RSA dealt with it, what effect it had on
the company, and what improvements in security procedures the company has made or should
make to avoid a similar incident.
Background
This section first gives a brief corporate overview of RSA Security and then explains how its
SecurID tokens work.
RSA Security
In 1982 RSA was founded by Ron Rivest, Adi Shamir and Len Adleman (they also developed
the RSA Encryption Algorithm). It provides security solutions to corporations and
governments around the world. These solutions include identity assurance and access
control, encryption & key management, compliance & security information management
and fraud protection. RSA makes the login security systems used by 95 of the Fortune 100
companies (Fowler, 2013).
In 2006 it was acquired by EMC Corporation for $2.1 billion. EMC is one of the world’s
largest providers of data storage systems, employs over 60,000 people and reported revenues
of $21.7 billion in 2012 (EMC, 2014). Besides RSA Security, its subsidiaries include VMware
and Iomega. One of RSA’s main products is the SecurID authenticator.
RSA SecurID
The authentication mechanism consists of a ‘token’, either a hardware device or a piece of
software, assigned to an individual user. Every token runs the same algorithm, but each one
holds its own unique secret seed and a clock. The algorithm combines the seed with the
current time to produce the 6-digit code the token displays, and a new code is generated at
a fixed interval, usually every minute. That code is the ‘something you have’ factor which,
together with the user’s PIN, allows access to the network.
An RSA SecurID server is connected to whatever system the user is logging into. The server
also stores the seed of each user’s token and runs the same algorithm to generate the
expected code. When the user wants to log in, he or she reads the current code from the
token and enters it into the system (usually together with a user ID and PIN). The server
generates the code for the same time interval and, if it matches the one entered, the user is
authenticated and can access the system.
Figure: The SecurID ‘hardware’ token
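The token/server exchange just described, as an added example that is not RSA’s code. The real SecurID algorithm is proprietary, so the public HMAC-SHA1 construction of RFC 4226/6238 stands in for it (an assumption), and the seed, user name and PIN are constructed. It shows the token side, the server recomputing the same code with a small clock-drift window, the PIN as the second factor, and rejection of a replayed code:

```python
"""Time-based one-time codes, modelled on the token/server scheme described
above: a per-token secret seed, a clock, and one algorithm shared by the token
and the server.  Added example, not RSA's code.  The SecurID algorithm is
proprietary, so the public HMAC-SHA1 construction (RFC 4226/6238) stands in
for it; the seed, user name and PIN below are constructed."""
import hashlib
import hmac
import os
import struct

STEP_SECONDS = 60   # the text: a new code is generated usually every minute
DIGITS = 6
PBKDF2_ROUNDS = 100_000

# Constructed sample seed (the ASCII bytes of "12345678901234567890", the
# secret used by the RFC 4226 test vectors).  A real seed is unique per token.
SAMPLE_SEED = b"12345678901234567890"


def generate_code(seed: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """Token side: the 6-digit code for the time window containing unix_time.

    Anyone holding the seed and a clock can run this, which is exactly why
    theft of seed material undermines the 'something you have' factor."""
    window = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", window), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class AuthServer:
    """Server side: stores each user's PIN hash and token seed, recomputes the
    expected code with the same algorithm, tolerates a little clock drift and
    refuses a code from a window it has already accepted (replay)."""

    def __init__(self, step: int = STEP_SECONDS, drift_steps: int = 1):
        self.step = step
        self.drift = drift_steps
        self.users = {}

    def enrol(self, user_id: str, pin: str, seed: bytes) -> None:
        salt = os.urandom(16)
        self.users[user_id] = {
            "salt": salt,
            "pin_hash": hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS),
            "seed": seed,
            "last_window": -1,   # highest window already used for a successful login
        }

    def login(self, user_id: str, pin: str, code: str, now: int) -> bool:
        rec = self.users.get(user_id)
        if rec is None:
            return False
        pin_hash = hashlib.pbkdf2_hmac("sha256", pin.encode(), rec["salt"], PBKDF2_ROUNDS)
        pin_ok = hmac.compare_digest(pin_hash, rec["pin_hash"])
        # Check the current window and `drift` windows either side, but never a
        # window at or before the last one accepted; that would be a replay.
        matched = None
        current = now // self.step
        for delta in range(-self.drift, self.drift + 1):
            window = current + delta
            if window <= rec["last_window"]:
                continue
            expected = generate_code(rec["seed"], window * self.step, self.step)
            if hmac.compare_digest(expected, code):
                matched = window
                break
        if not (pin_ok and matched is not None):
            return False
        rec["last_window"] = matched
        return True


if __name__ == "__main__":
    server = AuthServer()
    server.enrol("alice", "4711", SAMPLE_SEED)
    now = 1_700_000_000
    code = generate_code(SAMPLE_SEED, now)           # what the token would display
    print(server.login("alice", "4711", code, now))  # True
    print(server.login("alice", "4711", code, now))  # False: same window, replayed
```

The point of the example for this report: whoever obtains a token’s seed can run generate_code and produce exactly what the token displays, which is why the extraction of seed-related material from RSA was so serious. The PIN is then the only remaining secret, hence RSA’s later advice to enforce strong PIN policies, and a server that did not record the last accepted window would also accept a code that had already been used.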
The Security Breach
The cyber-attack on RSA Security took place on March 17th, 2011. On April 1st Uri Rivner,
RSA’s head of new technologies and consumer identity protection, gave details of the attack
in a blog entry, which is summarised below.
Some time before the March 17th attack the perpetrators are believed to have used social
media to collect publicly available details of RSA employees: names, job titles, contact
details and so on. Such details make an email from an attacker look genuine. In this case
two small groups of low-profile employees were sent two slightly different phishing emails.
The subject line read ‘2011 Recruitment Plan’ and the attachment was an Excel spreadsheet
titled ‘2011 Recruitment plan.xls’. The email looked like an internal message, and at some
point one employee retrieved it from their Junk mail folder and opened the spreadsheet.
The spreadsheet contained an embedded Adobe Flash object that exploited CVE-2011-0609, at
that time a zero-day vulnerability, to drop a backdoor on the computer. The attackers were
then able to take control of the computer with a remote administration tool (a variant of
the Poison Ivy Trojan). The employee’s access credentials were used as a stepping stone to
reach other user accounts with higher privileges, and once the desired privileges had been
obtained the attackers targeted the servers they were interested in. Data was copied from
these servers to internal staging servers, where it was aggregated, compressed and encrypted
for extraction. FTP was then used to transfer many password-protected RAR files to an
external staging server, a compromised machine at a hosting provider. The attackers pulled
the files from that server and then deleted them to remove traces of the attack.
Figure: Anatomy of the Attack (source: https://blogs.rsa.com/anatomy-of-an-attack)
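A detection sketch for the staging and exfiltration steps just described, as an added example that is not part of Rivner’s post or of RSA’s tooling. It assumes a simple flat log export (time, source, destination, protocol, command, file name, bytes), and the log lines themselves are constructed; an internal host pushing several archive files, or a large volume, over FTP to a non-RFC 1918 address within a short window raises an alert:

```python
"""Detection sketch for the exfiltration stage described above: an internal
staging host pushing many password-protected RAR archives over FTP to an
external address.  Added example, not RSA's tooling; the flat log format
(time, source, destination, protocol, command, file name, bytes) and every
log line below are constructed for the example."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export.  Host 10.20.5.40 first receives files over SMB
# (the internal staging step), then pushes split RAR archives to an outside
# host; the remaining lines are ordinary traffic that must not alert.
SAMPLE_LOG = """\
2011-03-16T22:01:12Z 10.20.5.17 10.20.5.40 SMB PUT finance_q1.xlsx 184320
2011-03-16T22:03:40Z 10.20.5.22 10.20.5.40 SMB PUT hr_export.csv 921600
2011-03-16T23:14:03Z 10.20.5.40 203.0.113.9 FTP STOR part01.rar 52428800
2011-03-16T23:16:41Z 10.20.5.40 203.0.113.9 FTP STOR part02.rar 52428800
2011-03-16T23:19:05Z 10.20.5.40 203.0.113.9 FTP STOR part03.rar 52428800
2011-03-16T23:21:33Z 10.20.5.40 203.0.113.9 FTP STOR part04.rar 31457280
2011-03-17T08:02:10Z 10.20.7.3 203.0.113.50 FTP STOR brochure.pdf 2097152
2011-03-17T09:30:00Z 10.20.5.40 10.20.5.41 FTP STOR nightly_backup.rar 104857600
"""

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ARCHIVE_EXTENSIONS = (".rar", ".zip", ".7z")
WINDOW = timedelta(minutes=30)   # how close together the uploads must be
MIN_ARCHIVES = 3                 # archives to one external host inside WINDOW
MIN_BYTES = 200 * 1024 * 1024    # or this much data, whatever the file names say


def is_internal(ip: str) -> bool:
    """RFC 1918 check, done explicitly rather than via ip_address().is_private,
    which also treats the documentation ranges used in the sample lines as private."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str) -> dict:
    ts, src, dst, proto, cmd, name, size = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "src": src, "dst": dst,
            "proto": proto, "cmd": cmd, "name": name, "bytes": int(size)}


def detect_staged_exfil(log_text: str, window: timedelta = WINDOW,
                        min_archives: int = MIN_ARCHIVES, min_bytes: int = MIN_BYTES) -> list:
    """Return one alert per (internal source, external destination) pair whose
    FTP uploads inside a sliding time window reach either threshold."""
    uploads = defaultdict(list)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if (ev["proto"] == "FTP" and ev["cmd"] == "STOR"
                and is_internal(ev["src"]) and not is_internal(ev["dst"])):
            uploads[(ev["src"], ev["dst"])].append(ev)

    alerts = []
    for (src, dst), events in uploads.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            span = events[start:end + 1]
            archives = sum(1 for e in span if e["name"].lower().endswith(ARCHIVE_EXTENSIONS))
            total = sum(e["bytes"] for e in span)
            if archives >= min_archives or total >= min_bytes:
                alerts.append({"src": src, "dst": dst, "first": span[0]["ts"],
                               "last": span[-1]["ts"], "archives": archives, "bytes": total})
                break   # one alert per pair is enough; the analyst pulls the rest
    return alerts


if __name__ == "__main__":
    for alert in detect_staged_exfil(SAMPLE_LOG):
        print(f"{alert['src']} -> {alert['dst']}: {alert['archives']} archives, "
              f"{alert['bytes'] // (1024 * 1024)} MiB between {alert['first']} and {alert['last']}")
```

Because the archives were password-protected, content inspection would not have shown what was leaving; the detection therefore leans on metadata: cadence, volume, file type and an external destination that a staging host has no business talking to. The same logic applies to uploads over HTTPS or SFTP if the log carries the same fields.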
RSA’s Initial Actions
On the day of the security breach, Thursday, March 17th 2011, RSA posted a letter on its
website from its chairman, Art Coviello. The letter confirmed that the company had suffered
an attack that “is in the category of an Advanced Persistent Threat (APT)”. The letter gave no
details about the security breach itself but Coviello went on to say “Our investigation also
revealed that the attack resulted in certain information being extracted from RSA’s
systems.” He did not specify what kind of data was stolen but only that it “could potentially
be used to reduce the effectiveness of a current two-factor authentication [SecurID]
implementation as part of a broader attack.” He also said there was no current indication
that the stolen data was used to attack any of its customers. Mr Coviello went on to say that
“We took a variety of aggressive measures against the threat to protect our business and
customers, including further hardening of our I.T. infrastructure.” The company urged their
customers to follow a variety of security best practices, such as enforcing strong password
and PIN policies, educating employees to avoid suspicious emails and to “limit remote
and physical access to infrastructure that is hosting critical security software” (Goodin,
2011). The company also submitted a filing to the Securities and Exchange Commission
indicating that it did not expect the security breach to have any financial impact (Markoff,
2011).
Coviello was criticised by security experts for the vagueness of the letter (Goodin, 2011),
and it is not clear what details of the attack were given to RSA’s customers at this point.
There was widespread concern that the breach could pose a serious threat to the countless
businesses and government agencies that used SecurID authentication.
It was not until April 1st, 2011 that the company released specific details of the attack. In
his blog entry titled Anatomy of an Attack on the RSA website, Uri Rivner, Head of New
Technologies, described how the company’s security was breached (Rivner, 2011). While giving a good
account of the attack itself the article did not state exactly what was taken or how RSA
customers could possibly be affected. Rivner did not address what the company would do to
counter any similar attacks in the future.
In June 2011 RSA’s President Art Coviello issued another open letter to its customers giving
an evaluation of the situation at that time (Coviello, 2011). He stated he was confident that
customers who implemented RSA’s remediation steps “can be confident in their continued
security”. He went on to say that the most likely motive for the attack was “to obtain an
element of security information that could be used to target defence secrets and related
IP”. He confirmed that on June 2nd there had been an attack on Lockheed Martin, a major
defence contractor, using data that had been taken in the original attack on RSA but the
attack had been prevented. He maintained that the only confirmed attack using the
extracted data had been on Lockheed.
Though the company had always maintained that their SecurID tokens were not
compromised, in order to reinforce confidence in the product he offered to replace tokens
“for customers with concentrated user bases typically focused on protecting intellectual
property and corporate networks.” He promised to work with all customers to assess their
ongoing needs and to tailor options to suit these requirements. He promised continued
investment in RSA’s SecurID and their risk-based authentication technologies.
The Ultimate Cost
Over the course of the following year RSA ended up re-issuing new SecurID tokens to all its
customers. Whether this was because of doubts over the tokens’ security or simply to restore
confidence in the product is not clear, but confidence certainly needed to be bolstered. It
cost RSA approximately $66 million to replace the tokens for all its customers (Fowler, 2013).
The true cost would have been higher when you consider the time and resources spent
apprising customers of the situation, the immediate actions needed to thwart the attack and
the subsequent measures needed to develop new software to prevent future attacks
(SecureEnvoy, 2012).
There were also significant costs borne by RSA’s customers. At that time there were about
40 million tokens in use, and about half of the US banks that used security tokens used
SecurID. It was estimated that distributing the new tokens to their customers would cost
between $50 and $100 million. Some of the biggest military contractors in the US used
SecurID; Lockheed alone had to distribute new tokens to 45,000 of its employees (King, 2011).
But perhaps the biggest cost has been the loss of trust in the product or, worse, of
customers’ confidence in the company itself. It is difficult to ascertain how many customers
RSA lost, or how many potential new customers looked elsewhere for their authentication
needs as a result of the breach, but the number must have been significant.
One of RSA’s biggest rivals with a similar product is Vasco Data Security International Inc.
whose stock rose by 36% on the NASDAQ over the two weeks following the disclosure of the
security breach. EMC, RSA’s parent company, stock rose by just 1.8% over the same period
(King, 2011).
Though most of the large corporations and government agencies that had already invested
significantly in RSA’s two-factor authentication products stayed with the company, it would
have been much easier for smaller companies to switch to providers of alternative
technologies.
What did RSA do to improve their Security Procedures?
Because of the nature of its business RSA has not revealed technical details of any changes
or improvements to its own security procedures. However, in an interview with the Wall Street
Journal in February 2013 Art Coviello, executive chairman of RSA (EMC’s security division),
explained that these types of attacks are very difficult to trace and that RSA never
received confirmation of who the attackers were. Two groups had attacked simultaneously, one
far more visible than the other. He went on to say that “Since
that time, we have developed more powerful capabilities to spot hidden patterns—the faint
noises that are actually an attack” (Fowler, 2013).
He talked about a new model for security that he called an intelligence-driven model. “It is
based on risk and new tools that are behaviour based and predictive. It is also based on a
big-data application so you can spot an attack in progress, so you can do a better job
responding to it” (Fowler, 2013).
RSA was also said to be replacing its hardware tokens with software tokens, which makes it
easier for customers to build SecurID into mobile apps so that users can authenticate with
their smartphones. Mobile app authentication would also allow the company to incorporate
geolocation data and biometrics into the authentication process (Savage, 2012).
But perhaps the most valuable thing RSA could do is give its employees training and a clear
process for spotting and reporting malicious emails. Had that employee not retrieved the
‘Recruitment Plan’ message from the Junk folder and opened the attachment, the hackers would
not have gained their initial foothold. As in most security breaches, the human element was
the most vulnerable point of entry. Training alone is not a complete answer, though: the mail
filter had already classified the message as junk, the Flash exploit was a zero-day that no
patch would have blocked, and every later stage of the attack described above (the Poison Ivy
backdoor, the escalation to privileged accounts, the internal staging servers and the bulk
FTP transfer of RAR archives to an outside host) was a separate opportunity to detect and
contain the intrusion before the seed-related data left the network.
References
Coviello, A., 2011. Integrity Solutions. [Online]
Available at: http://www.integritysolutions.ie/industry-news/rsa-open-letter.php
[Accessed March 2014].
EMC, 2014. EMC Corporate Profile. [Online]
Available at: http://uk.emc.com/corporate/emc-at-glance/corporate-profile/index.htm
[Accessed March 2014].
Fowler, G. A., 2013. The Wall Street Journal. [Online]
Available at: http://online.wsj.com/news/articles/SB10001424127887323384604578328523049037156
[Accessed March 2014].
Goodin, D., 2011. www.theregister.co.uk. [Online]
Available at: http://www.theregister.co.uk/2011/03/18/rsa_breach_leaks_securid_data/
[Accessed March 2014].
King, R., 2011. Bloomberg. [Online]
Available at: http://www.bloomberg.com/news/2011-06-08/emc-s-rsa-security-breach-may-cost-bank-customers-100-million.html
[Accessed March 2014].
Savage, M., 2012. The RSA breach: One year later. SearchSecurity - TechTarget. [Online]
Available at: http://searchsecurity.techtarget.com/magazineContent/The-RSA-breach-One-year-later
[Accessed March 2014].
Markoff, J., 2011. The New York Times. [Online]
Available at: http://www.nytimes.com/2011/03/18/technology/18secure.html?_r=0
[Accessed March 2014].
Rivner, U., 2011. Anatomy of an Attack. [Online]
Available at: https://blogs.rsa.com/anatomy-of-an-attack
[Accessed March 2014].
SecureEnvoy, 2012. SecureEnvoy. [Online]
Available at: https://www.securenvoy.com/blog/2012/04/27/the-rsa-security-breach-12-months-down-the-technology-turnpike/
[Accessed March 2014].