Last month witnessed the security breach of RSA Security, a leader in the information security industry, whose products are used to secure financial and other high-risk transactions. The breach at RSA contains important security lessons for all organizations. (For an account of the attack, see cnet news.)
The success of the cyber attack at RSA was the result of two specific weaknesses, one human and the other technical.
The human weakness is curiosity. We are a curious species. Our human curiosity is often a good thing. It’s the starting point for our creativity. There would be no computers were we not curious; indeed, it’s unlikely there would even be a wheel.
But sometimes, as the saying goes, curiosity can kill the cat. That’s what happened in the RSA breach. An employee at RSA received an email with an attached Excel spreadsheet provocatively entitled “2011 Recruitment plan.xls.” Curious, he opened the attachment—just as the cyber criminals behind this attack expected. This set the stage for the cyber criminals to exploit the technical weakness.
The attachment wasn’t just an Excel spreadsheet. It had been booby-trapped to ‘explode’ when it was opened, invisibly installing a Trojan horse on the user’s computer. The Trojan horse—a particularly malicious type of malware program known as an Advanced Persistent Threat—gave the cyber criminals complete access to the employee’s computer, a beachhead from which they successfully launched their attack on RSA’s network. (ISSA-LA’s monthly meeting in February included a presentation on Advanced Persistent Threats by David Nardoni and Jeff Dye. That presentation can be found here.)
If you work in a corporate environment, your computer may very well have been ‘locked down’ by the IT Department to prevent you from installing your own programs. If it’s not, it should be.
So how did this booby-trapped Excel spreadsheet manage to install a program on this employee’s computer? After all, RSA is one of the premier information security companies in the world. We can be pretty certain that their employees’ workstations are well locked down.
This gets us to the second weakness, the technical one. The software industry’s inconvenient truth is that every complex computer program is flawed. It’s these software flaws—programming errors—that let cyber criminals booby trap seemingly innocent files, like the Excel spreadsheet at RSA.
The cyber criminals who successfully breached RSA had found a flaw in Adobe’s popular Flash program. Adobe Flash is well known as having very critical security flaws, forcing Adobe to regularly issue upgrades that fix the flaws they know about. Indeed, as I write this, Adobe has announced the discovery of a new zero-day vulnerability which they expect to patch this week. (We notify readers of updates for Adobe Flash on our Weekly Patch and Vulnerability Report.)
The problem with the flaw that the cyber criminals used in the RSA attack was that—at the time of the attack—there was no upgrade that would fix it. The vulnerability was not even known to Adobe. This was a pure example of a zero-day vulnerability, a critical vulnerability for which no patch exists. By exploiting this vulnerability, the cyber criminals were able to use Adobe Flash to install their Trojan horse.
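An attachment-triage heuristic for the delivery path described above, added here as an illustration and not taken from RSA or the original post: it flags legacy Office (OLE2) files that carry embedded Flash content. It assumes the Flash content sits inside the spreadsheet as an embedded object; the function names and sample bytes are constructed for this example.

```python
import struct

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
# Shockwave Flash ActiveX CLSID {D27CDB6E-AE6D-11CF-96B8-444553540000},
# in the mixed-endian byte order used inside OLE storage.
FLASH_CLSID = bytes.fromhex("6EDB7CD26DAECF1196B8444553540000")
FLASH_PROGID = "ShockwaveFlash"

def find_swf_headers(data):
    """Return offsets that look like an SWF header (signature, version, length)."""
    hits = []
    for sig in (b"FWS", b"CWS", b"ZWS"):
        pos = data.find(sig)
        while pos != -1 and pos + 8 <= len(data):
            version = data[pos + 3]
            (length,) = struct.unpack_from("<I", data, pos + 4)
            # Plausibility checks cut down on chance three-byte matches.
            if 1 <= version <= 50 and 8 <= length <= 100 * 1024 * 1024:
                hits.append(pos)
            pos = data.find(sig, pos + 1)
    return sorted(hits)

def triage_attachment(data):
    """Return reasons to quarantine an attachment; an empty list means no finding."""
    if not data.startswith(OLE2_MAGIC):
        return []  # not a legacy Office container; out of scope for this check
    reasons = []
    if FLASH_CLSID in data:
        reasons.append("embedded Shockwave Flash ActiveX CLSID")
    if (FLASH_PROGID.encode("ascii") in data
            or FLASH_PROGID.encode("utf-16-le") in data):
        reasons.append("ShockwaveFlash ProgID string")
    offsets = find_swf_headers(data)
    if offsets:
        reasons.append("SWF header at offset(s) %s" % offsets)
    return reasons

# Constructed sample inputs (not real documents): a plain OLE2 file and one
# carrying the Flash control CLSID followed by a compressed-SWF header.
BENIGN_XLS = OLE2_MAGIC + b"\x00" * 504 + b"plain workbook data"
SUSPECT_XLS = (OLE2_MAGIC + b"\x00" * 504 + FLASH_CLSID
               + b"CWS" + bytes([10]) + struct.pack("<I", 4096) + b"\x00" * 16)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_XLS), ("suspect", SUSPECT_XLS)):
        print(label, triage_attachment(blob) or "no finding")
```

This is a byte-level heuristic for a mail gateway or quarantine queue; embedded streams that are compressed or encrypted inside the container need a real OLE parser to inspect.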
Lessons for Management:
Lesson 1: Create a culture of security.
Ensure your people are trained and educated in cyber security. They need to know that they are under cyber attack. They need to become naturally suspicious of unexpected emails. They need to recognize the cyber criminal danger signals, refraining from opening attachments that may be booby-trapped or clicking on potentially booby-trapped hyperlinks. Cyber criminals use publicly available information to try to convince targets that their emails are legitimate, relying on human gullibility to gain access. A simple and avoidable mistake, as demonstrated in RSA’s case, can be costly and embarrassing.
This basic rule of effective cyber security management is simple: Don’t be a victim of your own curiosity. Don’t open an email attachment or click on a hyperlink in an email unless you have independent confirmation from the sender that the email is legitimate. Period.
Lesson 2: Replace anti-virus software with security solutions specifically designed to block zero-day attacks.
Another inconvenient truth is that anti-virus software often fails to block zero-day attacks and the Trojan horses they deliver. The antivirus detection rate for ZeuS—a well known Trojan horse used to commit online bank fraud—is below 40%. This means that at any given time 60% of ZeuS variants will get past a company’s anti-virus software. Lesson 2 is that it is time to retire your basic anti-virus software, replacing it with a behaviorally-based solution that can detect and prevent zero-days and other malware from running on workstations.
Lesson 3: It’s not enough to try to prevent attacks. You must also be able to detect them and limit their damage.
Even as we bemoan the fact that RSA was breached, we can’t ignore the critical fact that RSA discovered the breach and took action to limit its damage. Compare this with the recent Stuxnet attack on Iran’s nuclear processing facilities; by the time Iranian authorities discovered the Stuxnet attack, the damage had been done. (See our blog post on Stuxnet.)
It’s a military security truism that—if the enemy discovers that you are planning to attack at dawn—it makes an enormous difference whether or not you know that the enemy knows. If you don’t know the enemy knows, you walk into a trap. If you know the enemy knows, you can change your plans.
HIPAA, the Payment Card Industry’s Data Security Standard, Gramm Leach Bliley, FTC security rules, ISO 27002 — all of these impose an audit and monitoring standard sufficient to detect and respond to a cyber attack. This makes having a robust Incident Response Plan a vital component of effective cyber security management.