AN ANALYSIS OF A SECURITY BREACH AT RSA SECURITY

Jimmy Kenny, A00177486
Security Assignment

Contents
Introduction
Background
  RSA Security
  RSA SecurID
The Security Breach
RSA's Initial Actions
The Ultimate Cost
What did RSA do to improve their Security Procedures?
References

Introduction

On March 17th, 2011 RSA Security, a division of EMC Corporation, disclosed that a sophisticated cyber-attack had extracted information related to its SecurID authentication mechanism; the intrusion itself preceded the disclosure. SecurID tokens are used in two-factor authentication systems, and at the time it is believed there were about 40 million of them in use to secure access to corporate and government networks. The attack began with spear phishing and was carried out by two separate groups working together, it is believed, on behalf of a foreign government.
In an open letter to its customers in June 2011 the company's Executive Chairman, Art Coviello, stated that: “Certain characteristics of the attack on RSA indicated that the perpetrator's most likely motive was to obtain an element of security information that could be used to target defence secrets and related IP, rather than financial gain, PII, or public embarrassment.” In March 2012 the director of the U.S. National Security Agency, General Keith Alexander, told a hearing of the Senate Armed Services Committee that China was the main suspect behind the breach. Although the company maintained that no customer networks were breached, it decided to replace all the SecurID tokens in circulation. It has been estimated that it cost RSA over $66 million to replace and distribute new SecurID tokens to its customers; the cost to those customers of re-distributing tokens to their own customers and staff is thought to run to hundreds of millions of dollars. This report will outline how the breach happened, how RSA dealt with it, what effects it had on the company, and what improvements in security procedures the company has made or should make to avoid a similar situation recurring.

Background

This section first gives a brief corporate overview of RSA Security and then explains how SecurID tokens work.

RSA Security

RSA was founded in 1982 by Ron Rivest, Adi Shamir and Len Adleman, the inventors of the RSA public-key algorithm. It provides security solutions to corporations and governments around the world, including identity assurance and access control, encryption and key management, compliance and security information management, and fraud protection. RSA makes the login security systems used by 95 of the Fortune 100 companies (Fowler, 2013). In 2006 it was acquired by EMC Corporation for $2.1 billion.
EMC is one of the world's largest providers of data storage systems; it employs over 60,000 people and reported revenues of $21.7 billion in 2012 (EMC, 2014). Besides RSA Security, its subsidiaries include VMware and Iomega. One of RSA's main products is the SecurID authenticator.

RSA SecurID

This authentication mechanism consists of a 'token', either a hardware device or a piece of software, assigned to an individual user. Each token holds a unique secret seed value and a clock. An algorithm common to all tokens combines the seed with the current time to produce the 6-digit code displayed on the token; a new code is generated at fixed intervals, usually every minute. Because every token runs the same algorithm, the only thing that distinguishes one token from another is its seed: anyone holding a copy of a token's seed and a synchronised clock can produce the same codes.

[Figure: The SecurID 'hardware' token]

An RSA SecurID server is connected to whatever system the user is logging into. The server also stores the seed of each user's token and runs the same algorithm to generate the expected code. When the user wants to log in, he or she reads the code from the token and enters it into the system, usually together with a user ID and a PIN. The server computes the code for the same time interval and, if it matches the one entered and the PIN is correct, the user is authenticated and can access the system.

The Security Breach

RSA disclosed the cyber-attack on March 17th, 2011. On April 1st Uri Rivner, Head of New Technologies, Consumer Identity Protection at RSA, gave details of the attack in a blog entry which is summarised below. Some time before the intrusion the perpetrators are believed to have used social media to collect publicly available details of RSA employees: names, job titles, contact details and so on. Such details make an email from an attacker look genuine. In this case two small groups of fairly low-level employees were targeted with two different phishing emails sent over a two-day period.
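Returning briefly to the token mechanism described in the Background section: the following is an added example, not RSA's code. The real SecurID algorithm is proprietary, so this stand-in assumes an HMAC-SHA1 time-based code in the style of RFC 6238, and the seed, PIN and clock values are constructed. It shows the server recomputing the code from its own copy of the seed, the tolerance it allows for clock drift, and why a third party holding a copy of the seed produces the same six digits, leaving the PIN as the only remaining secret.

```python
"""Illustrative seed-plus-clock token and verifying server.

Added example, not RSA's code: the real SecurID algorithm is proprietary, so
the code here is an HMAC-SHA1 time-based one-time password in the style of
RFC 6238 (an assumption). Seed, PIN and timestamps are constructed.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # hardware tokens in the report roll to a new code every minute
CODE_DIGITS = 6


def token_code(seed: bytes, unix_time: int) -> str:
    """Code the token displays for the interval containing unix_time.

    The only inputs are the seed and the clock, so two devices with the same
    seed and a synchronised clock display the same digits.
    """
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # HOTP-style dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


class AuthServer:
    """Stand-in for the SecurID server: holds each user's seed and PIN,
    recomputes the expected code and tolerates a little clock drift."""

    def __init__(self, drift_steps: int = 1) -> None:
        self.users = {}                 # user_id -> (seed, pin)
        self.drift_steps = drift_steps

    def enrol(self, user_id: str, seed: bytes, pin: str) -> None:
        self.users[user_id] = (seed, pin)

    def authenticate(self, user_id: str, passcode: str, now: int) -> bool:
        """passcode = PIN (something you know) + tokencode (something you have)."""
        record = self.users.get(user_id)
        if record is None:
            return False
        seed, pin = record
        if len(passcode) != len(pin) + CODE_DIGITS:
            return False
        # Accept the current interval and drift_steps on either side, comparing
        # the whole PIN+code string in constant time.
        for k in range(-self.drift_steps, self.drift_steps + 1):
            expected = pin + token_code(seed, now + k * STEP_SECONDS)
            if hmac.compare_digest(expected, passcode):
                return True
        return False


def demo() -> dict:
    """Walk through a login, drift tolerance and the effect of a stolen seed."""
    seed = bytes.fromhex("0123456789abcdef0123456789abcdef")   # constructed seed
    pin = "4821"                                                # constructed PIN
    now = 1_300_000_000                                         # constructed clock
    server = AuthServer()
    server.enrol("jsmith", seed, pin)

    passcode = pin + token_code(seed, now)
    # A party holding a copy of the seed (the asset whose theft the report is
    # about) computes the same six digits for the same minute without the token.
    code_from_stolen_seed = token_code(seed, now)
    return {
        "legit_login": server.authenticate("jsmith", passcode, now),
        "accepted_one_interval_late": server.authenticate("jsmith", passcode, now + STEP_SECONDS),
        "rejected_two_intervals_late": not server.authenticate("jsmith", passcode, now + 2 * STEP_SECONDS),
        "stolen_seed_matches_token": code_from_stolen_seed == passcode[len(pin):],
        "stolen_seed_needs_pin": not server.authenticate("jsmith", "0000" + code_from_stolen_seed, now),
        "stolen_seed_with_pin": server.authenticate("jsmith", pin + code_from_stolen_seed, now),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The last two results in demo() are the point of the exercise: with the seed copied, the PIN is all that separates the attacker from a valid login, which is why a breach of the seed records, rather than of any one token, forced the mass replacement described later in this report.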
The email's subject line read '2011 Recruitment Plan' and it carried an Excel spreadsheet named '2011 Recruitment plan.xls'. The email looked like an internal message, and at some point one employee retrieved it from their Junk mail folder and opened the spreadsheet.

[Figure: Anatomy of the Attack. Source: https://blogs.rsa.com/anatomy-of-an-attack]

The spreadsheet contained an embedded Adobe Flash object that exploited a then-unpatched Flash Player vulnerability (CVE-2011-0609), a zero-day at the time, to install a backdoor on the machine. The attackers then controlled the computer through a remote administration tool, a variant of the Poison Ivy Trojan. The compromised employee's access credentials served as a stepping stone to other user accounts with higher privileges, and once the desired privileges had been obtained the attackers were able to reach the servers they were interested in. Data was copied from these servers to internal staging servers, where it was aggregated, compressed and encrypted for extraction. FTP was then used to transfer many password-protected RAR files to an external staging server, a compromised machine at a hosting provider. The attackers pulled the files from there and deleted them from the external server to eliminate traces of the attack.

RSA's Initial Actions

On Thursday, March 17th 2011, the day it disclosed the breach, RSA posted a letter on its website from its Executive Chairman, Art Coviello. The letter confirmed that the company had suffered an attack that “is in the category of an Advanced Persistent Threat (APT)”.
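Before going further into RSA's response, a word on the exfiltration stage described in The Security Breach section above: internal staging servers pushing password-protected RAR archives over FTP to a host at an outside hosting provider. That is the kind of activity a simple network-level check can surface. The following is an added example, not RSA's own monitoring: it runs the check over a constructed connection log whose format and addresses are assumptions, and flags any internal source that sends more than a tuning threshold over FTP to an external destination.

```python
"""Flag internal hosts pushing bulk data over FTP to external addresses.

Added example, not RSA's own monitoring. The log format
("timestamp src dst dport bytes_out"), the addresses and the threshold are
assumptions; adapt parse_line() to your firewall or proxy export.
"""
import ipaddress
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FTP_PORTS = {20, 21}                     # control channel and active-mode data channel
BYTES_OUT_THRESHOLD = 50 * 1024 * 1024   # assumed tuning value: 50 MiB per src/dst pair

# Constructed sample log. 10.20.5.14 plays the internal staging server sending
# archives to a host at an outside hosting provider; the other lines are noise.
SAMPLE_LOG = """\
2011-03-10T01:12:07 10.20.5.14 203.0.113.45 21 412000000
2011-03-10T01:15:21 10.20.5.14 203.0.113.45 21 380000000
2011-03-10T02:03:55 10.20.5.14 203.0.113.45 20 96000000
2011-03-10T09:00:01 10.20.7.8 10.20.9.2 21 900000000
2011-03-10T09:30:44 10.20.7.8 198.51.100.7 443 2400000
2011-03-10T11:14:00 10.20.3.3 203.0.113.45 21 1200000
"""


def parse_line(line: str) -> dict:
    """Turn one space-separated record into typed fields."""
    ts, src, dst, dport, nbytes = line.split()
    return {
        "ts": ts,
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "dport": int(dport),
        "bytes_out": int(nbytes),
    }


def is_internal(addr) -> bool:
    """True if the address (string or ipaddress object) is in RFC 1918 space."""
    if isinstance(addr, str):
        addr = ipaddress.ip_address(addr)
    return any(addr in net for net in INTERNAL_NETS)


def detect_ftp_exfil(log_text: str, threshold: int = BYTES_OUT_THRESHOLD) -> list:
    """Sum outbound FTP bytes per (internal src, external dst) pair and return
    the pairs at or above the threshold, earliest connection first for triage."""
    totals = defaultdict(int)
    first_seen = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        # Non-FTP traffic and internal-to-internal FTP are out of scope here;
        # an internal FTP server would need its own baseline.
        if rec["dport"] not in FTP_PORTS:
            continue
        if not is_internal(rec["src"]) or is_internal(rec["dst"]):
            continue
        key = (str(rec["src"]), str(rec["dst"]))
        totals[key] += rec["bytes_out"]
        first_seen.setdefault(key, rec["ts"])
    alerts = [
        {"src": src, "dst": dst, "bytes_out": total, "first_seen": first_seen[(src, dst)]}
        for (src, dst), total in totals.items()
        if total >= threshold
    ]
    return sorted(alerts, key=lambda a: a["first_seen"])


if __name__ == "__main__":
    for alert in detect_ftp_exfil(SAMPLE_LOG):
        print(f"{alert['first_seen']} {alert['src']} -> {alert['dst']} "
              f"sent {alert['bytes_out'] / 1e6:.0f} MB over FTP")
```

Two design points. The aggregation is per source/destination pair rather than per connection, because the report describes many separate RAR uploads, each of which might individually sit under a naive per-session limit. And the preventive twin of this check is an egress rule that denies outbound FTP from server subnets altogether, which turns the same event from an alert into a failed connection; either way, the source that shows up is the staging host, not the original foothold, so an alert is where the investigation starts rather than ends.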
The letter gave no details about the breach itself, but Coviello went on to say “Our investigation also revealed that the attack resulted in certain information being extracted from RSA's systems.” He did not specify what kind of data was stolen, only that it “could potentially be used to reduce the effectiveness of a current two-factor authentication [SecurID] implementation as part of a broader attack.” He also said there was no current indication that the stolen data had been used to attack any of RSA's customers. Coviello continued: “We took a variety of aggressive measures against the threat to protect our business and customers, including further hardening of our I.T. infrastructure.” The company urged its customers to follow a range of security best practices, such as enforcing strong password and PIN policies, educating employees to avoid suspicious emails, and limiting “remote and physical access to infrastructure that is hosting critical security software” (Goodin, 2011). The company also submitted a filing to the Securities and Exchange Commission stating that it did not expect the breach to have a material impact on its financial results (Markoff, 2011). Coviello was criticised by security experts for the vagueness of the letter (Goodin, 2011), and it is not clear what details of the attack were given to RSA's customers at this point. There was considerable concern that the breach could pose a serious threat to the countless businesses and government agencies that relied on SecurID authentication.

It was not until April 1st, 2011 that the company released specific details of the attack. In his blog entry Anatomy of an Attack on the RSA website, Uri Rivner, Head of New Technologies, described how the company's security was breached (Rivner, 2011). While giving a good account of the attack itself, the article did not state exactly what was taken or how RSA's customers could be affected.
Rivner also did not address what the company would do to counter similar attacks in the future.

In June 2011 Coviello issued another open letter to customers giving an evaluation of the situation at that time (Coviello, 2011). He stated that he was confident that customers who had implemented RSA's remediation steps “can be confident in their continued security”. He went on to say that the most likely motive for the attack was “to obtain an element of security information that could be used to target defence secrets and related IP”. He confirmed that on June 2nd RSA had been able to establish that information taken in March had been used as an element of an attempted broader attack on Lockheed Martin, a major defence contractor, and that the attack had been thwarted. He maintained that this was the only confirmed attack using the extracted data. Although the company had always maintained that its SecurID tokens had not been compromised, in order to reinforce confidence in the product he offered to replace tokens “for customers with concentrated user bases typically focused on protecting intellectual property and corporate networks.” He promised to work with all customers to assess their needs and to tailor options to suit them, and to continue investing in SecurID and in RSA's risk-based authentication technologies.

The Ultimate Cost

Over the following year RSA eventually re-issued new SecurID tokens to all its customers. Whether this was because of doubts about the tokens' integrity or purely to restore confidence in the product is not clear, but confidence certainly had to be bolstered. Replacing the tokens for all its customers cost RSA approximately $66 million (Fowler, 2013).
The true cost was higher once the time and resources spent keeping customers informed, the immediate actions taken to contain the attack, and the subsequent development work needed to prevent future attacks are taken into account (SecureEnvoy, 2012). Significant costs were also borne by RSA's customers. At that time there were about 40 million tokens in use, and about 50% of US banks that used security tokens used SecurID. The cost to the banks of distributing new tokens to their customers was estimated at between $50 and $100 million. Some of the biggest military contractors in the US also used SecurID; Lockheed Martin alone had to distribute new tokens to 45,000 of its employees (King, 2011).

Perhaps the biggest cost, however, was the loss of trust in the product and, worse, of customers' confidence in the company itself. It is difficult to ascertain how many customers RSA lost, or how many potential customers looked elsewhere for their authentication needs as a result of the breach, but the number must have been significant. One of RSA's biggest rivals with a similar product, Vasco Data Security International Inc., saw its stock rise by 36% on the NASDAQ in the two weeks following disclosure of the breach, whereas the stock of RSA's parent EMC rose by just 1.8% over the same period (King, 2011). Most of the large corporations and government agencies that had already invested heavily in RSA's two-factor authentication products stayed with the company, but smaller companies would have found it much easier to switch to alternative providers.

What did RSA do to improve their Security Procedures?

Because of the nature of its business, RSA has not revealed technical details of any changes or improvements it has made to its own security procedures.
However, in an interview with the Wall Street Journal in February 2013 Art Coviello, Executive Chairman of RSA, explained that attacks of this kind are very difficult to trace and that RSA never received confirmation of who the attackers were. Two groups had attacked the company simultaneously, one far more visible than the other. He went on to say that “Since that time, we have developed more powerful capabilities to spot hidden patterns—the faint noises that are actually an attack” (Fowler, 2013). He described a new model for security that he called an intelligence-driven model: “It is based on risk and new tools that are behaviour based and predictive. It is also based on a big-data application so you can spot an attack in progress, so you can do a better job responding to it” (Fowler, 2013).

RSA was also reported to be moving customers from hardware tokens to software tokens, which makes it easier to build SecurID into mobile apps so that users can authenticate with their smartphones. Mobile authentication would also allow the company to incorporate geolocation data and biometrics into the authentication process (Savage et al., 2012).

Perhaps the most obvious lesson, however, is that RSA should provide its employees with training and a reporting process so that they can recognise and deal with malicious emails. Had that employee not retrieved the 'Recruitment Plan' attachment from the Junk folder and opened it, this particular intrusion would not have started. As in most breaches, the human element was the weakest point of entry. Awareness training cannot be the only control, though: the email was one of two campaigns aimed at separate groups of staff, it had already been caught by the junk filter, and the attack still depended on an unpatched Flash zero-day, on the ability to escalate from one user's credentials to privileged accounts, and on bulk FTP transfers to an outside host going unnoticed. Each of those stages is a place where patching, least privilege, network segmentation or egress monitoring could have stopped or exposed the attackers even after the email was opened.

References

Coviello, A., 2011. RSA open letter to customers (June 2011), reproduced by Integrity Solutions. [Online] Available at: http://www.integritysolutions.ie/industry-news/rsa-open-letter.php [Accessed March 2014].

EMC, 2014. EMC Corporate Profile. [Online] Available at: http://uk.emc.com/corporate/emc-at-glance/corporate-profile/index.htm [Accessed March 2014].

Fowler, G. A., 2013.
The Wall Street Journal. [Online] Available at: http://online.wsj.com/news/articles/SB10001424127887323384604578328523049037156 [Accessed March 2014].

Goodin, D., 2011. The Register. [Online] Available at: http://www.theregister.co.uk/2011/03/18/rsa_breach_leaks_securid_data/ [Accessed March 2014].

King, R., 2011. EMC's RSA Security Breach May Cost Bank Customers $100 Million. Bloomberg. [Online] Available at: http://www.bloomberg.com/news/2011-06-08/emc-s-rsa-security-breach-may-cost-bank-customers-100million.html [Accessed March 2014].

Markoff, J., 2011. The New York Times. [Online] Available at: http://www.nytimes.com/2011/03/18/technology/18secure.html?_r=0 [Accessed March 2014].

Rivner, U., 2011. Anatomy of an Attack. RSA blog. [Online] Available at: https://blogs.rsa.com/anatomy-of-an-attack [Accessed March 2014].

Savage, M. et al., 2012. The RSA breach: One year later. SearchSecurity (TechTarget). [Online] Available at: http://searchsecurity.techtarget.com/magazineContent/The-RSA-breach-One-year-later [Accessed March 2014].

SecureEnvoy, 2012. The RSA security breach: 12 months down the technology turnpike. SecureEnvoy blog. [Online] Available at: https://www.securenvoy.com/blog/2012/04/27/the-rsa-security-breach-12-months-down-the-technologyturnpike/ [Accessed March 2014].