Wednesday, April 16, 2014
By now, most people know about the RSA breach that resulted in unspecified data related to their SecurID product being stolen. A little more information has come out over the last few days on how the breach happened.
The whole thing seems to have started with a phishing email that was received by one or more employees of RSA. The email had an Excel spreadsheet file attachment named “2011 Recruitment Plan”, which contained malware. The malware exploited an Adobe zero-day vulnerability. RSA’s spam filters worked properly and flagged the email and junk and moved it to the junk folder.
One of my favorite phrases is “there is no cure for stupidity”. An employee (or more than one), probably piqued by the file name, went into the junk folder and opened the attachment and ended up installing the malware in his/her computer. From there, it slowly spread within the RSA network. The irony is that RSA had installed NetWitness, a DLP (Data Loss Prevention) software in their network and it had flagged the activity of the malware. The problem was that it did not rate the severity of the problem high enough for RSA to shut it down promptly.
In the meanwhile the malware was sending out credentials, including people higher in the chain of command, and finally the malware controllers obtained some credentials from the IT department, providing them access to more sensitive stuff. All this possibly took anywhere from a few weeks to a few months.
It is not clear what exactly was stolen. If you use RSA’s SecurID, you should read my previous post on Minimizing the impact of the RSA SecurID breach.
This incident illustrates how important security education and awareness is for organizations. All it took was a curious employee clicking on an Excel spreadsheet containing malware and the reputation of a famous and big security company lies in tatters. It could have a financial impact too since CA is now trying to get RSA SecurID users to switch to their product by implying that RSA (and RSA’s products) are not good enough.