Friday, September 30, 2011

How the RSA Breach May Have Been Prevented


To continue on the earlier entry regarding Advanced Persistent Threats, some interesting information has come out recently about the successful attack earlier this year on RSA, the Security Division of EMC.  Apparently, the massive data theft began with a relatively simple phishing email sent to an EMC employee.  The email carried an Excel spreadsheet booby-trapped with an embedded Flash object, which exploited a then-unpatched (zero-day) vulnerability in Adobe Flash to install a backdoor on the employee's system.
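A practical check that follows from the attack chain above is to look at attachments for embedded Flash before anyone opens them.  The following is an added example, not code from the original post or from RSA/EMC: it scans a legacy binary .xls (an OLE2 compound file, whose streams are stored uncompressed) or an OOXML .xlsx (a zip container) for the SWF header, which begins with "FWS", "CWS", or "ZWS" followed by a version byte and a length.  The sample documents are constructed inline and contain no real exploit; the version ceiling and header sanity checks are assumptions chosen to cut down false matches.

```python
"""Scan an Office document for embedded Flash (SWF) objects.

Added example (not from the original post). Finding an embedded SWF does not
prove a document is malicious, but in an unsolicited attachment it is reason
enough to quarantine it rather than open it.
"""
import io
import struct
import zipfile

# SWF header: 3-byte signature, 1-byte version, 4-byte little-endian length.
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")  # plain, zlib-compressed, LZMA-compressed
SWF_HEADER_LEN = 8
MAX_PLAUSIBLE_VERSION = 50  # assumption: Flash Player was at ~v10-11 in 2011


def find_swf_headers(data: bytes):
    """Return (offset, signature, version, length) for each plausible SWF header."""
    hits = []
    for sig in SWF_SIGNATURES:
        start = 0
        while True:
            off = data.find(sig, start)
            if off < 0:
                break
            start = off + 1
            if off + SWF_HEADER_LEN > len(data):
                continue
            version = data[off + 3]
            (length,) = struct.unpack_from("<I", data, off + 4)
            # Filter random 3-byte coincidences: the version must be sane and the
            # declared length must at least cover the header itself.
            if 1 <= version <= MAX_PLAUSIBLE_VERSION and length >= SWF_HEADER_LEN:
                hits.append((off, sig.decode(), version, length))
    return sorted(hits)


def scan_document(data: bytes):
    """Scan an OLE2 (.xls/.doc) or zipped OOXML (.xlsx/.docx) document for SWF.

    Returns a list of (container_member, offset, signature, version, length).
    """
    results = []
    if data[:4] == b"PK\x03\x04":
        # OOXML: embedded objects live under xl/embeddings/, word/embeddings/, etc.
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                for hit in find_swf_headers(zf.read(name)):
                    results.append((name,) + hit)
    else:
        # OLE2 streams are not compressed, so a raw byte scan finds the header
        # unless it happens to straddle a sector boundary (possible but unusual).
        for hit in find_swf_headers(data):
            results.append(("<raw>",) + hit)
    return results


# Constructed samples (not real malware): OLE2 magic, padding, then a fake
# zlib-compressed SWF header; and a clean blob where "FWS" appears as text
# but with an impossible version byte of 0.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
SAMPLE_XLS = (OLE2_MAGIC + b"\x00" * 504 + b"CWS" + bytes([10])
              + struct.pack("<I", 4096) + b"\x78\x9c" + b"\x00" * 64)
SAMPLE_CLEAN = OLE2_MAGIC + b"\x00" * 512 + b"Quarterly numbers" + b"FWS" + b"\x00" * 5


def build_sample_xlsx() -> bytes:
    """Constructed OOXML container with a fake plain SWF in an embedded object."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/embeddings/oleObject1.bin",
                    b"\x00" * 16 + b"FWS" + bytes([9]) + struct.pack("<I", 200) + b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("xls", SAMPLE_XLS), ("clean", SAMPLE_CLEAN), ("xlsx", build_sample_xlsx())):
        print(label, scan_document(doc))
```

This is a triage heuristic, not a verdict: a real mail gateway would also unpack OLE streams properly and hand anything with Flash inside to a sandbox, and legitimate documents occasionally embed Flash, so the point is to stop the file at the gateway and let a human decide, rather than to rely on the recipient spotting it.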

What can we learn from this?  Well, for one, it excuses RSA to some degree, since the zero-day flaw couldn't have been patched at the time.  It also highlights, yet again, the importance of user training and a sound IT Security Policy.  What if this user had been trained on how to recognize a suspicious email?  Maybe the attack would have happened anyway, if not through this user then through another, but maybe it wouldn't.  The attack chained several vectors, but the entry point itself was not complex: a user opened an unexpected attachment.  As is often the case, training the staff on detecting phishing threats and thwarting social engineering attacks would have gone a long way toward mitigating this threat.  RSA isn't alone in this regard - users will continue to be the weak spot in any organization's security.

This entry was based on information found in the following excellent articles:

If you don't yet have an IT Security Policy, or would like to update the one you do have, a great site to visit is InstantSecurityPolicy.com, which uses a wizard to customize security policies to your company's needs.  A comprehensive policy, plus user training on how to spot threats and use the Internet safely, will go a long way in mitigating these inherent risks.

Tuesday, June 7, 2011

APTs: So What if you ARE a Target?

This blog post continues the discussion from last month, which examined Advanced Persistent Threats, or APTs.  You can find it here.

So if leading technology companies can't stop an APT, what chance do you have of defending against one?  The unfortunate answer is: not much.

An interesting article from DarkReading.com discusses what you should know about detecting a targeted attack, and goes over the methodology an attacker might use to probe a company for weaknesses.  Rightly, the article also discusses the human vulnerabilities inherent to every company, saying: “Detecting attacks attempting to exploit human assets is often nearly impossible without regular training and awareness. You can't install Snort on your CEO and CFO.”  This is a great point – if your company is specifically targeted by an attacker and your network is secure, the attacker will naturally turn to social engineering, custom malware, or spear phishing in an attempt to gain a foothold.  Some tools can offer limited assistance here, but none surpass user awareness.

To that point, you should make an effort to check out the online tools that your users frequent - Facebook, Gmail, Craigslist, and LinkedIn for example.  These all have good resources that explain how to control privacy of information, as well as tips to avoid scams common to these applications.  These pages can typically be located within a few clicks and are well worth the effort to find.  Make it a point to compile and send these tips to your users on a regular basis.

Your users are, by far, your biggest security liability.  Instituting a sound security policy, coupled with user training, is a must.  Your security policy is your IT security playbook: user-oriented policies, and training about these policies, will act to "harden" your users just as you might harden your network perimeter.

If you don't already have a security policy, check out www.InstantSecurityPolicy.com, which can help you obtain a custom set of security policies in minutes.

Tuesday, May 24, 2011

With the Rise of APTs, Security Policies are More Important Than Ever

Much has recently been made of a "new" kind of attack, the Advanced Persistent Threat (APT), following attacks on RSA, Google, Adobe Systems, and others.  APTs are not new, but they can be by far the most damaging kind of attack.  So what can you do to stop them?  First let's go over the basics:

Just What Exactly Is an Advanced Persistent Threat?


An APT is by far the most difficult type of attack to stop.  It combines multiple vulnerabilities (sometimes zero-day), social engineering, spear phishing, and offline techniques into a long-term and carefully crafted attack.  There is an objective to these attacks – they are not smash-and-grab hits where attackers look for anything of value.  Anyone using an APT is after the “crown jewels” of a company: intellectual property, massive stores of customer or credit card data, classified information, product blueprints, source code, etc.  The attacks move laterally through a network, and can be difficult, if not impossible, to detect.  The attacker will have a long-term horizon, sometimes staying in a network for years, searching for the target.

The good news, if there is any, is that these attacks are relatively rare.  Due to their complexity and cost, targets of APTs seem to be limited to very large corporations and government entities.  These aren’t the script kiddies of old, but sophisticated criminal or government-funded entities, which is exactly what makes these attacks so devastating.  Combating them requires, at a minimum, that you:
  • Institute tight security controls and good coding practices on your public servers.
  • Perform vulnerability assessments to find systems that may allow code injection.
  • Monitor your network with an IDS and review system logs, tracking down any suspicious entries. 
  • Perhaps most importantly: educate your users on secure web and email practices, through the development and implementation of a solid security policy.
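The log-review item above is where a backdoor that has already got past the user tends to show itself: an implant checking in with its operator connects to the same host again and again on a timer, which no person does.  The following is an added example, not from the original post, of that check run over proxy-style log lines.  The log format ("ISO timestamp, client IP, destination host" per line), the hostnames, and the thresholds are all constructed or assumed for illustration; a real Squid or Blue Coat log carries the same three fields and only the parser would change.

```python
"""Flag beacon-like connections in proxy logs (added example, not from the post).

A host contacting one destination many times at near-uniform intervals is
treated as machine-driven; a person browsing produces irregular gaps.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

MIN_CONNECTIONS = 6      # assumption: fewer samples are too few to judge regularity
MAX_JITTER_RATIO = 0.15  # assumption: stdev(interval)/mean(interval) at or below this is suspicious


def parse_line(line: str):
    """Parse the constructed '<ISO timestamp> <client IP> <destination host>' format."""
    ts, client, host = line.split()
    return datetime.fromisoformat(ts), client, host


def find_beacons(lines, min_connections=MIN_CONNECTIONS, max_jitter=MAX_JITTER_RATIO):
    """Return {(client, host): (count, mean_interval_s, jitter_ratio)} for beacon-like pairs."""
    times = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, client, host = parse_line(line)
        times[(client, host)].append(ts)

    flagged = {}
    for key, stamps in times.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(intervals)
        if avg <= 0:
            continue  # duplicate timestamps only; nothing to measure
        jitter = pstdev(intervals) / avg
        if jitter <= max_jitter:
            flagged[key] = (len(stamps), round(avg, 1), round(jitter, 3))
    return flagged


# Constructed sample log: 10.1.2.15 checks in with cdn-stat.example.net roughly
# every five minutes (an implant), browses news.example.com irregularly (a
# person), and 10.1.2.20 touches the same odd host only twice.
SAMPLE_LOG = """
2011-09-12T08:00:00 10.1.2.15 cdn-stat.example.net
2011-09-12T08:01:10 10.1.2.15 news.example.com
2011-09-12T08:01:12 10.1.2.15 news.example.com
2011-09-12T08:03:40 10.1.2.15 news.example.com
2011-09-12T08:05:03 10.1.2.15 cdn-stat.example.net
2011-09-12T08:10:01 10.1.2.15 cdn-stat.example.net
2011-09-12T08:14:58 10.1.2.15 cdn-stat.example.net
2011-09-12T08:20:02 10.1.2.15 cdn-stat.example.net
2011-09-12T08:25:00 10.1.2.15 cdn-stat.example.net
2011-09-12T08:30:04 10.1.2.15 cdn-stat.example.net
2011-09-12T08:31:05 10.1.2.15 news.example.com
2011-09-12T08:34:59 10.1.2.15 cdn-stat.example.net
2011-09-12T09:12:50 10.1.2.15 news.example.com
2011-09-12T09:13:02 10.1.2.15 news.example.com
2011-09-12T09:30:00 10.1.2.20 cdn-stat.example.net
2011-09-12T11:45:00 10.1.2.15 news.example.com
2011-09-12T12:00:00 10.1.2.20 cdn-stat.example.net
"""

if __name__ == "__main__":
    for (client, host), (count, avg, jitter) in find_beacons(SAMPLE_LOG.splitlines()).items():
        print(f"{client} -> {host}: {count} connections, every ~{avg}s, jitter {jitter}")
```

Treat the output as a lead list, not an alert: software update agents, time sync and monitoring probes beacon just as regularly and need an allow-list, and a careful implant adds random jitter or rotates hosts, which pushes a pair above the ratio.  The value of the exercise is that it turns "review system logs for suspicious entries" into a repeatable query rather than a hope.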

Unfortunately, the new challenge of IT Security involves protecting your network from unpredictable and blended threats that can come from anywhere – not just those that come through the front door.  APTs will likely become more prevalent as the costs and complexity of these attacks decrease with advances in technology.

If you don't already have a security policy, check out www.InstantSecurityPolicy.com, which can help you obtain a custom set of security policies in minutes.  Coming soon: "So What if You Are a Target?"