When a security company like RSA reveals that its network has been breached and data stolen, customers are left wondering what they can do if they ever get attacked.

As RSA deals with the data breach in which attackers stole information about its two-factor authentication technology, organizations can watch and learn how to deal with these kinds of attacks.
RSA acknowledged on March 17, in a letter on its Web site, that it had been hit by an advanced persistent threat and that some information about SecurID had been stolen. While it quickly assured customers that the theft wouldn't expose them to any direct attacks, the company acknowledged that the one-time password system would be vulnerable as part of a

The letter was vague on details, but suggested customers shore up other aspects of security, such as tracking changes in user access and privilege levels and educating employees about social engineering.
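The letter's advice to track changes in user access and privilege levels can be turned into a simple control: snapshot each account's roles periodically and diff the snapshots, flagging any grant of a sensitive role. The following is an added example written for this article, not code from RSA or eWEEK; the snapshots, the account names and the `SENSITIVE_ROLES` set are all constructed for illustration.

```python
"""Detect changes in user access and privilege levels between two snapshots.

Added example (not from the article or from RSA): compares two constructed
snapshots of user -> roles and reports which accounts gained or lost access,
flagging any grant of a role in SENSITIVE_ROLES as a privilege elevation.
"""
from dataclasses import dataclass

# Roles treated as sensitive. This set is an assumption for the example;
# a real deployment would derive it from its own role model.
SENSITIVE_ROLES = frozenset({"domain-admin", "token-seed-access", "backup-operator"})


@dataclass(frozen=True)
class AccessChange:
    user: str
    gained: frozenset  # roles present in the new snapshot but not the old one
    lost: frozenset    # roles present in the old snapshot but not the new one

    def is_elevation(self) -> bool:
        """True when the account gained at least one sensitive role."""
        return bool(self.gained & SENSITIVE_ROLES)


def diff_snapshots(before: dict, after: dict) -> list:
    """Return one AccessChange per account whose role set differs.

    Accounts created between snapshots appear with every role 'gained';
    accounts removed appear with every role 'lost'. Output is sorted by user
    so repeated runs produce stable, comparable reports.
    """
    changes = []
    for user in sorted(set(before) | set(after)):
        old = frozenset(before.get(user, ()))
        new = frozenset(after.get(user, ()))
        if old != new:
            changes.append(AccessChange(user, new - old, old - new))
    return changes


def elevations(before: dict, after: dict) -> list:
    """Only the changes that grant a sensitive role; these warrant an alert."""
    return [c for c in diff_snapshots(before, after) if c.is_elevation()]


def format_report(changes: list) -> list:
    """Render changes as one line each, prefixed ALERT for elevations."""
    lines = []
    for c in changes:
        level = "ALERT" if c.is_elevation() else "info"
        gained = ",".join(sorted(c.gained)) or "-"
        lost = ",".join(sorted(c.lost)) or "-"
        lines.append(f"{level}: {c.user} gained=[{gained}] lost=[{lost}]")
    return lines


# Constructed snapshots (not real accounts): yesterday's and today's role map.
BEFORE = {
    "alice": {"developer"},
    "bob": {"helpdesk"},
    "svc-build": {"backup-operator"},
}
AFTER = {
    "alice": {"developer", "domain-admin"},   # elevation: gained domain-admin
    "bob": {"helpdesk"},                      # unchanged, not reported
    "svc-build": set(),                       # lost backup-operator, informational
    "mallory": {"token-seed-access"},         # new account created with a sensitive role
}

if __name__ == "__main__":
    for line in format_report(diff_snapshots(BEFORE, AFTER)):
        print(line)
```

Run once a day against an export from the directory or IAM system and route the ALERT lines to the on-call queue; the informational lines are still worth keeping, since a removed role can be the cleanup step after an intruder has finished with an account.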
RSA is a "great example of what organizations have to do when they figure out they've been breached," Peter Schlampp, vice president of product management for digital forensics firm Solera Networks, told eWEEK.

The fact that RSA identified the attack and seems to know what was taken is a good sign. "It is very clear to me they have some kind of network forensics technology in place," Schlampp said. In many cases, when companies discover a breach, they have no idea what was exposed, he said. The tone of the letter makes it clear that RSA knows exactly what was stolen, he

RSA probably knows exactly where the attackers entered the network and the exact instance of the file that was copied, he said. RSA's network forensics technology would have provided the company's investigators with the name, location and contents of the file as well.

The company has all the information it needs to identify the attack, say what was stolen, figure out how to prevent it from happening again, and remediate the breach, according to Schlampp.
RSA identified the attack as an advanced persistent threat (APT) in its letter. APTs are generally ongoing attacks in which the perpetrators probe the network looking for information. They are not after immediate financial gain, but information that can be used to launch further attacks, he said.

APTs are currently the "biggest threats" facing large organizations, but IT managers and security professionals aren't talking about them as much, Schlampp said. The RSA breach should encourage organizations to start looking at their own infrastructure, and at the RSA breach itself, for information on how to deal with this growing threat, he said.
"If Google and Aurora wasn't enough of a wake-up call, this is another wake-up call," said Schlampp. Last year, Google announced it had been subject to ongoing attacks as part of Operation Aurora. A number of other companies were also included in Aurora, although there were other, unrelated APT attacks on other large companies as well.

APTs highlight the fact that attackers are looking for "new novel ways" to get into the network using advanced and highly targeted techniques, Schlampp said. Organizations need to make sure that their security defenses are collecting all the information they will need, so that if a breach occurs they are notified and can immediately perform root cause analysis to determine what happened, he said.
Schlampp wouldn't be surprised if RSA started offering network forensics and technology specifically geared towards dealing with APTs in the "coming days," he said. RSA has shown a lot of "integrity" in stepping up and acknowledging the breach, Schlampp said. That will go a long way towards restoring trust with customers, he suggested.