While security researchers have been talking about advanced persistent threats for some time, RSA's SecurID breach has thrust APTs to the forefront as the biggest danger to organizations.
While customers are
understandably concerned about the security of their SecurID deployments, the RSA breach is a wake-up call about the recent increase in what security
experts call APTs: advanced persistent threats.
Attackers had successfully breached
the RSA's networks and stolen information related to the
company's SecurID two-factor authentication technology, revealed Art Coviello,
the executive chairman of RSA Security, in an open letter to customers posted on
the RSA Website on March 17. RSA identified the attack as an APT in its letter.
APTs are ongoing attacks
where perpetrators probe the target systems looking for information such as
source code and other sensitive intellectual property. APTs are a "new breed of
cyber-adversary" and cannot be addressed in the same way as other Web threats,
Adam Vincent, CTO of the Public Sector group at Layer 7 Technologies,
The attackers are
well-funded, highly organized and are most likely employing new techniques-ones
that are probably not protected by network encryption, firewalls and other
security products, Vincent said. Security products can't provide sufficient
capabilities to protect an organization from APTs as the lurking attackers are
often indistinguishable from legitimate users, he said.
Operation Aurora, which compromised systems at Google and a number of
other major companies in 2009, was a type of APT. "If Google and Aurora wasn't enough of a wake-up call, this is
another wake-up call," said Peter Schlampp, vice president of product
management at Solera Networks, told eWEEK.
The general consensus appears
to be that if RSA can fall, then there's little chance for smaller
companies. So organizations need to do more than just spend money to block
threats, Chris Larsen, head security malware researcher at Blue Coat Systems,
told eWEEK. They need to assume they are already infected and invest in
security technologies, such as network forensics and log management systems,
that will allow them to find the breach, he said.
While RSA has remained silent about what was stolen, when the data breach
occurred, how attackers got into the network and how long the breach lasted,
the company recommended that customers harden their other security layers in
case of a follow-up attack.
"A layered security approach
is always best," said Avivah Litan, a distinguished analyst at Gartner. While
one-time password [OTP] systems "raise the bar for the criminals," they were
vulnerable to compromise even before the RSA breach, she said. "Maybe this incident will wake up companies to the
need for more controls than just OTP authentication," she said.
Assuming that the attackers
stole the seed values used to generate the one-time passwords on the SecurID
tokens, a potential scenario has cyber-criminals leveraging social engineering
and spear phishing tactics to obtain the serial number of the SecurID token.
With that serial number and seed values in hand, attackers can masquerade as
the user to log in to secured networks, such as those in financial institutions.
The scenario isn't all that
dire: It just means that RSA customers will need to replace the tokens, according
to Kyle Adams, architect and lead developer at Mykonos Software. "The actual
two-factor authentication technology remains secure, and it's just some key
information that was lost," Adams told eWEEK. If customers feel that SecurID is compromised,
they are likely to replace it with competitor products. In fact, CA has
announced that SecurID customers can trade in their RSA tokens in a one-for-one swap for CA's own
authentication platform, the CA ArcotID Secure Software Credentials.