RSA SecurID: Hacked but Not UnWitnessed

Enterprises must migrate to newer security models in the never-ending fight against increasingly sophisticated attackers. Here, Knowledge Center analyst Jack E. Gold discusses how real-time monitoring and analysis played an important role in catching and containing last month's RSA SecurID data breach.

It's now been a little over four weeks since RSA, the company behind the famed SecurID two-factor authentication token, disclosed that it had been hacked and that information related to SecurID had been taken. It had long been assumed that this system was hack-proof, given its record of securing some of the largest corporations and government agencies. Yet, in the end, like most security breaches, the intrusion began with human error (an employee opening a malicious attachment) rather than with a weakness in the SecurID token technology itself; the attackers did rely on an unpatched zero-day, but it was the opened attachment that let it run.

It's worth looking at exactly what happened, because it shows why current user-centric security models are flawed, and why I recommend the new, more comprehensive models now emerging, which will enable the next generation of protection in an increasingly sophisticated world of cyber attacks on companies and individuals. Not all the details are public yet (RSA rightly wants to keep some of the lower-level details private to prevent copycat attacks), but enough has surfaced that companies can learn from the incident and hopefully prevent similar attacks.

So, what happened? In a nutshell, a phishing e-mail with the subject line "2011 Recruitment Plan" was sent to a small number of lower-level employees. It carried an Excel spreadsheet containing an embedded Flash file that exploited a zero-day vulnerability. At least one recipient opened the attachment, believing it to be legitimate. The exploit gave the attackers a foothold on that workstation, from which they harvested user IDs and passwords and used them to reach the server holding SecurID data. There they gathered a number of data files and transferred them to a compromised staging server at a hosting provider; from there, the data was moved on to a remote server under the attackers' control.

What is important to note is that RSA was able to catch this breach in progress and halt it in near real time, although not before at least some sensitive information had left the network. This defense was possible because RSA was not looking only at log-in credentials and authorization decisions; it was also monitoring and analyzing all traffic leaving its network. That outbound view let RSA determine that a connection was moving sensitive data without authorization and cut it off rapidly. A stolen but valid user ID and password would have passed any credential check; it was the unusual outbound transfer that gave the intrusion away.
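As an added illustration of the egress-side monitoring described above (this is example code written for this article, not RSA's own tooling), the following script baselines each internal host's outbound traffic and then flags later flows that combine several signals of data staging: a never-before-seen external destination, a volume far above that host's prior maximum, and a bulk-transfer port. The flow log format, the internal address ranges, the port list, the thresholds and the sample records are all assumptions constructed for the example.

```python
"""Egress-anomaly detection over outbound flow records.

Added example, not RSA's monitoring code. It assumes a constructed
flow-style log with the fields: timestamp, src_ip, dst_ip, dst_port, bytes_out.
The internal address ranges, port list and thresholds are assumptions
chosen for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
BULK_TRANSFER_PORTS = {21, 22, 445}   # FTP, SSH/SCP, SMB: typical staging channels (assumed)
VOLUME_FACTOR = 10                    # alert when a flow is 10x the host's prior max (assumed)
MIN_REASONS = 2                       # require two independent signals before alerting

# Constructed sample records (not real RSA traffic). Day 1 is normal activity;
# on day 2 host 10.1.1.50 pushes hundreds of megabytes over FTP to an
# external address it has never talked to, while 10.1.1.20 stays normal.
SAMPLE_LOG = """\
2011-03-01T09:00:00 10.1.1.20 10.1.1.5 445 120000
2011-03-01T09:05:00 10.1.1.20 93.184.216.34 443 8000
2011-03-01T09:10:00 10.1.1.20 93.184.216.34 443 7500
2011-03-01T10:00:00 10.1.1.50 10.1.1.5 445 50000
2011-03-01T10:15:00 10.1.1.50 93.184.216.34 443 9000
2011-03-02T02:13:00 10.1.1.50 203.0.113.77 21 380000000
2011-03-02T02:40:00 10.1.1.50 203.0.113.77 21 410000000
2011-03-02T09:00:00 10.1.1.20 93.184.216.34 443 7500
2011-03-02T09:30:00 10.1.1.20 198.51.100.9 443 6000
"""


def parse_flows(text):
    """Parse whitespace-separated flow records into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst,
                      "port": int(port), "bytes": int(nbytes)})
    return flows


def is_internal(ip):
    """True when the address falls inside one of the assumed internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def build_baseline(flows, cutoff):
    """Per-source view of external egress seen before `cutoff`.
    Timestamps are ISO-8601 strings of equal length, so they compare as text."""
    peers = defaultdict(set)   # src -> external destinations seen before cutoff
    max_bytes = {}             # src -> largest external transfer before cutoff
    for f in flows:
        if f["ts"] < cutoff and not is_internal(f["dst"]):
            peers[f["src"]].add(f["dst"])
            max_bytes[f["src"]] = max(max_bytes.get(f["src"], 0), f["bytes"])
    return peers, max_bytes


def detect_egress_anomalies(flows, cutoff):
    """Return alerts for outbound flows at or after `cutoff` that combine at
    least MIN_REASONS of: a never-seen external peer, a volume far above the
    host's baseline, and a bulk-transfer port."""
    peers, max_bytes = build_baseline(flows, cutoff)
    alerts = []
    for f in flows:
        if f["ts"] < cutoff or is_internal(f["dst"]):
            continue
        reasons = []
        if f["dst"] not in peers[f["src"]]:
            reasons.append("new external peer")
        prior = max_bytes.get(f["src"])
        if prior is None:
            reasons.append("no prior external egress from host")
        elif f["bytes"] > VOLUME_FACTOR * prior:
            reasons.append(f"volume {f['bytes'] // prior}x baseline max")
        if f["port"] in BULK_TRANSFER_PORTS:
            reasons.append("bulk-transfer port")
        if len(reasons) >= MIN_REASONS:
            alerts.append({**f, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect_egress_anomalies(parse_flows(SAMPLE_LOG), "2011-03-02T00:00:00"):
        print(f"{a['ts']} {a['src']} -> {a['dst']}:{a['port']} "
              f"{a['bytes']} bytes: {', '.join(a['reasons'])}")
```

Run as-is, the script reports only the two FTP flows from 10.1.1.50 to 203.0.113.77, each carrying all three signals, and stays silent on 10.1.1.20's small HTTPS session to a new address, which trips just one rule. Requiring two independent signals is what keeps the rule set usable: a new peer alone or a large transfer alone is ordinary on most networks, but the staging server in the attack chain described above is both new and receiving far more than the host ever sent before. In production the baseline would be built from weeks of flow data rather than a single day, but the point stands: none of these fields involve the user's credentials, which is why this check catches what a login-only view cannot.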