
AN ANALYSIS OF A SECURITY BREACH AT RSA SECURITY

Jimmy Kenny
A00177486


Security Assignment Jimmy Kenny A00177486

Contents

Introduction
Background
  RSA Security
  RSA SecurID
The Security Breach
RSA's Initial Actions
The Ultimate Cost
What did RSA do to improve their Security Procedures?
References


Introduction

On March 17th, 2011 RSA Security, the security division of EMC Corporation, disclosed a sophisticated cyber-attack in which information related to its SecurID authentication mechanism had been extracted from its systems. SecurID tokens are used in two-factor authentication systems, and at the time an estimated 40 million of them were in use to control access to corporate and government networks. The attack began with spear phishing and is believed to have been carried out by two separate groups working together on behalf of a foreign government. In an open letter to its customers in June 2011 the company's President, Art Coviello, stated that:

"Certain characteristics of the attack on RSA indicated that the perpetrator's most likely motive was to obtain an element of security information that could be used to target defence secrets and related IP, rather than financial gain, PII, or public embarrassment."

In March 2012 the director of the U.S. National Security Agency, General Keith Alexander, told a hearing of the Senate Armed Services Committee that China was the main suspect behind the breach.

Although the company maintained that no customer networks had been breached, it decided to replace all the SecurID tokens in circulation. It has been estimated that replacing and distributing new tokens cost RSA about $66 million. The cost to its customers of re-distributing tokens to their own users is thought to run to hundreds of millions of dollars.

This report outlines how the breach happened, how RSA dealt with it, what effect it had on the company, and what improvements in security procedures the company has made, or should make, to avoid a similar incident.


Background

This section first gives a brief corporate overview of RSA Security and then explains how its SecurID tokens work.

RSA Security

RSA was founded in 1982 by Ron Rivest, Adi Shamir and Len Adleman, the inventors of the RSA public-key encryption algorithm. It provides security solutions to corporations and governments around the world, including identity assurance and access control, encryption and key management, compliance and security information management, and fraud protection. RSA makes the login security systems used by 95 of the Fortune 100 companies (Fowler, 2013).

In 2006 RSA was acquired by EMC Corporation for $2.1 billion. EMC is one of the world's largest providers of data storage systems; it employs over 60,000 people and reported revenues of $21.7 billion in 2012 (EMC, 2014). Besides RSA Security, its subsidiaries include VMware and Iomega. One of RSA's main products is the SecurID authenticator.

RSA SecurID

The SecurID mechanism consists of a 'token', either a hardware device or a piece of software, assigned to an individual user. Each token holds a unique secret seed value and a clock. A fixed algorithm, the same in every token, processes the seed and the current time to produce the 6-digit code shown on the token; a new code is generated at fixed intervals, usually every minute. Because the algorithm is common to all tokens, the security of the scheme rests entirely on the secrecy of each token's seed: anyone who obtains a token's seed, and the serial number that ties it to a user, can compute exactly the same codes as the token.

An RSA SecurID server is connected to whatever system the user is logging into. The server stores the seed of each user's token and runs the same algorithm to generate the expected code. When the user wants to log in, he or she reads the current code from the token and enters it, usually together with a User ID and PIN. The server computes the code for the same time step and, if it matches the code entered, the user is authenticated and granted access.

(Figure: the SecurID 'hardware' token)
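As an added illustration (not code from this report or from RSA), the Python below models the time-synchronous scheme just described. It uses the HMAC-based TOTP construction of RFC 6238 in place of SecurID's own proprietary algorithm; that substitution, the seed value, the serial number and the one-step clock-drift window are all assumptions made for the example. It shows the server recomputing the code, refusing a replayed code, and, the point that matters for this breach, accepting a code produced by an attacker who holds a copy of the seed record.

```python
import hashlib
import hmac
import struct

# Constructed values for the example; not a real SecurID seed or serial number.
DEMO_SERIAL = "000123456789"
DEMO_SEED = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
STEP_SECONDS = 60   # the report: a new code "usually every minute"
CODE_DIGITS = 6


def token_code(seed: bytes, unix_time: int) -> str:
    """Code displayed by a token holding `seed` at time `unix_time`.

    Stand-in for SecurID's proprietary algorithm (assumption): HMAC-SHA1 over
    the time-step counter, truncated to CODE_DIGITS decimal digits, i.e. the
    RFC 6238 construction. The property that matters is the same:
    same seed + same clock => same code.
    """
    counter = unix_time // STEP_SECONDS
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    number = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


class AuthServer:
    """Server side: holds a copy of every token's seed, keyed by serial number."""

    def __init__(self, seeds_by_serial: dict, drift_steps: int = 1):
        self._seeds = dict(seeds_by_serial)
        self._drift = drift_steps            # tolerate +/- this many steps of clock drift
        self._last_used_step: dict = {}      # per serial: highest step already accepted

    def verify(self, serial: str, code: str, now: int) -> bool:
        seed = self._seeds.get(serial)
        if seed is None or not (code.isascii() and code.isdigit()):
            return False
        current = now // STEP_SECONDS
        for step in range(current - self._drift, current + self._drift + 1):
            # A code is single-use: never accept a step at or before one already used.
            if step <= self._last_used_step.get(serial, -1):
                continue
            if hmac.compare_digest(token_code(seed, step * STEP_SECONDS), code):
                self._last_used_step[serial] = step
                return True
        return False


def seed_theft_scenario(now: int = 1300000020) -> dict:
    """Legitimate login, replay of the same code, then a login by an attacker
    who obtained a copy of the seed record (serial -> seed), as at RSA."""
    server = AuthServer({DEMO_SERIAL: DEMO_SEED})
    code = token_code(DEMO_SEED, now)                    # read off the user's token
    user_login = server.verify(DEMO_SERIAL, code, now)
    replay = server.verify(DEMO_SERIAL, code, now + 5)   # same code again: rejected
    stolen_seed = DEMO_SEED                              # attacker's copy of the seed
    later = now + 2 * STEP_SECONDS
    attacker_code = token_code(stolen_seed, later)       # computed on the attacker's own clock
    attacker_login = server.verify(DEMO_SERIAL, attacker_code, later)
    return {"user_login": user_login, "replay": replay, "attacker_login": attacker_login}


if __name__ == "__main__":
    print(seed_theft_scenario())
```

The server cannot distinguish the attacker's code from the user's, since both are derived from the same seed and clock. That is why the stolen seed records could only be remediated by replacing tokens, and why the PIN that the user types alongside the code (which the token never sees) was the remaining line of defence.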

The Security Breach

RSA disclosed the cyber-attack on March 17th, 2011. On April 1st Uri Rivner, RSA's head of new technologies and consumer identity protection, gave details of the attack in a blog entry (Rivner, 2011), which is summarised below.

(Figure: Anatomy of the Attack. Source: https://blogs.rsa.com/anatomy-of-an-attack)

Some time before the attack the perpetrators are believed to have used social media to collect publicly available details of RSA employees: names, job titles, contact details and so on. Such details make an email from an attacker look genuine. In this case two small groups of relatively low-level employees were targeted with two different phishing emails. The emails' subject line read '2011 Recruitment Plan' and they carried an attached Excel spreadsheet titled '2011 Recruitment plan.xls'. The email looked like an internal message; it had been filtered into a Junk mail folder, but at some point one employee retrieved it from there and opened the Excel file.

The spreadsheet contained an embedded Adobe Flash object that exploited a then-unpatched Flash vulnerability (CVE-2011-0609), a zero-day, to install a backdoor on the computer. The attackers were then able to control the machine with a remote administration tool, a variant of the Poison Ivy Trojan. The employee's access credentials were used as a stepping stone to reach other user accounts with higher privileges. Once they had the privileges they wanted, the attackers targeted the servers they were interested in. Data was copied from these servers to internal staging servers, where it was aggregated, compressed and encrypted for extraction. Many password-protected RAR files were then transferred by FTP to an external staging server, a compromised machine at a hosting provider. The attackers pulled the files from that server and deleted them to remove traces of the attack.
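The staging and exfiltration steps just described are where a defender gets a second chance after the initial phish. As an added example (not from this report and not RSA's own tooling), the Python below runs a simple detection over a constructed FTP proxy log: it flags outbound FTP uploads of archive files to hosts outside the internal address ranges, aggregates them per source and destination, and separately notes internal archive transfers that could be staging. The log format, host addresses, the internal address ranges and the size threshold are all assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed FTP proxy log for the example (format, hosts, names and sizes are invented).
CONSTRUCTED_LOG = """\
2011-03-16T01:02:11Z src=10.20.5.17 dst=10.20.9.3 dport=21 bytes_out=31457280 file=hr_archive_01.rar
2011-03-16T01:05:40Z src=10.20.5.17 dst=203.0.113.45 dport=21 bytes_out=31457280 file=hr_archive_01.rar
2011-03-16T01:09:03Z src=10.20.5.17 dst=203.0.113.45 dport=21 bytes_out=29360128 file=hr_archive_02.rar
2011-03-16T01:12:55Z src=10.20.5.17 dst=203.0.113.45 dport=21 bytes_out=33554432 file=hr_archive_03.rar
2011-03-16T08:30:00Z src=10.20.7.22 dst=198.51.100.8 dport=21 bytes_out=2048 file=pricelist.txt
2011-03-16T08:31:10Z src=10.20.7.22 dst=198.51.100.8 dport=443 bytes_out=8192 file=-
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"bytes_out=(?P<bytes_out>\d+) file=(?P<file>\S+)$"
)
# Assumed internal ranges; checked explicitly rather than via ip_address().is_private,
# which would also treat the documentation ranges used in the sample log as non-public.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ARCHIVE_EXTS = (".rar", ".zip", ".7z", ".gz", ".tar")
FTP_PORTS = {20, 21}


def parse_log(text: str) -> list:
    """Parse the constructed key=value log lines into dicts with typed fields."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # in production: count unparsed lines rather than dropping them silently
        e = m.groupdict()
        e["dport"] = int(e["dport"])
        e["bytes_out"] = int(e["bytes_out"])
        events.append(e)
    return events


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_exfil(events: list, min_total_bytes: int = 10 * 1024 * 1024) -> list:
    """Group archive uploads over FTP by (src, dst) and rate them.

    external destination, large total -> "high"   (the RSA exfiltration pattern)
    external destination, small total -> "medium"
    internal destination              -> "low"    (possible staging of collected data)
    Non-archive files and non-FTP ports are ignored.
    """
    groups = defaultdict(lambda: {"count": 0, "total_bytes": 0, "files": []})
    for e in events:
        if e["dport"] not in FTP_PORTS or not e["file"].lower().endswith(ARCHIVE_EXTS):
            continue
        g = groups[(e["src"], e["dst"])]
        g["count"] += 1
        g["total_bytes"] += e["bytes_out"]
        g["files"].append(e["file"])
    alerts = []
    for (src, dst), g in groups.items():
        external = not is_internal(dst)
        if external and g["total_bytes"] >= min_total_bytes:
            severity = "high"
        elif external:
            severity = "medium"
        else:
            severity = "low"
        alerts.append({"src": src, "dst": dst, "severity": severity, **g})
    order = ("high", "medium", "low")
    return sorted(alerts, key=lambda a: order.index(a["severity"]))


if __name__ == "__main__":
    for alert in detect_exfil(parse_log(CONSTRUCTED_LOG)):
        print(alert)
```

The rule is deliberately coarse; its value is that in the narrative above every piece of stolen data had to pass through exactly this choke point, and an organisation that does not normally upload RAR files to hosting providers over FTP can alert on the first such transfer or, better, block outbound FTP at the perimeter altogether.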

RSA's Initial Actions

On Thursday, March 17th 2011, the day the breach was disclosed, RSA posted a letter on its website from its chairman, Art Coviello. The letter confirmed that the company had suffered an attack that "is in the category of an Advanced Persistent Threat (APT)". It gave no details of the breach itself, but Coviello went on to say: "Our investigation also revealed that the attack resulted in certain information being extracted from RSA's systems." He did not specify what data had been stolen, only that it "could potentially be used to reduce the effectiveness of a current two-factor authentication [SecurID] implementation as part of a broader attack." He also said there was no indication that the stolen data had been used to attack any of RSA's customers, and that "We took a variety of aggressive measures against the threat to protect our business and customers, including further hardening of our I.T. infrastructure." The company urged its customers to follow a number of security best practices, such as enforcing strong password and PIN policies, educating employees to avoid suspicious emails, and limiting "remote and physical access to infrastructure that is hosting critical security software" (Goodin, 2011). The company also submitted a filing to the Securities and Exchange Commission indicating that it did not expect the breach to have any financial impact (Markoff, 2011).

Coviello was criticised by security experts for the vagueness of the letter (Goodin, 2011), and it is not clear what details of the attack were given to RSA's customers at this point. There was widespread concern that the breach could pose a serious threat to the countless businesses and government agencies that relied on SecurID authentication.

It was not until April 1st, 2011 that the company released specific details of the attack. In a blog entry titled Anatomy of an Attack on the RSA website, Uri Rivner, Head of New Technologies, described how the company's security had been breached (Rivner, 2011). While it gave a good account of the attack itself, the article did not state exactly what had been taken or how RSA's customers might be affected, and Rivner did not address what the company would do to counter similar attacks in the future.

In June 2011 RSA's President, Art Coviello, issued another open letter to customers giving an evaluation of the situation at that time (Coviello, 2011). He stated that he was confident that customers who had implemented RSA's remediation steps "can be confident in their continued security". He went on to say that the most likely motive for the attack was "to obtain an element of security information that could be used to target defence secrets and related IP". He confirmed that on June 2nd RSA had established that an attempted attack on Lockheed Martin, a major defence contractor, had used data taken in the original attack on RSA, and that the attack had been thwarted. He maintained that this was the only confirmed attack using the extracted data.

Though the company had always maintained that its SecurID tokens were not compromised, in order to restore confidence in the product he offered to replace tokens "for customers with concentrated user bases typically focused on protecting intellectual property and corporate networks." He promised to work with all customers to assess their ongoing needs and to tailor options to suit them, and promised continued investment in SecurID and in RSA's risk-based authentication technologies.

The Ultimate Cost

Over the following year RSA eventually re-issued SecurID tokens to all its customers. Whether this was because of doubts over the tokens' security or simply to shore up confidence in the product is not clear, but confidence certainly needed to be bolstered. Replacing the tokens for all its customers cost RSA approximately $66 million (Fowler, 2013). The true cost would have been higher once the time and resources spent apprising customers of the situation, the immediate actions taken to contain the attack, and the subsequent development of new software to prevent future attacks are taken into account (SecureEnvoy, 2012).

There were also significant costs borne by RSA's customers. At the time there were about 40 million tokens in use, and about 50% of the US banks that used security tokens used SecurID. The cost to these banks of distributing new tokens to their customers was estimated at between $50 and $100 million. Some of the biggest military contractors in the US used SecurID; Lockheed alone had to distribute new tokens to 45,000 of its employees (King, 2011).

Perhaps the biggest cost, however, has been the loss of trust in the product or, worse, in the company itself. It is difficult to establish how many customers RSA lost, or how many prospective customers looked elsewhere for their authentication needs as a result of the breach, but the number must have been significant. One of RSA's biggest rivals with a comparable product is Vasco Data Security International Inc., whose stock rose by 36% on the NASDAQ in the two weeks following disclosure of the breach; the stock of RSA's parent company, EMC, rose by just 1.8% over the same period (King, 2011).

Most of the large corporations and government agencies that had already invested heavily in RSA's two-factor authentication products stayed with the company, but it would have been much easier for smaller companies to switch to vendors offering alternative technologies.

What did RSA do to improve their Security Procedures?

Because of the nature of its business, RSA has not revealed technical details of the changes or improvements it has made to its own security procedures. However, in an interview with the Wall Street Journal in February 2013, Art Coviello, executive chairman of RSA, explained that attacks of this type are very difficult to trace and that the company never received confirmation of who the attackers were. Two groups had attacked simultaneously, one much more visible than the other. He went on to say that "Since that time, we have developed more powerful capabilities to spot hidden patterns—the faint noises that are actually an attack" (Fowler, 2013).

He talked about a new model for security that he called an intelligence-driven model. "It is based on risk and new tools that are behaviour based and predictive. It is also based on a big-data application so you can spot an attack in progress, so you can do a better job responding to it" (Fowler, 2013).

RSA was also reported to be replacing its hardware tokens with software tokens, which makes it easier for customers to build SecurID into mobile apps so that users can authenticate with their smartphones. Mobile app authentication would also allow the company to incorporate geolocation data and biometrics into the authentication process (Savage et al., 2012).

Perhaps the most effective thing RSA could do, however, is to give its employees training and a process for spotting and reporting malicious emails. Had the employee not opened the 'Recruitment Plan' attachment in the first place, the attackers would not have been able to breach RSA's security. As in most security breaches, the human element was the most vulnerable point of entry. Training alone is not a complete answer, though: the attack described above also depended on an unpatched Flash vulnerability, on the attackers' ability to escalate privileges and move between systems, and on FTP transfers of large encrypted archives to an outside host, and each of those is a point at which a technical control could have detected or stopped the attack.
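Training is one layer; a mail gateway that refuses to deliver this kind of attachment is another, and it still works when a user pulls a message back out of the Junk folder. As an added example (not RSA's control and not code from this report), the Python below scans an attachment's bytes for an embedded Flash (SWF) file, which is how the exploit for CVE-2011-0609 was carried inside '2011 Recruitment plan.xls', and returns a quarantine verdict when one is found in a legacy Office (OLE) container. The sample attachments are constructed stand-ins that contain no exploit code; the SWF header layout (3-byte signature, version byte, 4-byte little-endian length) is the published format, while the version and length bounds and the gateway policy are assumptions made for the example.

```python
import struct
import zlib

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # legacy .xls/.doc/.ppt container header
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")          # uncompressed, zlib- and LZMA-compressed Flash
MAX_SWF_VERSION = 60                               # assumption: sane upper bound on the version byte
MAX_SWF_LENGTH = 64 * 1024 * 1024                  # assumption: sane upper bound on declared length


def find_embedded_swf(blob: bytes) -> list:
    """Locate plausible SWF headers anywhere in an attachment's bytes.

    A SWF starts with a 3-byte signature, a 1-byte version and a 4-byte
    little-endian total length. Requiring the version and length to be sane
    stops random byte runs from matching. This is a byte-level heuristic:
    it does not parse the OLE streams and cannot see inside further
    compression, so it complements, rather than replaces, a real parser.
    """
    findings = []
    for sig in SWF_SIGNATURES:
        start = 0
        while True:
            idx = blob.find(sig, start)
            if idx < 0 or idx + 8 > len(blob):
                break
            version = blob[idx + 3]
            length = struct.unpack_from("<I", blob, idx + 4)[0]
            if 1 <= version <= MAX_SWF_VERSION and 8 <= length <= MAX_SWF_LENGTH:
                findings.append({"offset": idx, "signature": sig.decode(),
                                 "version": version, "declared_length": length})
            start = idx + 1
    return sorted(findings, key=lambda f: f["offset"])


def attachment_verdict(filename: str, blob: bytes) -> str:
    """Gateway policy (an assumption for the example): hold any legacy Office
    attachment that carries an embedded Flash object; deliver everything else."""
    office_container = blob.startswith(OLE_MAGIC) or filename.lower().endswith((".xls", ".doc", ".ppt"))
    if office_container and find_embedded_swf(blob):
        return "quarantine"
    return "deliver"


def constructed_xls_with_flash() -> bytes:
    """Constructed stand-in for '2011 Recruitment plan.xls': OLE header, filler,
    then a zlib-compressed (CWS) Flash header and body. Contains no exploit code."""
    body = zlib.compress(b"\x00" * 256)                    # stands in for the compressed SWF body
    swf_header = b"CWS" + bytes([10]) + struct.pack("<I", 8 + 256)
    return OLE_MAGIC + b"\x00" * 504 + swf_header + body + b"\x00" * 64


CLEAN_XLS = OLE_MAGIC + b"\x00" * 1024   # constructed benign workbook stand-in


if __name__ == "__main__":
    suspicious = constructed_xls_with_flash()
    print(find_embedded_swf(suspicious))
    print(attachment_verdict("2011 Recruitment plan.xls", suspicious))
    print(attachment_verdict("2011 Recruitment plan.xls", CLEAN_XLS))
```

A gateway rule like this is independent of whether the Flash bug is already known: it holds the attachment because a spreadsheet has no business carrying a Flash movie, not because a signature for CVE-2011-0609 exists. The same idea extends to the zip-based .xlsx format by unpacking the archive and scanning each part, which is left as an assumption here.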


References

Coviello, A., 2011. RSA Open Letter. Integrity Solutions. [Online]
Available at: http://www.integritysolutions.ie/industry-news/rsa-open-letter.php
[Accessed March 2014].

EMC, 2014. EMC Corporate Profile. [Online]
Available at: http://uk.emc.com/corporate/emc-at-glance/corporate-profile/index.htm
[Accessed March 2014].

Fowler, G. A., 2013. The Wall Street Journal. [Online]
Available at: http://online.wsj.com/news/articles/SB10001424127887323384604578328523049037156
[Accessed March 2014].

Goodin, D., 2011. The Register. [Online]
Available at: http://www.theregister.co.uk/2011/03/18/rsa_breach_leaks_securid_data/
[Accessed March 2014].

King, R., 2011. Bloomberg. [Online]
Available at: http://www.bloomberg.com/news/2011-06-08/emc-s-rsa-security-breach-may-cost-bank-customers-100-million.html
[Accessed March 2014].

Markoff, J., 2011. The New York Times. [Online]
Available at: http://www.nytimes.com/2011/03/18/technology/18secure.html?_r=0
[Accessed March 2014].

Rivner, U., 2011. Anatomy of an Attack. RSA blog. [Online]
Available at: https://blogs.rsa.com/anatomy-of-an-attack
[Accessed March 2014].

Savage, M. et al., 2012. The RSA breach: One year later. SearchSecurity (TechTarget). [Online]
Available at: http://searchsecurity.techtarget.com/magazineContent/The-RSA-breach-One-year-later
[Accessed March 2014].

SecureEnvoy, 2012. The RSA security breach: 12 months down the technology turnpike. SecureEnvoy blog. [Online]
Available at: https://www.securenvoy.com/blog/2012/04/27/the-rsa-security-breach-12-months-down-the-technology-turnpike/
[Accessed March 2014].