Free Research Paper About RSA SecurID Breach
RSA SecurID is an authentication mechanism created by RSA, a division of EMC, for validating users on a network resource. RSA experienced an advanced persistent attack in March 2011 by anonymous hackers. The intention of the attack was to gain access to confidential company data. The attackers collected public information about employees and then sent them phishing emails embedded with an exploit for an Adobe flaw. The exploit installed a Trojan into the system that enabled remote access through a Poison Ivy variant. Using that remote access, the hackers performed digital shoulder surfing to reveal employee responsibilities and acquire usernames, passwords, domain admin and service accounts. Using high-value administrative credentials, the attackers opened the target servers, copied the data and moved it to internal staging servers and then to external staging servers located on compromised devices at a hosting provider. The attack compromised the integrity of sensitive data and caused the loss of confidential information. Several security measures have been explored to prevent future attacks.
A cyber-attack is a deliberate offensive maneuver deployed by an individual or organization against network infrastructure, computer information systems, or personal computers. The purpose of a cyber-attack is mainly to steal or destroy important information, alter data or computer code, and deny services. The RSA SecurID system was hacked on 17 March 2011. RSA SecurID is a mechanism created by RSA, a division of EMC, for validating users on a network resource. The RSA system breach was an advanced persistent attack carried out by a group of anonymous hackers. The hackers gained access to RSA's system by sending phishing emails to a small group of employees. The emails contained an Excel spreadsheet that hid a Trojan, which allowed the hackers to gain remote access to the system. Targeted files and privileged data were stolen and routed to an external server at a hosting provider. This paper studies the anatomy of the security breach at RSA, the impact it had on the company, and the necessary security enhancements.
Type of Breach
The cyber-attack on RSA has the attributes of an advanced persistent threat (APT) attack. An APT attack is a network security breach in which the attacker gains access to the system and retrieves information undetected for an extended period. APT attacks target companies and organizations holding high-value information. The objective of an APT breach is to steal privileged information rather than to damage the organization's IT infrastructure. An APT attacker gains access to a system by sending spear-phishing emails containing target-relevant information. To maintain access without detection, the attacker continuously rewrites code and employs sophisticated evasion procedures. Detecting APT attacks is difficult, but administrators can monitor outbound data for anomalies. APT attackers usually cover their tracks in order to retain access to the system for future operations.
Execution of the Attack
First, the attackers gathered information about employees and low-profile RSA SecurID users. This publicly available information was collected from social media sites and online resources. The employee information collected included full names, contact details, job details, and job descriptions. After collecting email contacts, the hackers sent two different sets of phishing emails to the employees over two days. The subject line of the emails was '2011 Recruitment Plan'. The emails carried an attached Microsoft Excel spreadsheet named 2011 Recruitment plan.xls. The phishing emails were immediately directed into the junk mail folder. However, some employees retrieved the file from the junk folder and opened the Excel file. The Excel file contained an embedded zero-day exploit for an Adobe flaw (CVE-2011-0609).
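The delivery vector described above (an Office spreadsheet carrying an embedded Adobe Flash object) can be blocked at the mail gateway without knowing the specific flaw, because an SWF object inside a spreadsheet is anomalous on its own. The following is an added example, not code from the original paper or from RSA: it scans attachment bytes for SWF headers and applies a quarantine policy to Office files that contain one. The file contents are constructed sample data, not the real attachment.

```python
"""Mail-gateway check for Office attachments carrying embedded Flash (SWF).

Added example, not code from the original paper. The file bytes below are
constructed sample data, not the real '2011 Recruitment plan.xls' attachment.
"""
from __future__ import annotations

import struct

# Every SWF object begins with a three-byte signature (FWS = uncompressed,
# CWS = zlib, ZWS = LZMA), a one-byte version, and a 32-bit little-endian
# length of the (uncompressed) file.
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")
MAX_PLAUSIBLE_SWF_VERSION = 50  # assumption: generous upper bound on real versions
OFFICE_EXTENSIONS = (".xls", ".xlsx", ".doc", ".docx", ".ppt", ".pptx")


def find_embedded_swf(blob: bytes) -> list[dict]:
    """Return every plausible SWF header found anywhere inside `blob`."""
    hits = []
    for sig in SWF_SIGNATURES:
        start = 0
        while True:
            idx = blob.find(sig, start)
            if idx < 0 or idx + 8 > len(blob):
                break
            version = blob[idx + 3]
            (length,) = struct.unpack_from("<I", blob, idx + 4)
            # Reject the three letters appearing by chance in ordinary data:
            # the version must be plausible, the declared length must at
            # least cover the header, and an uncompressed SWF cannot declare
            # more bytes than remain in the attachment.
            plausible = 1 <= version <= MAX_PLAUSIBLE_SWF_VERSION and length >= 8
            if sig == b"FWS":
                plausible = plausible and length <= len(blob) - idx
            if plausible:
                hits.append({"offset": idx, "signature": sig.decode(),
                             "version": version, "length": length})
            start = idx + 1
    return hits


def classify_attachment(filename: str, blob: bytes) -> str:
    """Gateway policy: 'quarantine', 'flag' or 'deliver'."""
    swf = find_embedded_swf(blob)
    if swf and filename.lower().endswith(OFFICE_EXTENSIONS):
        # An Office document with Flash inside is the delivery vector used
        # against RSA; a spreadsheet has no business carrying SWF.
        return "quarantine"
    if swf:
        return "flag"
    return "deliver"


# Constructed sample: an OLE2 compound-file magic followed by filler, then a
# fake 64-byte uncompressed SWF (header + zeroed body) embedded at offset 40.
_OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
_FAKE_SWF = b"FWS" + bytes([10]) + struct.pack("<I", 64) + b"\x00" * 56
SAMPLE_MALICIOUS_XLS = _OLE_MAGIC + b"\x00" * 32 + _FAKE_SWF + b"\x00" * 16
SAMPLE_BENIGN_XLS = _OLE_MAGIC + b"\x00" * 120

if __name__ == "__main__":
    for name, data in (("2011 Recruitment plan.xls", SAMPLE_MALICIOUS_XLS),
                       ("budget.xls", SAMPLE_BENIGN_XLS)):
        print(name, "->", classify_attachment(name, data), find_embedded_swf(data))
```

The quarantine decision is deliberately independent of the CVE: it fires on the structural anomaly (Flash inside an Office container), so it also covers the case in the paper where the junk-mail filter caught the message but a user pulled it out of the folder anyway.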
Once the Adobe Flash exploit ran, the Trojan downloaded a Poison Ivy variant into RSA's system. Poison Ivy is a remote administration tool. The variant used a reverse-connect mode in which the infected system reaches out to the attackers' command-and-control server rather than the server connecting in, and it was hard to detect and track. Having established remote access, the hackers performed digital shoulder surfing to reveal employee responsibilities and their level of access to the information system. The hackers then infiltrated the internal network, gaining the network access credentials of both non-IT and IT personnel, including usernames, domain admin accounts, passwords, and service accounts. The attackers moved up the RSA command chain until they obtained the system access credentials of system administrators and process experts.
The attackers then escalated the attack into the targeted system using the high-value network access credentials of administrative users. They opened the target servers, copied the data and moved it to internal staging servers. The files were then grouped, compressed, and encrypted for extraction. File Transfer Protocol (FTP) was used to move the password-protected compressed files to external staging servers located on compromised devices at a hosting provider. The hackers then removed the data from the external compromised host to their own storage in order to erase any traces of the attack. Most of the stolen data came from the company's database mapping token serial numbers to the secret token seeds. RSA's Computer Incident Response Team, using NetWitness, detected the attack while it was in progress. Owing to the detection, the firm was able to stop further breaches of its system. However, the detection was not timely enough to prevent the loss of confidential company data to the attackers.
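The staging and FTP exfiltration just described, and the advice in the APT section that administrators monitor outbound data for anomalies, are the kind of thing a network monitor can score. Below is an added example, not code from the paper or from NetWitness: it parses constructed flow records (timestamp, source, destination, destination port, bytes out), ignores internal traffic, and flags a source host for FTP to an external address, single large uploads, off-hours uploads, and total outbound volume far above its peers. The log format, thresholds and addresses (RFC 5737 documentation ranges for the external hosts) are assumptions.

```python
"""Score outbound flows for staged exfiltration. Added example, not the
paper's code; the log format, thresholds and all flow records are constructed."""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass

PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FTP_PORTS = {20, 21}                 # control and active-mode data channels
LARGE_FLOW_BYTES = 100 * 2 ** 20     # assumption: 100 MiB in one flow is unusual
OFF_HOURS_BYTES = 10 * 2 ** 20       # assumption: >10 MiB between 00:00 and 05:59
OFF_HOURS = range(0, 6)
VOLUME_OUTLIER_FACTOR = 10           # assumption: 10x the median host total

# Constructed flow records: "<ISO timestamp> <src> <dst> <dst_port> <bytes_out>"
SAMPLE_FLOWS = """\
2011-03-15T09:12:44 10.20.30.5  10.20.30.200 443 120000      # internal, ignored
2011-03-15T10:03:10 10.20.30.5  198.51.100.10 443 850000     # ordinary web traffic
2011-03-15T11:45:02 10.20.30.7  198.51.100.10 443 640000
2011-03-15T02:10:01 10.20.30.11 203.0.113.45  21  2048       # FTP control, 02:10
2011-03-15T02:10:02 10.20.30.11 203.0.113.45  20  734003200  # 700 MiB data channel
2011-03-15T02:41:30 10.20.30.11 203.0.113.45  20  268435456  # 256 MiB more
2011-03-15T14:20:00 10.20.30.7  198.51.100.22 443 150000
"""


@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    port: int
    nbytes: int


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in PRIVATE_NETS)


def parse_flows(text: str) -> list[Flow]:
    """Parse the constructed format, tolerating trailing '#' comments."""
    flows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append(Flow(ts, src, dst, int(port), int(nbytes)))
    return flows


def analyze(text: str) -> dict[str, list[str]]:
    """Return {source_host: sorted list of reasons} for hosts worth a look."""
    reasons: dict[str, set[str]] = defaultdict(set)
    totals: dict[str, int] = defaultdict(int)
    for f in parse_flows(text):
        if not is_external(f.dst):
            continue                      # internal-to-internal is out of scope here
        totals[f.src] += f.nbytes
        hour = int(f.ts[11:13])
        if f.port in FTP_PORTS:
            reasons[f.src].add("ftp-to-external")
        if f.nbytes >= LARGE_FLOW_BYTES:
            reasons[f.src].add("large-upload")
        if hour in OFF_HOURS and f.nbytes >= OFF_HOURS_BYTES:
            reasons[f.src].add("off-hours-upload")
    # Peer comparison: a host sending an order of magnitude more than the
    # median host is the "anomaly on outbound data" an APT leaves behind.
    if len(totals) >= 3:
        median = sorted(totals.values())[len(totals) // 2]
        for src, total in totals.items():
            if total > VOLUME_OUTLIER_FACTOR * median:
                reasons[src].add("volume-outlier")
    return {src: sorted(r) for src, r in reasons.items()}


if __name__ == "__main__":
    for host, why in analyze(SAMPLE_FLOWS).items():
        print(host, ", ".join(why))
```

Each rule on its own produces noise (backup jobs also upload at night), so the design scores hosts on the combination of reasons rather than alerting on any single one; the FTP-to-external rule is the cheapest to act on, since plain FTP leaving the network is rarely legitimate in a corporate environment.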
Impact of the Attack on Information Security
The APT attack on RSA's system had devastating effects on the operations of the organization. Confidentiality is a set of rules that restricts access to sensitive information. The security breach allowed the hackers to retrieve confidential RSA data from the system. Investigations into the attack revealed that SecurID seeds had been stolen. Integrity encompasses maintaining the consistency, trustworthiness and accuracy of data over its life cycle. The unauthorized access to classified company data and its subsequent transfer to external servers compromised the integrity of RSA's information. Consequently, some users ended their association with RSA and moved to rival companies. Availability is the attribute of a system that provides information resources when required. The attack was not a denial of service, so it had little direct effect on resource availability, but the resulting system upgrades made various RSA resources temporarily unavailable.
Authentication is the process of determining whether an entity is what it claims to be, usually based on a username and password. The attackers gained access to employee usernames, domain names, and passwords, thereby bypassing the authentication process. The stolen information compromised RSA's database of token serial numbers. The mechanism that links a person's token serial number to their individual seed was also compromised. The breach of the serial numbers was estimated to affect around 40 million users who were clients of the SecurID mechanism. Non-repudiation is a mechanism for guaranteeing message transmission between parties using encryption. RSA's non-repudiation procedures failed, as the attackers accessed and transferred data from company servers from external locations. The attack also dented RSA's reputation as a trusted IT security provider.
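Why the loss of the serial-number-to-seed mapping matters so much is easiest to see in code. The following is an added example, not the paper's code and not RSA's proprietary SecurID algorithm: the public RFC 6238 TOTP scheme stands in for it, and the serial numbers, seeds and PINs are constructed sample values. The point it demonstrates holds for any time-based token: the seed and the clock alone yield every tokencode, so once the seed table is copied only the user's PIN still protects the account, and the tokens have to be re-issued.

```python
"""Why a leaked seed database forces token re-issue.

Added example, not the paper's code and not RSA's proprietary SecurID
algorithm: the RFC 6238 TOTP scheme stands in for it, and the serial
numbers, seeds and PINs below are constructed sample values.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 30


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(seed, unix_time // STEP_SECONDS, digits)


# Constructed stand-in for the serial-number -> seed mapping that was stolen.
SEED_BY_SERIAL = {"000123456789": b"12345678901234567890"}
# Constructed user records: which token a user holds and the PIN only they know.
TOKEN_BY_USER = {"alice": ("000123456789", "4711")}


def tokencode_from_seed(serial: str, unix_time: int) -> str:
    """Everything the seed database alone yields: the current tokencode.
    This is exactly why a copied seed table forces replacement of the tokens."""
    return totp(SEED_BY_SERIAL[serial], unix_time)


def verify_passcode(user: str, passcode: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Check PIN + tokencode, accepting +/- skew_steps of clock drift."""
    serial, pin = TOKEN_BY_USER[user]
    seed = SEED_BY_SERIAL[serial]
    if len(passcode) < len(pin) + 6:
        return False
    pin_ok = hmac.compare_digest(passcode[:len(pin)], pin)
    entered = passcode[len(pin):]
    code_ok = any(
        hmac.compare_digest(entered, totp(seed, unix_time + d * STEP_SECONDS))
        for d in range(-skew_steps, skew_steps + 1)
    )
    # Both checks always run, so a wrong PIN is not rejected faster than a wrong code.
    return pin_ok and code_ok


if __name__ == "__main__":
    now = 59  # RFC 6238 test-vector time
    print("tokencode derivable from the seed alone:", tokencode_from_seed("000123456789", now))
    print("PIN + tokencode accepted:", verify_passcode("alice", "4711" + "287082", now))
    print("tokencode without the right PIN accepted:", verify_passcode("alice", "0000" + "287082", now))
```

The verifier never needs anything the seed table does not contain, which is the whole problem: the server-side database is a complete copy of the "something you have" factor. That is what reduces SecurID to a single factor after the breach and explains the re-issuance cost discussed in the next section.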
The attack forced the company to re-issue millions of SecurID tokens to clients. The re-issue was a big blow to the company's financial resources. The company began overhauling the manufacture, architecture and distribution of the security token. The company also offered additional security monitoring for clients who used the system for web-based financial transactions. The re-issue cost clients using SecurID tokens millions of dollars in staff costs for managing the re-issue plus other on-costs. The breach led to follow-on attacks on L-3 Communications and Lockheed Martin. L-3 Communications reported a minor security breach of its system that was most probably orchestrated using information gained from the RSA attack. In May 2011, stolen SecurID data was used to stage a cyber-attack on Lockheed Martin. The company was able to thwart the attack through aggressive security detection and prevention procedures. Banks, which make up a majority of RSA's client base, had to spend tens of millions of dollars to replace security identification tokens that left their clients vulnerable to spying. RSA had to spend a huge chunk of its revenue upgrading its security systems and network infrastructure.
Recommended Security Improvements
RSA needs to upgrade its network security algorithms in order to guarantee data confidentiality. Installing an advanced, optimized encryption mechanism will ensure that information is accessed only by authorized users and that integrity and confidentiality are restored. To ensure confidentiality, the company should enforce access control lists and file permissions that restrict access to sensitive data. To guarantee availability, the company should back up primary data regularly and implement high availability for critical information. All employees should receive computer security training so that APT attackers cannot gain access to the system through social engineering. RSA should also employ vulnerability detection and prevention strategies, apply security patches promptly, and test the security posture of the system frequently. Multiple layers of authentication and fraud detection must be used to prevent future attacks.
A cyber-attack is a deliberate offensive maneuver deployed by an individual or organization on network infrastructure, computer information systems, or personal computers. The 2011 cyber-attack on RSA was an advanced persistent attack. The attackers gained access to the system through spear phishing emails that contained a Trojan virus. The virus installed the Poison Ivy variant into the system to gain remote administration access. By gaining access to high-value access credentials, the attackers were able to access and steal restricted data. The attack compromised confidential data, caused revenue losses and resulted in attacks on SecurID users. The company should install optimized encryption mechanisms, train employees on computer security, and employ attack detection and prevention strategies.