Kevin Doyle, CISSP, CISA, CISM, ISSMP, Reclamere
RSA, the Security Division of EMC, recently revealed that they were the target of an “Advanced Persistent Threat” (APT)” and that information extracted from their systems during the attack was related to RSA SecurID two-factor authentication products. For additional information about the attack, please refer to an open letter on the RSA Security website (www.rsasecurity.com) from Arthur W. Carviello, Jr., Executive Chairman.
In evaluating the incident, two questions come to mind about the available information on the exploit:
• What is an “Advanced Persistent Threat”?
• How does this attack impact the organizations depending on the SecurID to access their systems and information?
Advanced Persistent Threat
This type of attack is carried out by attackers who have gathered information about their target, in this case being RSA Security.–in. Intelligence could be collected through RSA Security internal computer technologies and tools, but also through techniques such as social engineering, dumpster diving, or even tactics such as wire taps. (It is important to note that the details of the attack on RSA Security have not been disclosed. The techniques mentioned are simply methods that could be used in this type of attack.)
Another characteristic of an APT is the attacker(s) give priority to a particular task, such as keying in on a certain system. Attackers do not randomly throw different exploits at an entire network. This tactic helps keep the attack “under the radar”, unlike a large scale attack that is typically detected and stopped rather quickly.
Finally, the attacker(s) who carry out an APT are coordinated with specific objectives. They are typically highly skilled, not “script kiddies” or “click kiddies”, and they take an organized approach to their exploit.
Impact on RSA Customers
This attack targeted the highest profile product of the company and trade secrets were compromised. Trade secrets related to that product were the target of this attack. It is not something that should be taken lightly by RSA customers. I would go as far as to say that when I hear the name RSA, I would think of the two-factor authentication tokens.
Also, because the individuals who carried out this attack appear to have spent a good deal of resources, it would be logical to conclude that they want to gain something from their efforts. One possibility is to be able to create an exploit code to attack more high profile clients who use the RSA SecurID tokens to access highly sensitive information or resources. Another possibility is extortion, but since the attack is now public, that scenario isn’t very likely, unless something is going on behind the scenes. In any event, the information they obtained is “out there” and poses some level of threat to RSA customers.
In Mr. Carviello’s open letter, RSA states, “While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack.”
If I am a customer of RSA, I want to know more about what they mean by that statement and exactly how are they going to make it good for their paying customers. If this was the coding behind the product, are they making changes to the coding that would prevent the attackers from using the information they were able to access? Specifically, what information that was stolen and/or accessed that could reduce the effectiveness of the two-factor authentication? What does RSA mean by “part of a broader attack”?
No one should expect that a target of such an attack should disclose every detail to the general public about how the incident occurred. However, RSA has a much higher level of obligation to their customers who entrust them with a purchased product. Good business dictates that RSA must restore security and peace of mind about their product to the same level as when the customers purchased the product.
 RSA has issued nine recommendations to its customers in light of the incident. For a list of these recommendations, reference the following link: