The cyber squad caught off guard
Imagine this management nightmare: the very product you sell to protect other people's computer systems itself falls prey to a cyberattack.
That's what happened to security provider RSA in March 2011.
The company said an 'extremely sophisticated cyberattack' against its computer systems had compromised the software behind the firm's widely used SecurID authentication devices, which help protect much of the world's critical information and infrastructure. The SecurID tokens generate a six-digit combination of numbers every 60 seconds to serve as a user's unique password for logging into a heavily guarded computer network, banking system or the electronic security scheme of a building.
RSA's admission marked a rare public disclosure by a top specialist in security technologies of being hacked. But the embarrassing security breach forced RSA, the security division of data storage giant EMC, to replace virtually all of the 40 million tokens used by about 25,000 organisations worldwide. The total cost of reparations made by Massachusetts-based RSA to its customers last year reached US$66 million.
About three months after the cyberattack, RSA executive chairman Art Coviello said the hackers' motive was 'to obtain an element of security information that could be used to target defence secrets and related intellectual property', rather than financial gain. In an open letter to customers, Coviello said: 'We were able to confirm that information taken from RSA in March had been used as an element of an attempted broader attack on Lockheed Martin, a major US government defence contractor.'
Lockheed Martin said at the time that it thwarted that attack.
The security breakdown at RSA appeared to be part of an unprecedented series of hackings against varied and high-profile targets in the first quarter of last year. The other highly publicised attacks included those at Google, Sony, Nintendo and e-mail marketing services provider Epsilon.
Coviello described the hacking experienced by RSA as that of an 'advanced persistent threat', which is industry jargon for a long-term pattern of sophisticated computer attacks against a specific target by a well-funded and highly resourceful group, such as a foreign government.
At a United States Senate hearing in March this year, National Security Agency director General Keith Alexander pointed out that China was responsible for the attack on RSA. Chinese Minister of Defence General Liang Guanglie denied that claim during his recent visit to The Pentagon, the headquarters of the US Department of Defence in Virginia. 'I can hardly agree with the proposition that the cyberattacks directed at the United States are directly coming from China,' Liang said.
Despite the serious hit to its reputation, RSA managed to increase revenue last year by 14 per cent to US$828.2 million from a year earlier. It recently reported a 19 per cent rise in first-quarter revenue to US$206.5 million from the year-earlier period.
In an interview with the South China Morning Post, Coviello discussed how RSA has tried to rebuild customers' trust, restore the pride of its workforce and develop better technologies and measures against the world's most pernicious hackers.
What lessons did the company learn from last year's attack?
I have to say that it was a humbling experience. I think it made us more aware of the responsibility we have to our customers. It gave us a sense of urgency, as never before, to redouble our efforts and improve our capabilities. We had a rash of press as a result of the breach, so we clearly had to do a lot of outreach to customers.
That had an impact on our business worldwide. We were criticised for not sharing more information [about the attack]. The difficulty in a security breach is sharing enough so that customers have the ability to mitigate the problem immediately, but not sharing so much that you give ammunition to other hackers to take advantage of the situation.
Have more stringent security policies been put in place?
That is par for the course. EMC has a very strong security system. One of the ironies from the attack was that a few days before it happened I signed an agreement to acquire a company called NetWitness. It provides the continuous-monitoring technology that was already deployed at EMC. It was instrumental in helping us see the attack in progress. We have been able to use that acquisition to our advantage to support our customers moving forward.
What we also learned is to deploy that technology more pervasively within our own enterprise. Another lesson learned concerns RSA's Security Information Event Management product that we kind of adjusted the dials to look for certain things.
There is also a whole host of processes related to things around systems administrators and creating better security. Hackers go after the systems administrators to get more expansive reach into an enterprise.
How did management boost employee morale after the breach?
It was remarkable. There was no finger-pointing as a result of the breach. There was a universal recognition of how well EMC, from the board of directors all the way down, supported us and how all of the RSA employees came together. In this day and age, a company has to recognise that there is a very high potential it could be living in a state of compromise. We generally say this to our customers.
The ideal is to have the capability to shrink the window of vulnerability if you are compromised. So it was an exhausting year because all employees had to do double duty in the front lines.
Everyone was reaching out to customers, making sure they understood what they needed to do. We did this while keeping our ship moving in the right direction. The effort extended beyond our employees because we have a substantial distribution and reseller community who was right there with us.
What is RSA's approach to advanced persistent threats?
Advanced persistent threats, or APT, has become one of those terms perceived as an urban legend. Some people think it's a term invented by the security industry to sell more products, but I assure you the APT threat is real. It is not a piece of malicious software, but there are elements of malware to it. APT refers to a whole approach by an attacker. It starts with doing a tremendous amount of research on targets. It is well-funded, with enough resources and people that it can go slowly when pushing an attack forward. Nation states fit the APT profile because they have the most capability to spend the time, effort and money to drive a targeted type of attack. The malware it uses might be customised for a particular target.
In our case, there was a 'zero-day' attack [that used a previously unpatched hole] in Adobe Flash that was buried inside a Microsoft Excel spreadsheet. That was what gave the attacker entree into our infrastructure. [A zero-day attack exploits a software bug that was unknown to others or the program's developer.]
What we see is that the old perimeter defence is no longer working because there are now so many openings to that perimeter. So we're taking a more intelligence-driven approach to security, as opposed to just erecting higher and higher walls and hiding behind them.