Greater 'depth' needed to ward off APTs

The recent breach suffered by RSA was a "one-off compromise" that was hard to detect, note security experts, who renewed calls for organizations to exercise greater e-mail vigilance and multi-layer "defense in depth" protection.

Earlier this week, the security vendor revealed in a blog post that spear-phishing, a form of targeted phishing attack, was employed by attackers to carry out the first level of intrusion. Cybercriminals successfully stole information related to the SecurID authentication token in the attack, which was first announced last month.

RSA said cybercriminals sent two different e-mail messages containing an Excel attachment to two groups of unsuspecting employees over a two-day period, with the topic "2011 Recruitment Plan". Uri Rivner, head of new technologies in consumer identity protection at RSA, explained in the blog post that the file exploited a hole in Adobe Flash to install a Trojan that allowed the attacker to remotely take control of the computer.

The security division of EMC labeled the attack an advanced persistent threat (APT), similar to the Stuxnet and Operation Aurora incidents.

Vigilance from users, organizations
Commenting on the RSA breach, Paul Ducklin, Sophos' head of technology for the Asia-Pacific region, stressed that users need to be more vigilant about their e-mail habits.

Trusting Web links and e-mail instructions without much thought, he pointed out, is akin to inviting a stranger into one's home. "You open the door, the stranger has no identification or authorization. You didn't invite them, yet they're asking you to go to your home computer and do exactly the same things that the spear-phisher asked online.

Would you be prepared to follow their instructions, just because they were well-dressed, polite and claimed to know you?" he questioned in an e-mail interview with ZDNet Asia.

While RSA has not revealed what was comprised, talk was rife that databases containing unique numbers to generate one-time passwords for each SecureID token, had been accessed by the hackers. These passcodes, which are derived from a blend of a "secret seed" and the time of day, are used in two-factor authentication. About 40 million of the hardware token has been deployed globally, while 250 million software versions are in use.

Ducklin believes it is mere speculation that these numbers have been stolen.

Victor Keong, partner for Performance and Technology at KPMG Singapore, noted in an e-mail that token users should only be worried if the RSA token-generated codes are their only means of authentication.

"The ability to predict token codes should not be underestimated," he said. "However, despite the information the attackers might have stolen from RSA, an attacker would still have to overcome a few more hurdles, before an attack can be successful. They would need to know either a sequence of past token codes, or the serial number of the physical token."

An industry expert, however, told ZDNet Asia's sister site CNET that the algorithm mapping the serial number of a token to the seed was stolen. Chris Wysopal, CTO at application security firm Veracode, added that "the serial numbers used by an organization might not be well protected."

Ovum's principal analyst Graham Titterington added in an e-mail interview: "I believe that RSA has taken action to replace the affected seeds and so the vulnerability should be short lived."

Layered approach to security
KPMG's Keong also noted that such attacks are usually "disguised" and victim enterprises are unaware until actual loss is suffered.

"This is often the biggest issue with APT. Most victims do not know when an attack has occurred until they have suffered some form of a loss, either financial or privileged information leakage," he explained.

Ovum's Titterington concurred, adding that enterprises can use security information and event management (SIEM) products as an alert system. Blocking or detection of improper movement of data can be achieved with data leakage prevention products but are not easy, he said.

He recommended that RSA customers check their system logs for unusual system accesses during the period that the seeds were compromised, if they suspect that their data might be breached.

When quizzed on the feasibility of alternative security measures such as additional firewalls and tokens for virtual private network (VPN) implementation, Titterington dismissed them as "the wrong emphasis".

He argued: "Tokens can get compromised and lost. We have too many firewalls. We need a more agile approach to defending against threats."

Sophos' Ducklin advocated a "defense-in-depth" strategy to provide guard against spear-phishing and APTs."If the company practises multiple levels of protection and security, then it becomes much more difficult for outsider to carry on their attacks without triggering some sort of alarm at some point."

"A well-protected organization has many defense points. A good e-mail security gateway, and a sensible e-mail policy, might have blocked the unusual attachment in the first place," he explained.

Keong from KPMG added that security vendors should also beware of APTs going forward.

"If RSA was successfully compromised via APT, there is a high probability that similar attempts at other security software companies will also occur," he said.