Last month witnessed the security breach of RSA Security, a leader in the information security industry, whose products are used to secure financial and other high risk transactions. The breach at RSA contains important security lessons for all organizations. (For an account of the attack, see cnet news.)
The success of the cyber attack at RSA was the result of two specific weaknesses, one human and the other technical.
The human weakness is curiosity. We are a curious species. Our human curiosity is often a good thing. It’s the starting point for our creativity. There would be no computers were we not curious; indeed, it’s unlikely there would even be a wheel.
But sometimes, as the saying goes, curiosity can kill the cat. That’s what happened in the RSA breach. An employee at RSA received an email with an attached Excel spreadsheet provocatively entitled “2011 Recruitment plan.xls.” Curious, he opened the attachment—just as the cyber criminals behind this attack expected. This set the stage for the cyber criminals to exploit the technical weakness.
The attachment wasn’t just an Excel spreadsheet. It had been booby-trapped to ‘explode’ when it was opened, invisibly installing a Trojan horse on the user’s computer. The Trojan horse, a particularly malicious type of malware known as an Advanced Persistent Threat, gave the cyber criminals complete access to the employee’s computer, a beachhead from which they successfully launched their attack on RSA’s network. (ISSA-LA’s monthly meeting in February included a presentation on Advanced Persistent Threats by David Nardoni and Jeff Dye. That presentation can be found here.)
If you work in a corporate environment, your computer may very well have been ‘locked down’ by the IT Department to prevent you from installing your own programs. If it’s not, it should be.
So how did this booby-trapped Excel spreadsheet manage to install a program on this employee’s computer? After all, RSA is one of the premier information security companies in the world. We can be pretty certain that their employees’ workstations are well locked down.
This gets us to the second weakness, the technical one. The software industry’s inconvenient truth is that every complex computer program is flawed. It’s these software flaws—programming errors—that let cyber criminals booby trap seemingly innocent files, like the Excel spreadsheet at RSA.
The cyber criminals who successfully breached RSA had found a flaw in Adobe’s popular Flash program. Adobe Flash is well known as having very critical security flaws, forcing Adobe to regularly issue upgrades that fix the flaws they know about. Indeed, as I write this Adobe has announced the discovery of a new zero-day vulnerability which they expect to patch this week. (We notify readers of updates for Adobe Flash on our Weekly Patch and Vulnerability Report.)
The problem with the flaw that the cyber criminals used in the RSA attack was that—at the time of the attack—there was no upgrade that would fix it. The vulnerability was not even known to Adobe. This was a pure example of a zero-day vulnerability, a critical vulnerability for which no patch exists. By exploiting this vulnerability, the cyber criminals were able to use Adobe Flash to install their Trojan horse.
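As an added illustration of how a mail gateway or analyst can triage an attachment like the one described above (this is example code, not from the original post, RSA or Citadel), the Python below scans a spreadsheet blob for an embedded Flash (SWF) object and applies a few sanity checks so ordinary text does not trigger it. The OLE header, the file name and the SWF payload are constructed sample data; the scan assumes the SWF bytes are stored contiguously, so it is a quick triage check rather than a substitute for full OLE parsing.

```python
import re
import struct
import zlib

# SWF files start with "FWS" (uncompressed), "CWS" (zlib) or "ZWS" (LZMA),
# then a one-byte Flash version and a little-endian 32-bit total length.
SWF_MAGIC = re.compile(rb"[FCZ]WS")
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound-document (.xls) header


def find_embedded_swf(blob: bytes, max_version: int = 40):
    """Return (offset, magic, version, declared_len) for each plausible SWF header."""
    hits = []
    for m in SWF_MAGIC.finditer(blob):
        off = m.start()
        if off + 8 > len(blob):
            continue
        magic = m.group().decode()
        version = blob[off + 3]
        declared_len = struct.unpack_from("<I", blob, off + 4)[0]
        # Sanity checks cut false positives from text that happens to contain
        # "FWS": the version must be a real Flash player version and the
        # declared length must at least cover the 8-byte header.
        if not 1 <= version <= max_version or not 8 <= declared_len <= 64 * 1024 * 1024:
            continue
        # A zlib-compressed SWF must be followed by a valid zlib stream.
        if magic == "CWS":
            try:
                zlib.decompressobj().decompress(blob[off + 8:off + 72])
            except zlib.error:
                continue
        hits.append((off, magic, version, declared_len))
    return hits


def should_quarantine(blob: bytes) -> bool:
    """Triage rule: an OLE spreadsheet carrying any embedded SWF is held for analysis."""
    return blob.startswith(OLE_MAGIC) and bool(find_embedded_swf(blob))


def make_sample(with_swf: bool, compressed: bool = False) -> bytes:
    """Constructed stand-in for an .xls attachment (not a real Excel file)."""
    body = OLE_MAGIC + b"\x00" * 504 + b"2011 Recruitment plan".ljust(64, b"\x00")
    if with_swf:
        payload = b"\x00" * 100
        data = zlib.compress(payload) if compressed else payload
        body += (b"CWS" if compressed else b"FWS") + bytes([10])
        body += struct.pack("<I", 8 + len(payload)) + data
    # Ordinary text containing the magic string must not produce a hit.
    return body + b"SHOWS FWSA fake text"
```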
Lessons for Management:
Lesson 1: Create a culture of security.
Ensure your people are trained and educated in cyber security. They need to know that they are under cyber attack. They need to become naturally suspicious of unexpected emails. They need to recognize the cyber criminal danger signals, refraining from opening attachments that may be booby-trapped or clicking on potentially booby-trapped hyperlinks. Cyber criminals use publicly available information to try to convince targets that their emails are legitimate, relying on human gullibility to gain access. A simple and avoidable mistake, as demonstrated in RSA’s case, can be costly and embarrassing.
This basic rule of effective cyber security management is simple: Don’t be a victim of your own curiosity. Don’t open an email attachment or click on a hyperlink in an email unless you have independent confirmation from the sender that the email is legitimate. Period.
Lesson 2: Replace anti-virus software with security solutions specifically designed to block zero-day attacks
Another inconvenient truth is that anti-virus software often fails to block zero-day attacks and the Trojan horses they deliver. The antivirus detection rate for ZeuS—a well known Trojan horse used to commit online bank fraud—is below 40%. This means that at any given time 60% of ZeuS variants will get past a company’s anti-virus software. Lesson 2 is that it is time to retire your basic anti-virus software, replacing it with a behaviorally-based solution that can detect and prevent zero-days and other malware from running on workstations.
Lesson 3: It’s not enough to try to prevent attacks. You must also be able to detect them and limit their damage.
Even as we bemoan the fact that RSA was breached, we can’t ignore the critical fact that RSA discovered the breach and took action to limit its damage. Compare this with the recent Stuxnet attack on Iran’s nuclear processing facilities; by the time Iranian authorities discovered the Stuxnet attack, the damage had been done. (See our blog post on Stuxnet.)
It’s a military security truism that—if the enemy discovers that you are planning to attack at dawn—it makes an enormous difference whether or not you know that the enemy knows. If you don’t know the enemy knows, you walk into a trap. If you know the enemy knows, you can change your plans.
HIPAA, the Payment Card Industry’s Data Security Standard, Gramm Leach Bliley, FTC security rules, ISO 27002 — all of these impose an audit and monitoring standard sufficient to detect and respond to a cyber attack. This makes having a robust Incident Response Plan a vital component of effective cyber security management.
FOR IMMEDIATE RELEASE
Jim Goyjer: (310) 207-3361
Email: jim.goyjer@carlterzianpr.com
Information and Registration: www.issa-la.org.
ISSA of Los Angeles Holding Third Annual Information Security Summit on Protecting Businesses from Cyber Attacks
Los Angeles – March 25, 2011 — The Los Angeles Chapter of the Information Systems Security Association (ISSA-LA) is holding its third annual Information Security Summit. The theme of this year’s Summit is The Growing Cyber Threat: Protect Your Business. The Summit will be held Wednesday, June 15, 2011 at 7:30 AM on the UCLA Campus and will be hosted by UCLA Extension.
“There has been an explosive growth in cybercrime in the two years since our first Summit, including the brazen theft of millions from corporate bank accounts,” says ISSA-LA President Stan Stahl, Ph.D. “Yesterday’s defenses don’t work against the worst of today’s cyber-attacks. The Summit is the perfect place for our community to come together and learn what they must do to stay ahead of the cybercriminals. Those attending will learn how to meet the latest cyber challenges from industry leaders and get to talk to more than 25 information security vendors.”
“We’re excited by the quality of speakers participating in this year’s Summit,” Dr. Stahl announced. “They include some of our most popular speakers, information security thought leaders like Steve Lipner of Microsoft, Gene Schultz of Emagined Security, Marc Maiffret of eEye Digital Security and Jeremiah Grossman of White Hat. We’re particularly excited to have Carl Terzian as a special keynote speaker.”
The Summit is the only educational forum in Los Angeles specifically designed to encourage participation and interaction among all three vital information security constituencies: (1) business executives, senior business managers, and their trusted advisors; (2) technical IT personnel with responsibility for information systems and the data they contain; and (3) information security practitioners with responsibility for ensuring the security of sensitive information.
Registration is open to anyone interested in learning more about information security but is particularly recommended for business executives and senior managers; business professionals in law, accounting, insurance and banking; technical IT personnel; and information security practitioners.
The Information Security Summit is part of ISSA-LA’s important community outreach program. The goal of the program is to help our community stay safe from cybercrime by enabling the necessary collaboration between business and community leaders, technical IT professionals and the information security community.
###
About Information Systems Security Association (ISSA)
The Information Systems Security Association is a not-for-profit, international organization of information security professionals and practitioners. It provides educational forums, publications and peer interaction opportunities that enhance the knowledge, skill and professional growth of its members. The primary goal of ISSA is to promote management practices that will ensure availability, integrity and confidentiality of information resources. For more information or to register, please visit: www.issa-la.org.
About Stan Stahl, Ph.D.
Dr. Stahl is the founder and president of Citadel Information Group, Inc., an information security management firm. He is a pioneer in the field of information security, entering the field in 1980. He began his career securing teleconferencing at the White House, databases inside Cheyenne Mountain and the communications network controlling our nuclear weapons arsenal. Dr. Stahl earned his Ph.D. in mathematics from The University of Michigan and spent nearly 15 years teaching university mathematics. Once an active researcher, Dr. Stahl has published more than a dozen papers in advanced mathematics and computer science. He has taught courses in information security, software engineering, project management and computer programming at several universities and colleges. He recently served on the faculty at the University of Southern California in the School of Engineering’s Information Technology Program. For more information, visit www.citadel-information.com.
A recent New York Times article paints the picture well. The rise of smartphones and web connected electronics poses a new set of security challenges. Many of these devices lack the basic protections found on most personal computers, and new technology is outpacing security standards.
As eCommerce activities migrate to these mobile devices, we can expect cyber criminals to find creative new ways to steal your money and your information. In many respects, this is uncharted territory. Citadel encourages you to stay mindful and cautious in adopting mobile web technology. While we buy music and books from our iPhones, we continue to recommend readers NOT use their smart phones for online banking.
From a recent report by the renowned Ponemon Institute: there is a “strong correlation between an organization’s level of respect for an individual’s personal data and the likelihood that the organization will suffer a data breach. By establishing an environment within an organization that encourages employees to see data as an extension of the customer and not merely something owned by the company, thereby fostering the development of a ‘culture of caring,’ data privacy and information security programs become more effective.”
Download our paper “Beyond Awareness Training: It’s Time to Change the Culture” from our web site …