After reading the public disclosure of RSA being compromised, my eyebrows were raised because of the sensitivity of applications under RSA's umbrella.
The wording from RSA is a bit puzzling:
"We have determined that a recent attack on RSA's systems has resulted in certain information being extracted from RSA's systems... does not enable a successful direct attack" on customers but could potentially compromise guarded networks in a "broader attack" in the future.
Seems to be "ye old cover your behind" type of statement. We don't know/understand what is going on...
Aside from their statements, security pros have to wonder about the security state as a whole, when the founders of "two-factor" key fobs take a hit. From an external point of view, one would believe that in the event someone compromised a machine inside of RSA, their own security - two-factor key fobs - would have prevented escalation between other machines.
Speaking from the attacker perspective, in order for me to "extract certain information," I would have to know where it is being housed. In order to do so, I would have to either know exactly where this information is located beforehand, or fiddle around with their systems enough to know that I stumbled upon the jackpot.
Think about this as a security professional performing a "blackhat" test against RSA. So somehow I manage to get into one of their systems; so what? Where have I landed? I could use deductive reasoning and say something like: "development.db.rsa.com" looks promising, let me get in there.
Herein lies the problem:
1) If RSA was using two-factor authentication, the likelihood of me getting onto that machine is low.
2) There is no guarantee I hit the jackpot; I am using deductive reasoning in "going for the gold."
3) How much time would/should/do I spend before I potentially trigger an alarm?
Outside of those obvious tidbits, as a security professional, I wonder how long the attacker or attackers were inside their network. In the case of my #2 (deductive reasoning), I would like to believe someone was asleep at the helm, considering that I would think RSA would have some form of Data Loss Prevention (DLP) or SIEM in place.
DLP may have prevented or at least alerted someone to an anomaly. This makes me believe that far too many companies are too smug in their security state of mind: "It won't happen to us, we're Company X" where the company is not taking security seriously.
Many times I have pointed it out and I will do so again: "Extrusion Prevention." [2] I fail to understand why many security engineers simply don't get it. There is nary an attack I can think of that cannot be detected and deterred. It is a matter of one's approach and view of attacks.
Out of "herding instinct" [3], too many security engineers and pros have relied too much on the concept of building higher walls to keep out attackers. You cannot stop someone from knocking on your door, period. You CAN always stop your employees from ANSWERING that door, especially when you know by now that there is no one at the other side and you are wasting your time and resources answering that door.
Furthermore, we have the following statement: "While the U.S. government has been aware of the attack and working with the company on plugging the security breach for more than a week" [4]. Such a disgusting statement when we have to think that they have been fighting this for a week now. We would think that RSA has the equipment in place to drop their servers from connecting TO AN ATTACKER, yet we see "plugging the security breach for more than a week."
The statement makes me think of the following analogy: "A house has a hole on the side of the wall. The water is on and running out of the house. We're fighting to plug that hole. In the meantime, water keeps leaking out." Suggestion? Turn off the damn water while plugging the hole. Certainly you can stop that water from leaving. My impression is that people are scrambling in circles not knowing/understanding what to do.
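The "turn off the water" argument above amounts to a default-deny egress policy for servers: a server rarely needs to initiate arbitrary outbound connections, so anything outside a short allow-list can be both dropped and alerted on. The following is an added example of that check run over constructed firewall records; it is not code from the original post, and the subnet, allow-list entries, addresses and log format are all assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical server subnet: hosts that should not open arbitrary outbound connections.
SERVER_NET = ipaddress.ip_network("10.20.0.0/16")

# Hypothetical egress allow-list of (destination, port) pairs servers legitimately need.
# Everything else a server initiates toward a non-server address is a policy violation.
EGRESS_ALLOW = [
    (ipaddress.ip_network("198.51.100.10/32"), 443),  # package/update mirror
    (ipaddress.ip_network("10.0.5.25/32"), 25),       # internal mail relay
]

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    bytes_out: int

def parse_flow(line: str) -> Flow:
    """Parse one constructed firewall record of the form 'src=.. dst=.. dport=.. bytes=..'."""
    kv = dict(field.split("=", 1) for field in line.split())
    return Flow(kv["src"], kv["dst"], int(kv["dport"]), int(kv["bytes"]))

def egress_violation(flow: Flow) -> bool:
    """True when a server host initiated a connection the allow-list does not cover."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    if src not in SERVER_NET or dst in SERVER_NET:
        return False  # workstation traffic and server-to-server traffic are out of scope
    return not any(dst in net and flow.dport == port for net, port in EGRESS_ALLOW)

def review(lines):
    """Return violating flows, largest outbound transfer first (the likely exfil channel)."""
    bad = [f for f in map(parse_flow, lines) if egress_violation(f)]
    return sorted(bad, key=lambda f: f.bytes_out, reverse=True)

# Constructed sample records: two permitted server flows, one server talking to an
# unknown external host with a large transfer, one workstation flow (ignored here).
SAMPLE_LOG = [
    "src=10.20.3.14 dst=198.51.100.10 dport=443 bytes=1820",
    "src=10.20.3.14 dst=10.0.5.25 dport=25 bytes=940",
    "src=10.20.7.2 dst=203.0.113.77 dport=443 bytes=58234112",
    "src=10.30.1.9 dst=203.0.113.77 dport=443 bytes=4096",
]

if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"DENY+ALERT {f.src} -> {f.dst}:{f.dport} ({f.bytes_out} bytes)")
```

In practice the same allow-list would be expressed as firewall egress rules, with the review step reduced to alerting on whatever the deny rule logs.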
So what have I learned from what was said about this breach? Security companies are likely too smug/set in their old ways. Security professionals don't understand what hackers do. RSA likely didn't use their own products.
There is a HIGH likelihood of insider help here; to think that an attacker walked in the front door and knew exactly where to go is preposterous. Maybe RSA and other companies can send their existing security staff to Real World Security Practitioner training [5] in order for them to see what hackers do in order to learn this and how to counter attackers in real-time.
[1] http://latimesblogs.latimes.com/technology/2011/03/emc-rsa-security-hacked.html
[2] http://en.wikipedia.org/wiki/Extrusion_detection
[3] http://en.wikipedia.org/wiki/Herd_behavior#Herd_behavior_in_human_societies
[4] http://abcnews.go.com/Blotter/dod-private-contractors-potentially-vulnerable-rsa-cyber-attack/story?id=13162204
[5] http://www.peaksec.com/training/real-world-security.html