Plans Must be in Place to Recover Anytime the Trust Provider is Compromised
When a company prides itself in providing the most advanced and sophisticated network security solutions—and that company’s own network is hacked—brand insult is added to data injury. Not only must the company compensate customers for their losses, but the breach of information incurs an unquantified cost to its reputation. No one wants to call on the services of the firehouse that burned down, and customers will invariably ask how a company’s security solutions can protect them if they couldn’t protect the company itself.
In 2011 the world has witnessed several cases in which network security companies – RSA, Comodo and StartSSL—themselves fell victim to hacking at a severe cost to their reputation. With DigiNotar recently joining the ranks as a trusted third-party security organization successfully compromised by hackers, enterprises need to move past the shock and begin formulating their own compromise recovery and business continuity plans.
All enterprises need to look at their highest-value assets—servers and applications where sensitive and regulated data flows, and that are protected by certificates. Plans must be in place to recover anytime the trust provider is compromised. This article details how those breaches occurred and the lessons that the victims learned from them.
The RSA Breach
RSA, the Security Division of storage vendor EMC, forms a pillar of the security industry. It’s name is so synonymous with security that the RSA Conference, considered one of the premier security conferences, bears its name. And yet, in mid-March, RSA was hit by a breach that compromised the two-factor authentication product SecurID used by thousands of its customers.
RSA described the breach as an “advanced persistent threat” (APT), implying that a group with vast resources had targeted RSA over a long period of time. (However, some critics contend that RSA is saving face with a too liberal use of the term; security analyst Scott Crawford called the scheme “plain old phishing.”)
According to RSA, the attackers used “social engineering” tools to glean information on a group of RSA employees by searching social networking sites. The perpetrators fashioned “spear phishing e-mails” containing personal information that would entice the targets to open the messages. Clicking on the attached Excel file, “2011 Recruitment plan.xls,” unleashed a zero-day exploit that installed a backdoor in victims’ computers through an Adobe Flash vulnerability, since patched. Once in, the hacker was able to sniff around, seeking accounts with higher access privileges than the person originally duped. These privileged accounts allowed the attacker to extract the SecurID credentials from the network, RSA said.
While RSA Executive Chairman Art Coviello blogged that RSA does not believe the items exposed could be used to steal from a customer, “this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack.” Presumably, hackers obtained information that allows them to calculate the passwords generated by a given SecurID product at a given time, thus removing one factor in the authentication, leaving the user’s password to stand on its own.
Sure enough, in late May, news outlets reported an attack on defense contractor Lockheed Martin’s network by hackers who reportedly used duplicate SecurID electronic keys pilfered in the RSA attack. Even though the attack failed, RSA has since offered to replace the SecurID tokens for any customer who wants them.
The Comodo Breach
Comodo also operates in the security space as, among other things, a Public Key Infrastructure (PKI) Certificate Authority (CA). As a CA, Comodo issues certificates to other entities, attesting that those entities truly represent who they claim to represent. For example, when a browser attempts to establish a Secure Socket Layer (SSL) connection to a Web site, the site presents its CA-signed certificates to authenticate itself as legitimate. If hackers can trick a CA into signing their fraudulent certificate requests, they can pose as Google, Yahoo or, worse, a bank. They can then freely download malware, for instance, to users’ computers or trick users into exposing their financial account credentials.
Comodo discovered in March that it had inadvertently granted certificates to an Iranian hacker who called himself “Comodo Hacker” in a blog post. Somewhat like RSA, Comodo has attempted to present the attack as a vast, state-sponsored affair. Comodo’s CEO and founder, Melih Abdulhayoglu, blogged that Comodo interpreted the breach as “‘state driven/funded’ attacks … from Iran.’”
However, Comodo Hacker challenged this interpretation. Although supportive of the Iranian regime, Comodo Hacker acted alone. He wrote, “I'm not a group. I'm [a] single hacker with [the] experience of 1,000 hackers. I'm [a] single programmer with [the] experience of 1,000 programmers.”
News reports stated that the digital certificates were obtained from an affiliate of Comodo by someone who used a valid username and password. Comodo acted quickly by revoking the fraudulent certificates through an update to popular browsers like Internet Explorer, Firefox and Chrome. Comodo further assured its customers that it had suspended the two affiliated businesses that were supposed to vet certificate applications.
But analysts note serious flaws in Comodo’s processes. That the requester had an Iranian IP address should have raised eyebrows, as well as the fact that the requests were for well-known sites such as Google, Yahoo, Mozilla and Skype. Some security experts contend that cleaning up the fraudulently obtained Comodo certificates only deals with the known attack; to combat unknown risks, someone should cross-check the work of all CAs – besides Comodo, the leading ones are VeriSign and GoDaddy — to catch mistakes like these.
The Lessons The biggest lesson learned is that virtually any company — security vendor or otherwise — is vulnerable, such is the insecure nature of the Internet. Comodo, DigiNotar and RSA showed the world that despite, for lack of a better description, “rock-solid security,” the inevitable can happen. Despite the irony of these successful attacks against two of the world’s preeminent security companies, these vendors found themselves as vulnerable as any to attacks that targeted employees and practices rather than specific technologies and security systems. Companies that haven’t yet suffered a breach, or who are unaware if they have, should be grateful that RSA, Comodo and now DigiNotar are now shining light on how to improve the situation.
For example, the Comodo and DigiNotar breaches illuminate the key role that humans play in all security efforts. As third-party trust providers, both certificate authorities learned the necessity of counteracting human error with well-documented policies and built in dual controls for issuing and managing certificates.
RSA’s breach followed a slightly different pattern, but the company learned a similar lesson in the importance of confronting security risks—not merely with new technologies—but with better practices. Uri Rivner, Head of New Technologies and Consumer Identity Protection at RSA, blogged that RSA is building a whole new “defense doctrine” to respond to the attacks.
Placing particular emphasis on the human element in the latest attacks, Rivner wrote: “It’s time to respond as an industry, define and execute a new defense doctrine based on information sharing, deep analytics and advanced threat management.”
Further, few organizations have a management platform in place that gives them the power to replace compromised certificates quickly. Otherwise, the replacement of known, compromised certificates is largely a manual effort. This forces organizations to continue operations in a compromised condition—possibly for many months—while the thousands of compromised certificates are manually replaced. In some cases that may not even be an option and entire systems may have to be shut down until remediated.
With hackers operating on the inside, attempting to extract data by leveraging legitimate users’ access, enterprises must respond with better processes for managing and auditing all means of access to critical data—whether user accounts or the asymmetric encryption keys that are used as credentials by applications and servers. Better access and audit controls will enable companies to contain breaches and to discover them more quickly. And by shoring up this element in defense—the neglect of which can cause embarrassing data breaches in the most security-technology-driven of companies—enterprises reduce the risk of becoming 2011’s next high-profile victim.