RSA is a division of EMC Corporation that offers security products to businesses and government agencies. RSA’s flagship product is SecurID, a combination of two-factor authentication tokens (hardware and software) and the associated server software used in their implementation. This product aims to deliver secure remote access, including access to critical infrastructure. In 2009, it was estimated RSA had “about 40 million tokens and 250 million mobile software versions deployed in over 25,000 organizations”, including banks, government, manufacturing, and pharmaceutical companies (Rashid, 2011). In this paper we will examine the 2011 breach of RSA involving the SecurID product, the incident response and recovery, mitigation strategies, and discuss the ramifications of such private sector breaches on overall incident management and response.
RSA discovered the attack while it was still in progress (Gov InfoSecurity, 2011). Once discovered, RSA’s Computer Incident Response Team began to monitor the attackers to determine the extent of the breach, discovering that data pertaining to their SecurID tokens had been exfiltrated (Rivner, 2011). RSA executive chairman Art Coviello describes the discovery by stating, “We were disappointed when we realized they'd exfiltrated information related to SecurID, and then we totally went into customer-focus mode. [We asked] how are we going to communicate this to customers, how are we going to make sure that we mitigate any potential risk, what exactly is the risk” (Espiner, 2011). RSA began to harden their IT infrastructure to mitigate any further damage. However, there appears to be no public data on what specific hardening steps were taken by RSA.
RSA publicly announced that they had been breached and began working with authorities. The Department of Homeland Security (DHS) was involved both during and after the attack (Bank Info Security, 2011). Through a coordinated effort, RSA worked with law enforcement, the intelligence community, and other commercial entities.
RSA’s actions stand in contrast to many corporations that do not acknowledge breaches of sensitive information systems for fear of alarming shareholders and exposing the corporation to lawsuits (Gross, 2011). Even when evidence points to nation-state involvement (most often China), many companies still refuse to acknowledge breaches. The “fear of offending the Chinese and jeopardizing their share of that country’s exploding markets” is reason enough to remain quiet (Gross). Despite mounting evidence, the “U.S. government, for its part, has been fecklessly circumspect in calling out the Chinese” (Gross).
Recovery after the breach at RSA was not limited to the RSA environment. Because RSA tokens were widely deployed across industry and government agencies (and their contractors), the breach had far-reaching implications across multiple sectors.
In an attempt to mitigate potential attacks on its...