The head of corporate computing giant EMC Corp. admitted Thursday that its business security division RSA had become the victim of an advanced cyber attack, although the company does not expect this to have a significant financial impact.
"Recently, our security systems identified an extremely sophisticated cyber attack in progress being mounted against RSA," said Art Coviello, Executive Chairman of EMC, in an open letter.
EMC's security division RSA has identified an extremely sophisticated cyber attack, he said.
EMC does not believe that the matter described in the letter and note will have a material impact on its financial results, the company said in a filing with the Securities and Exchange Commission.
Coviello said measures instituted to protect RSA and its customers included "hardening our IT infrastructure." The company has begun an investigation and is working with authorities, he said.
The attack type is known as an Advanced Persistent Threat (APT), Coviello said.
APT threats are becoming a significant challenge for all large corporations, and it's a topic I have discussed publicly many times, Coviello said.
Describing the Threat
The attackers are persistent, and if an organization lets its guard down for any period of time, the chance of compromise is very high, McAfee Chief Technical Officer Eric Cole said in a company blog post last year.
An APT's goal is to look as close as possible, if not identical, to legitimate traffic. The difference is so minor that many security devices cannot differentiate between them, he said.
Anything that has value to an organization will have value to an attacker, he said. Attackers do not just want to get in and leave; they want long-term access.
Stealing data once has value, but stealing data for nine months gives the attacker even more payoff, he added.
The Attack on RSA
Certain information was extracted from RSA's systems, including some related to the company's SecurID two-factor authentication products, Coviello said.
That information would not allow a successful direct attack on its RSA SecurID customers, he said. He said, however, that the information could potentially be used to reduce the effectiveness of the product's implementation as part of a broader attack.
Customers were informed of the breach and were being provided ways to strengthen the product's implementation, he said.
He said the company knew of no evidence that personally identifiable information for customers or employees was compromised.
The company issued the following general recommendations:
- Increase focus on security for social media applications and use of the applications and websites by anyone with access to critical networks
- Enforce strong password and pin policies
- Provide people with only the security access they need - the principle of least privilege
- Avoid suspicious e-mails, and do not provide user names or credentials to others without verifying their identity and authority
- Avoid complying with e-mail and phone-based requests for credentials
- Pay attention to Active Directory security, make full use of Security Information and Event Management (SIEM) products, and implement two-factor authentication to control access to Active Directory
- Observe changes in user privilege levels and access rights using SIEM technologies, and add more manual approvals for those changes
- Closely monitor and limit remote and physical access to infrastructure hosting security software
- Examine help desk practices for information leaks that could help an attacker perform a social engineering attack
- Keep security products, and the operating systems hosting them, upgraded with the latest patches
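The two SIEM recommendations above (watch Active Directory privilege changes and require manual approvals for them) can be turned into a simple detection rule. This is an added example in Python, not code from the page or from RSA; it assumes group-membership events have already been exported as semicolon-separated key=value lines, and the sample events, field names and approval list are constructed for the example.

```python
# Sample events are constructed for this example; the key=value line format and
# field names (ts, event_id, subject, member, group) are this example's own.
# Windows Security event IDs for "member added to security-enabled group":
# 4728 global, 4732 local, 4756 universal.
MEMBER_ADDED_EVENTS = {"4728", "4732", "4756"}
# Groups whose membership changes should always carry a manual approval.
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "schema admins", "administrators"}

def short_name(account):
    """'CORP\\j.doe' -> 'j.doe', lower-cased, so approvals match either form."""
    return account.rpartition("\\")[2].strip().lower()

def parse_event(line):
    """Split 'k1=v1;k2=v2' into a dict, ignoring malformed fields."""
    fields = {}
    for part in line.strip().split(";"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def detect(lines, approvals):
    """Return (ts, actor, member, group, reason) per suspicious change.
    approvals: lower-cased (member, group) pairs already signed off."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("event_id") not in MEMBER_ADDED_EVENTS:
            continue
        group = ev.get("group", "").strip().lower()
        if group not in PRIVILEGED_GROUPS:
            continue
        actor = short_name(ev.get("subject", ""))
        member = short_name(ev.get("member", ""))
        if actor == member:          # self-elevation is never routine
            reason = "actor added own account to privileged group"
        elif (member, group) in approvals:
            continue                 # a change ticket covers this addition
        else:
            reason = "privileged group change without approval"
        alerts.append((ev.get("ts", ""), actor, member, group, reason))
    return alerts

SAMPLE_LOG = [  # constructed sample events, not real log data
    "ts=2011-03-17T09:12:05Z;event_id=4728;subject=CORP\\hr.admin;member=CORP\\j.doe;group=Domain Admins",
    "ts=2011-03-17T09:15:40Z;event_id=4732;subject=CORP\\it.ops;member=CORP\\svc_backup;group=Administrators",
    "ts=2011-03-17T09:16:02Z;event_id=4624;subject=CORP\\j.doe;logon_type=10",
    "ts=2011-03-17T09:20:11Z;event_id=4728;subject=CORP\\m.lee;member=CORP\\m.lee;group=Schema Admins",
    "ts=2011-03-17T09:25:30Z;event_id=4728;subject=CORP\\it.ops;member=CORP\\intern1;group=Marketing",
]
APPROVED = {("svc_backup", "administrators")}  # signed off in a change ticket
```

Running `detect(SAMPLE_LOG, APPROVED)` flags the unapproved Domain Admins addition and the Schema Admins self-elevation, and ignores the approved service-account change, the logon event and the non-privileged group.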