RSA Postmortem: 5 months later

Great post from F-Secure Labs on how one dedicated employee, Timo Hirvonen, found the actual attack e-mail and 0-day exploit payload used in compromising RSA (the security division of EMC) back in March 2011.

While the attack vector (phishing) was not advanced, the exploit code was. As the F-Secure article points out, RSA could not have defended against this brand-new threat via antivirus or other network/system defenses. However, proper training of employees on opening suspicious attachments could have prevented the whole thing.

My favorite detail in the post is that an RSA employee uploaded the e-mail to VirusTotal. This is speculation, but I can imagine the additional virus scanning occurred immediately after opening the file and seeing the actions (see the video in the F-Secure post). I can further imagine the "oh, crap" reaction of the person who watched, on their screen, as one of the leading security product providers got owned.

Building an organizational culture of security and privacy can go a very long way. Training and awareness are a critical complement to any enterprise defense strategy. You can deploy millions of dollars' worth of defense systems and still be compromised by the actions of a dedicated and resourceful adversary and the actions of one untrained employee.

A closing note: At the beginning of August the RSA breach was revealed, through an EMC earnings call, to have cost $66 million to investigate, mitigate, and help customers.