Most of us will recall that on March 17 2011,  RSA Security admitted that cyber-attackers had breached its network and obtained “information relating to the SecurID technology.” SecurID generates security tokens by requiring users to enter a secret code number displayed on a keyfob, or in software, in addition to their password (a process commonly known as two-factor authentication in access control systems).

Since that RSA announcement, several Department of Defense contractors or their subsidiaries have disclosed that their networks were targets of cyber-attacks apparently using information stolen from RSA.

Big players in the military industrial complex like Northrop Grumman Corp, Lockheed Martin, L-3 Communications pretty much have the military technology secrets of the United States. They provide command-and-control, communications, intelligence, surveillance and reconnaissance (C3ISR) technology to the Pentagon and intelligence agencies.

Since the RSA breach, they have all reported intrusion attacks that involved the use of information stolen from remote-access security tokens which according to RSA executive chairman Art Coviello, “could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack.”

That broader attack seem to be under way because on of the seemingly random but targeted attacks against contractors with ties to the nation’s defense systems:

• On May 21, it was reported that Lockheed Martin shut down remote access to its internal network after a “significant and tenacious attack on its information network”.
• On May 26, Northrop Grumman shut down remote access to its network without warning, forcing the company to go through a domain name and password reset across the entire organization.
• On May 27, an attack on L-3 Communications Holdings using spoofed pass codes from a cloned RSA SecurID token was reported by Reuters.

There are speculations that the RSA breach may have occurred through a remote device or VPN client or with the help of an insider since an attacker would need at least one employee’s user name and pass code as well as have some idea of which services that employee had access to in order to break into a SecurID-protected network.

Anush Gosh, a former scientist with the Defense Advanced Research Projects Agency (DARPA) argues that the RSA attack was very sophisticated, and was probably executed by people who had plans for what to do with the keys.

Wired goes further to opine that “the attacks suggest the RSA intruders obtained crucial information — possibly the encryption seeds for SecurID tokens — that they’re using in targeted intelligence-gathering missions against sensitive U.S. targets”.

Even RSA characterized the breach as an “advanced persistent threat,” or APT – an unusually sophisticated attack in which intruders use social engineering coupled with undisclosed or so-called zero-day vulnerabilities to infiltrate a target network at a weak point, and then spread out carefully to steal source code and other intellectual property.

Now that those plans seem to be in full motion, the big question is, is it time for RSA to break its silence on the matter and tell the American public what actually happened. It may not be pretty, but at least we will know what is coming. After all, most IT security folks have a thing or two against security by obscurity.

Shameless Plug:

If you own a small business in the Austin area and have less than 20 employees, see how you can secure your network and data without upfront or out-of-pocket cost here.

HBGary, RSA, Comodo and Barracuda Networks are the latest of high-profile security vendors to be breached. As a quick refresher, EMC’s RSA group disclosed that someone had broken into its networks and obtained information that could compromise its SecurID products.

Comodo, a security vendor that provides SSL certificates to providers of online shopping services announced that it had unknowingly issued bogus SSL certificates for a number of web sites, including sites owned by Microsoft, Google, Yahoo, Skype and Mozilla. Apparently, one of Comodo’s partners, GlobalTrust forgot the meaning of “global” and “trust” by not taking precautions against attacks and data destruction.

HBGary got itself into a knot with some questionable behavior after a data leak (the company was broken into, and tens of thousands of the company’s e-mail messages were posted online).

Most recently, Barracuda Networks, virtually a house-hold name in enterprise security got itself into an embarrassing situation when one of its servers was hacked and sensitive data concerning the company’s partners and the credentials of employees authorized to log in to the company’s content management system were exposed.

Here’s Barracuda’s explanation of what happened:

In case you haven’t heard, Barracuda Networks was the latest victim of a SQL injection attack on our corporate Web site that compromised lead and partner contact information.

…The attack started [on a] Saturday night and was launched at a time when the Barracuda Web Application Firewall that was supposed to protect the site had been taken offline for maintenance. After a couple of hours of probing, the hacker found an SQL injection flaw — a common Web programming error — on a script used to display write-ups of customer case studies. That one mistake got him into a database that the company used for its marketing program and sales lead development.

Could it be argued that the common thread in all these cases centers around arrogance and/or complacency? Arrogance because the vendors thought they were too good to spend time taking care of the small things – regular audits, least privilege, data segregation etc. Complacency because they spend most of their time and effort telling us how to be secure and probably believed it without doing the necessary work.

That mentality flows down to the rest of us when we hear the names of these industry giants. I mean RSA has a cryptographic algorithm named after them for crying out loud. And Barracuda? The company was doing web and email security before it became mainstream.

Apparently, these companies were as confident of their security as most of us were. But they got hacked and the painful part of it is that some of the causes of the hacks were mistakes you would expect “ordinary” companies or users to make. How often have we heard these vendors bombard us with “Defence-In_Depth”, “Keep your sensitive data separate”, “Do not expose your sensitive servers to the internet” etc.? Yet, a look at the root causes of the breaches surrounds those same issues – almost a case of “Do as I say, not as I do?

Lessons learned?

1. Even a “Bastille” for data security can be breached with enough time and patience.
2. It pays to have a solid set of policies, standards, guidelines and procedures that are constantly updated to reflect changing times. More important, make sure your employees know and understand what to do when an incident occurs. It is not just enough to say, “they should know what to do”. After all, it could easily be argued that no one told the Barracuda maintenance folks about the dangers of placing a firewall in passive monitoring mode through a maintenance window.

Barracuda sums up additional lessons very well in its frank admission of the screw-up:

• You can’t leave a Web site exposed nowadays for even a day (or less).
• Code vulnerabilities can happen in places far away from the data you’re trying to protect.
• You can’t be complacent about coding practices, operations or even the lack of private data on your site – even when you have WAF (Web Application Firewall) technology deployed.

Happy computing and be careful out there folks.

These are the key findings of the study:

• The average value of a lost or stolen laptop is about $49,246 when you factor in the replacement cost, detection, forensics, data breach, lost intellectual property costs, lost productivity, legal and regulatory expenses etc.
• The potential for a data breach occurring makes a lost or stolen laptop costly to the affected company to the tune of about 80 percent.
• Intellectual property loss is the second highest cost component – about 59 percent of the total cost.
• The faster the affected company learns of the loss, the lower the average cost – about $8,950 if the discovery is made the same day of the loss and about $115,849 if it takes more than a week to discover that the laptop was lost or stolen.
• Lost productivity represents about 1 percent of the total cost when employees have downtime due to the loss of the laptop.
• The most senior level personnel do not experience the highest average cost. The average cost of a lost laptop for a senior executive is $28,449 and the highest average cost for  a manager is $60,781 while a director experiences an average cost of about $61,040.
• The average cost of a lost laptop with a full backup is $69,899 and $39,253 when there is no backup.  The argument is that this inverse relationship is because the existence of a backup makes it easier to confirm the loss of sensitive or confidential data.
• There is almost a $20,000 difference between a lost laptop with encryption and one without.
• The services industry has the highest average full cost – about $112,853, followed by the financial services industry – about $71,820, healthcare ($67,873) and pharmaceuticals ($50,393).
• The industries with the lowest average cost per lost laptop are retail ($8,756) consumer products ($2,194) and manufacturing ($2,184).
• The services industry has the highest average data breach cost at $108,699 while the financial services industry has an average data breach cost of $68,862), healthcare ($43,547) and pharmaceuticals ($42,027). Government, retail and manufacturing had the lowest average data breach cost at $12,017, $3,620 and $44 respectively.
• In terms of intellectual property loss, the technology industry had the highest average cost of $18,205 followed by healthcare ($17,999) and communications ($17,818).

The Privacy Rights Clearinghouse estimates that since 2005, about 263 million records have been breached. If we take the average recovery cost of $202 per record as estimated by the Ponemon Institute, that means organizations in the United States have lost a whopping $53 Billion in five years thus making misplaced or stolen laptops one of the costliest exposures most companies face.