On the other hand, a good example of mitigation and containment through fast response time is the March 2011 exfiltration of RSA SecurID code. The attack had only been in the network for days when EMC's security team discovered the compromise and took action.
The attack started with reconnaissance and information gathering that led to a targeted spear phishing attack on an RSA-EMC employee who thought that, when he clicked a link, he was responding to a legitimate business partner.
RSA never directly attributed the attack to anyone in particular, but publicly stated that the attack had all the signs of a nation-state incursion. Its disclosure led many organizations to implement compensating controls recommended by RSA and replace existing tokens with new SecurID tokens.
“RSA is fortunate to have a good EMC [its parent company] Critical Incident Response Center,” says Eddie Schwartz (left), who took the role of RSA's CISO shortly after the breach announcement. “So RSA was able to catch the event quickly and move with an aggressive program to replace tokens where needed.”
Threats that affect more than one company can also lead to systemic improvements in entire vertical industries, such as what happened with Stuxnet. When the worm broke out of its bounds and spread from Iranian facilities to Indonesia, India, the United States and beyond, control system operators the world over began taking a close look at their networks, says Doug Powell, manager of security privacy and safety at BC Hydro in Canada, and chair of the critical infrastructure working group at ASIS, an organization for security professionals.
“We were all concerned about the unintended damage Stuxnet would cause once it propagated outside of the Iranian nuclear environment with respect to its targeting Siemens controllers,” he says. “So control system operators started checking their systems to see if they could be impacted.”
As a result of Stuxnet, vulnerabilities are being patched, awareness is being raised, and holistic changes are being made at infrastructure operators around the globe. For example, while BP Hydro had no such systems in place, they still used the experience to raise awareness, plug vulnerabilities, improve authentication and implement better management of its control systems.