So the delightful Brian Krebs (I mean that, seriously) posted an article today on the other 760 victims of the RSA attackers. This is not an article about the second wave of victims who got owned because RSA SecurIDs are not so much… you know, secure; rather, it’s about all the other companies that got hit at the same time by the same people that breached RSA. Judging from what Mikko Hyponnen presented at SECTOR and the common C&C infrastructure that Krebs’ discusses, they probably all got nailed by the same exploit. The list, if you’re a little bored, is here (and by bored I mean the article is a good read but going through 760 names takes a certain amount of spare time you could do other stuff with).
I don’t know about you, but if I were on that list, I’d be a little embarrassed. I wonder how many people spent part of their day going through the list looking for any service providers or vendors that had connection to anyone they might care about. I also wonder how many infosec pros then reached out to those providers and asked them if they knew about the breach and whether the breach had any impact on their customers. I bet the answers to those questions were “wait? what? we’re listed where?” and “ummm…. we don’t know”.
Now, the reason I’d be embarrassed about being on this list is follows:
- Publicly owned is never good unless you are running a “hack this thing competition”;
- Publicly owned and your customers finding out about it from anyone other than you and your media spin doctors is even worse;
- Getting owned by an email trojan, circa 1999 Melissa, means a failure not only of your existing defences (spam filters and Anti-X among others) but also of your user security awareness training (you do remind your users not to click on stuff, right? Do you remind them more than once a year?).
- El-Al puts all luggage into a pressure chamber to simulate flight conditions in an attempt to trigger any bombs with altimeter triggers. Why can’t we do that to content before we let it in to our network. There are at least two working technologies out there that do the same already but for downloads and attachments. Microsoft built an entire farm of virtual machines, called HoneyMonkey, to find and safely trigger malware. You may not know you downloaded malware, but it’s a sure sign that you’ve got a problem when something starts phoning home.
- Watch your web filter or proxy logs – see lots of stuff going to funny domain names – that might be a sign of an automated breach extrusion. If you’re running a big enough network, maybe go get a list of known botnet C&C servers.
- Buy some cloud capacity and run your browsers and email clients in a sort of reverse DMZ using remote desktop or published Citrix apps. That way a breach is limited to a virtual machine which is not inside your core network next to all your deep dark secrets. It works for the military and governments, maybe air gapping isn’t that paranoid.
- Mandatory email encryption/signing with your business partners – at least that way you know email that came from them really came from them and can be trusted a bit more than the spoofed email that looks like it came from them. Anything not signed gets routed to some quarantine box (maybe the aforementioned reverse DMZ).
- Give everyone a chromebook – ok, a bit drastic but their fully sandboxed architecture for each application makes your malware infections job that much harder.
- Be absolutely belligerent about any detected infections – where there’s one, there’s probably two. Immediately delete infected files, burn infected systems to the ground – none of this wait and see attitude.
- Educate users every single month about malware and click on stuff that looks mildly suspicious. While once a month may seem excessive, users forget quickly so remind them often (to steal someone else’s line, I forget exactly who, think of it like user patching).
- Patch and harden, patch and harden.
(Image used under CC from GS1311)