Following up on my recent post about the Epsilon breach: the investigation of that incident is still ongoing, and no further official information has been released about the attack method or its level of sophistication.
There has, however, been some unofficial speculation that in this case, as with the RSA attack, the attackers targeted specific individuals with customized emails, the so-called “spear phishing” approach. Time will tell; I am sure that we’ll learn a lot more over the next few weeks.
Speaking of the RSA breach, there’s a fascinating blog entry from RSA’s Uri Rivner here, which describes how that attack was carried out. Kudos to the folks at RSA for talking about this publicly, and achieving the right balance between openness and necessary secrecy.
The upshot is that the attack was specifically targeted at individuals within RSA; while the payload was sophisticated enough to make use of a zero-day Flash exploit, the entry point was an old-fashioned email with just enough context to convince a user to open the infected file.
Once the user’s computer was infected, the attackers used remote monitoring and remote control of that desktop system and parlayed this foothold into access to server and network resources. While I don’t know the details of this part of the attack, it’s clear that it leveraged the compromised user account’s access to additional IT resources, which was the attackers’ intended target.
That is, the attackers didn’t care about the local resources on the compromised computer, but cared very much about what data and systems this user’s accounts had access to.
This is one aspect of IT security that organisations improve with an access governance solution – ensuring that people only have appropriate access to systems, and the rights to perform appropriate actions within those systems, based on their role in the organisation.
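As an added illustration (not part of the original post or of any vendor product), a small Python reconciliation of the kind an access review performs: it flags entitlements that fall outside a user's role and shows which systems a single compromised account could reach. Roles, entitlement names and users are constructed sample data.

```python
"""Access-governance check: compare each user's actual entitlements with
what their role permits, and list the systems reachable through one account
(the reach an attacker would inherit by compromising that account)."""
from dataclasses import dataclass, field

# Constructed sample role model (hypothetical roles and "system:action" entitlements).
ROLE_ENTITLEMENTS = {
    "engineer":   {"git:read", "git:write", "build:run"},
    "hr":         {"hris:read", "hris:write"},
    "contractor": {"git:read"},
}


@dataclass
class User:
    name: str
    role: str
    entitlements: set = field(default_factory=set)


def excess_entitlements(user):
    """Entitlements the user holds that their role does not permit.
    An unknown role permits nothing, so every entitlement is flagged."""
    allowed = ROLE_ENTITLEMENTS.get(user.role, set())
    return sorted(user.entitlements - allowed)


def review(users):
    """Map each user to their out-of-role entitlements (empty list = clean)."""
    return {u.name: excess_entitlements(u) for u in users}


def blast_radius(user):
    """Distinct systems reachable via the account (the prefix before ':')."""
    return sorted({e.split(":", 1)[0] for e in user.entitlements})


# Constructed sample users; bob and carol carry rights their roles do not justify.
SAMPLE_USERS = [
    User("alice", "engineer", {"git:read", "git:write", "build:run"}),
    User("bob", "contractor", {"git:read", "git:write", "hris:read"}),
    User("carol", "hr", {"hris:read", "hris:write", "build:run"}),
]

if __name__ == "__main__":
    for name, excess in review(SAMPLE_USERS).items():
        status = "OK" if not excess else "EXCESS: " + ", ".join(excess)
        print(f"{name:8} {status}")
    for u in SAMPLE_USERS:
        print(f"{u.name} can reach: {blast_radius(u)}")
```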
Now, I don’t know the details of the RSA incident beyond what has been publicly disclosed, so I can’t say whether, in this case, inappropriate user access rights were a factor in enabling this attack to succeed. But I do know that customers and prospects take their security responsibilities seriously, and that gaining visibility and control of user access is increasingly important to them, driven by both security and compliance needs.