Thursday, April 7, 2011

RSA & Epsilon could use this hardware security

Recently two companies have lost data from a database that should have been better protected: EMC, via its RSA division, which makes hardware two-factor authentication tokens (once the de facto standard), and Epsilon, a huge email marketing firm. Better yet, that data should never have been this obtainable.

Breaches occur all the time, usually because extremely valuable or confidential data is stored in some database or file that you just can't afford to lose and should not lose. Why do they lose it? They don't think through how to protect it with existing technology, and they don't segment the 'keys to the castle', as we say, allowing typical user systems to reach networks and systems they should not even be able to see, let alone interact with.

Why does that matter? Because on a flat network, anyone who gets a foothold can see everything. In the RSA case, a user clicked on something they should not have: an Excel spreadsheet with a Flash exploit embedded inside it. That infected one system, the malware spread from there, and the bad guys were able to see, touch and exploit the RSA database of super secret sauce.

This system, or systems, should have been completely isolated, reachable only through a jump server or highly restricted access control lists backed by serious authentication. That was not in place.

If these companies, and many others, had used something like the Yubico Hardware Security Module (HSM), which locks the keys and data in such a way that stealing the data would be worthless, they would have been protected. Yubico has taken what used to be a $15k entry point for an HSM down to $500!!! Yup, $500 for a USB device that uses diode noise to generate a truly random key that you could never crack unless you steal the USB device itself, which hopefully sits physically secured in a data center. And if the key or the USB device is somehow stolen, by dumb luck or a dumb employee, the application would fail and you would know immediately.
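To make the "stolen data is worthless without the device" point concrete, here is an added example (mine, not Yubico's product code or anything from this post): a simulated HSM that keeps the master key inside one object and only exposes seal/unseal, a database that stores nothing but sealed blobs, and a read path that fails closed the moment the device is gone. The record contents and the HMAC-based stream construction are constructed for illustration, not taken from any real product.

```python
import hmac, hashlib, secrets

class SimulatedHsm:
    """Stand-in for a hardware module (constructed for this example).
    The master key never leaves the object; callers only get seal()/unseal()."""
    def __init__(self):
        self._key = secrets.token_bytes(32)  # real hardware generates this on-device

    def _keystream(self, nonce, length):
        # HMAC-SHA256 in counter mode as a PRF-based stream; "ks" separates it from tags
        out, counter = b"", 0
        while len(out) < length:
            out += hmac.new(self._key, b"ks" + nonce + counter.to_bytes(4, "big"),
                            hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def seal(self, plaintext):
        nonce = secrets.token_bytes(16)
        ct = bytes(a ^ b for a, b in zip(plaintext, self._keystream(nonce, len(plaintext))))
        tag = hmac.new(self._key, b"tag" + nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag  # encrypt-then-MAC; this blob is all the database holds

    def unseal(self, blob):
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expect = hmac.new(self._key, b"tag" + nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            raise ValueError("record was not sealed by this device or was tampered with")
        return bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct))))

def store_record(db, hsm, record_id, secret):
    db[record_id] = hsm.seal(secret)

def read_record(db, hsm, record_id):
    if hsm is None:  # device unplugged or stolen: fail closed, loudly, as the post describes
        raise RuntimeError("HSM unavailable: refusing to serve secrets")
    return hsm.unseal(db[record_id])

def demo():
    # Constructed sample: a hypothetical token seed, the kind of record RSA lost
    hsm, db = SimulatedHsm(), {}
    store_record(db, hsm, "token-0001", b"seed:constructed-sample-value")
    dumped = db["token-0001"]  # what an attacker exfiltrating the database would see
    return read_record(db, hsm, "token-0001"), dumped
```

A copy of `db` taken to another machine (a second `SimulatedHsm` with its own key) fails the tag check on every record, which is the property the post is after.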

So if companies don't wake up and start using real isolation, segmentation and HSMs to protect truly valuable and reputation-related data, then they deserve the stock price hit, the firings and the lack of trust we now all have in companies that REALLY should know better and know how to secure data of this magnitude.

