RSA’s release of additional information about the breach of its SecurID multi-factor authentication system highlights important elements of an information security program, elements that matter particularly in a healthcare IT environment. To understand why, let’s first review a rough outline of some widely reported details of the RSA attack:
- Step 1: The attacker sends an email to some RSA employees with an attachment entitled ‘2011 Recruitment Plan’.
- Step 2: An uninformed, but probably not malicious, RSA employee opens the attachment, which contains an Adobe Flash zero-day exploit.
- Steps 3 through n: The attackers apparently leverage this initial compromise of one employee’s system to escalate privileges, eventually gaining access to core elements of the SecurID system.
RSA described this as an “advanced persistent threat,” but that is probably just an attempt to gain sympathy by implying that the attackers were unusually smart, focused and determined. Really, this looks like a pretty standard attack sequence. The most intriguing thing about this attack is that RSA was vulnerable to a situation in which a single employee mistake (opening the attachment in step 2, above) could be leveraged into a full network compromise. It’s astounding, actually.
I’ve got to hope that RSA’s core SecurID technology is highly secured in an isolated subnet of its corporate network. If that is the case, then the initial attack would have had to target a small set of employees sitting on the right part of the network, and those are precisely the critical employees that RSA, of all companies, should have been able to train to recognize the dangers and behave securely.
At Redspin, we do a lot of social engineering audits, in which we use tests that measure whether employees actually understand and follow the organization’s information security policy. For example, in the RSA breach the attacker used a document entitled ‘2011 Recruitment Plan’. We use variations of this type of attack: we send email to employees and then log the number of employees who fall for the scheme. It’s not uncommon for 30% of employees to violate policy and open documents with enticing names such as “employee salary report” or “upcoming staff reduction plan”.
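As an added example (not part of the original post and not Redspin’s own tooling), here is one way to instrument a phishing simulation like the one described above so that the numbers you report are trustworthy: each employee gets an HMAC-signed token in their lure link, the landing page’s web-server access log is parsed for those tokens, forged or garbled tokens are discarded, repeat clicks by the same employee count once, and the fall-for rate is reported overall and per department. The roster, the campaign secret, the hr-portal.example.test host and the log lines are all constructed for this example.

```python
"""Phishing-simulation scorer (added example, not Redspin's tooling).

Every employee gets an HMAC-signed token in their lure link; the landing
page's access log is parsed for those tokens; forged or garbled tokens are
dropped; each employee counts at most once; and the fall-for rate is reported
overall and per department.  Roster, secret, host and log lines are constructed.
"""
import hashlib
import hmac
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set

# Constructed campaign secret.  For a real campaign generate it with
# secrets.token_bytes(32) and keep it off the mail and web servers.
CAMPAIGN_SECRET = b"example-campaign-secret-do-not-reuse"

# Constructed roster: employee id -> department.
ROSTER: Dict[str, str] = {
    "e1001": "Finance",
    "e1002": "Finance",
    "e1003": "HR",
    "e1004": "IT",
    "e1005": "IT",
    "e1006": "Nursing",
}

LURE_PATH = "/2011-recruitment-plan"  # served on the constructed host hr-portal.example.test


def _mac(employee_id: str, secret: bytes) -> str:
    # 64-bit truncated HMAC-SHA256: tokens cannot be guessed or derived from
    # one another, yet stay short enough to survive email-client line wrapping.
    return hmac.new(secret, employee_id.encode(), hashlib.sha256).hexdigest()[:16]


def make_token(employee_id: str, secret: bytes = CAMPAIGN_SECRET) -> str:
    """Token placed in the lure link: '<employee_id>.<mac>'."""
    return f"{employee_id}.{_mac(employee_id, secret)}"


def verify_token(token: str, secret: bytes = CAMPAIGN_SECRET) -> Optional[str]:
    """Return the employee id if the token is genuine and on the roster, else None."""
    employee_id, sep, mac = token.partition(".")
    if not sep or employee_id not in ROSTER:
        return None
    if not hmac.compare_digest(mac, _mac(employee_id, secret)):
        return None
    return employee_id


def lure_path(employee_id: str) -> str:
    """Request path for one employee's lure link."""
    return f"{LURE_PATH}?t={make_token(employee_id)}"


# Combined-log-format request field, and the token query parameter inside it.
REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<path>\S+) HTTP/[\d.]+"')
TOKEN_RE = re.compile(r"[?&]t=([A-Za-z0-9_.-]+)")


def clicks_from_logs(lines: Iterable[str]) -> Set[str]:
    """Employees who followed their lure link; repeats and forged tokens are ignored."""
    clicked: Set[str] = set()
    for line in lines:
        req = REQUEST_RE.search(line)
        if not req:
            continue
        tok = TOKEN_RE.search(req.group("path"))
        if not tok:
            continue
        employee_id = verify_token(tok.group(1))
        if employee_id:
            clicked.add(employee_id)
    return clicked


def fall_rate(clicked: Set[str], roster: Dict[str, str] = ROSTER) -> Dict[str, float]:
    """Percentage who clicked, per department plus an 'ALL' total (one decimal)."""
    sent: Dict[str, int] = defaultdict(int)
    fell: Dict[str, int] = defaultdict(int)
    for employee_id, dept in roster.items():
        sent[dept] += 1
        if employee_id in clicked:
            fell[dept] += 1
    rates = {dept: round(100.0 * fell[dept] / sent[dept], 1) for dept in sent}
    rates["ALL"] = round(100.0 * len(clicked) / len(roster), 1)
    return rates


def sample_logs() -> List[str]:
    """Constructed access-log lines: e1001 clicks twice, e1004 once, someone
    replays a forged token for e1002, plus unrelated traffic."""
    forged = f"{LURE_PATH}?t=e1002.0000000000000000"
    return [
        f'10.0.0.5 - - [18/Mar/2011:09:01:12 -0700] "GET {lure_path("e1001")} HTTP/1.1" 200 512',
        f'10.0.0.5 - - [18/Mar/2011:09:01:40 -0700] "GET {lure_path("e1001")} HTTP/1.1" 200 512',
        '10.0.0.9 - - [18/Mar/2011:09:03:07 -0700] "GET /favicon.ico HTTP/1.1" 404 0',
        f'10.0.0.12 - - [18/Mar/2011:09:05:55 -0700] "GET {forged} HTTP/1.1" 200 512',
        f'10.0.0.21 - - [18/Mar/2011:09:09:31 -0700] "GET {lure_path("e1004")} HTTP/1.1" 200 512',
    ]


if __name__ == "__main__":
    print(fall_rate(clicks_from_logs(sample_logs())))
```

The signed token matters more than it looks: a plain sequential or employee-id token lets a curious employee (or the scorer’s own noise) inflate the count, and per-department reporting is what turns a raw percentage into a training target.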
If RSA can’t succeed in securing a small and critical area of its network, what is a healthcare organization to do? In many health IT environments, ePHI is widely distributed, often across many users with different roles and responsibilities, in varied and often public facilities.
A key point is that employees are so often the weakest link in security, and training is a key element of addressing that. At Redspin we perform HIPAA Risk Analysis and risk assessments for healthcare organizations. These are a very valuable way to identify health IT and PHI security risk. Interestingly, though, in the case of the RSA breach a small subset of the security assessment, social engineering testing, which is cheap, easy and effective, might have avoided the breach. Our social engineering page lists some additional interesting examples of telephone-based social engineering (where we call up and say “can I have your password please”). Furthermore, some organizations are even able to do this kind of testing in-house, and it’s very scalable: social engineering test results are big topics around the water cooler, so even a little bit of testing can improve a big part of the organization.