The RSA SecurID Hack: A Lesson on Protecting Your Most Critical Assets

Tom Badders
May 25, 2021 • 4 min read


WIRED magazine recently published a deep dive into the 2011 security breach that cost EMC, the parent company of RSA, $66.3 million – costs to investigate the breach, shore up its IT systems and monitor transactions of the more than 30,000 customers of its SecurID two-factor authentication token.

Ten years later, the RSA hack is still considered to be among the worst cybersecurity breaches to date. It started with phishing emails containing malware that were sent to two employees. When the email was opened, the malware exploited a zero-day vulnerability in Adobe Flash to install software called Poison Ivy on the victim’s machine, giving the attackers access to RSA’s networks. Using stolen login credentials, the attackers moved through RSA’s network and searched until they found hundreds of credentials belonging to more privileged administrators, which gave the intruders nearly unlimited access to enterprise resources.

The breach was a nightmare happening in real time. According to Bill Duane, a veteran RSA engineer, the attackers fanned out across the network: they would attempt to break into a connected system, get detected a minute or two later, and an IT team would go in after them and disable the system. The intruders would then move on to the next system, and the game of cat and mouse continued.

The keys to the kingdom – the SecurID seeds

During the frenzied chase, the IT team identified the attacker’s real target – the SecurID seeds – the crown jewel of RSA’s two-factor authentication system. These are the seeds RSA distributed to its customers so they could set up authentication servers and generate the codes that matched the ones produced by the SecurID tokens. By stealing the seeds, the cybercriminals now had the keys to millions of locked doors on the internet: they could generate the authentication codes without the physical tokens. In order to stem the data leak and salvage the business, all of RSA’s systems were shut down.

Organizations today have in their toolkit a plethora of network security tools that can be used to protect the edge of the network and endpoints. From anonymous VPNs and firewalls to intrusion detection systems and WAFs, all are designed to keep out attackers. Most organizations have implemented least-privilege access to help reduce the overall attack surface. And Zero Trust security approaches take this concept one step further with the principle that no one is to be trusted by default: access is cut off until the network is able to verify who you are and whether you are authorized to be on the network and to access its resources.

But – what about protecting your most sensitive data? How confident are you that your enterprise network security is sufficient to protect mission-critical assets whose compromise could result in an “extinction event,” as one of the RSA threat hunters described their own breach?

“Every network is dirty”: Protecting your critical assets with a virtual obfuscation network

In the decade since, the brutal RSA breach has remained a wake-up call for cybersecurity professionals – “every network is dirty,” as the Wired article puts it, and attackers can get in when they really want to. In which case, how can organizations protect their most critical assets when cybercriminals breach their networks?

According to Duane, the RSA engineer, every organization needs to “cordon off” their most critical assets from the rest of the network so they remain inaccessible even if there is a breach. For RSA, what needed “cordoning off” was their SecurID seed server. For a healthcare provider, it could be their e-healthcare record repository. For a bank, it could be their financial transactions. For an energy firm, it could be data from their SCADA network – or the network itself.
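As an added example (not code from the article, RSA or Telos), the Python below uses RFC 6238 TOTP as a stand-in for SecurID’s proprietary token algorithm to show the two points above: whoever holds a seed can produce the same codes as the token, and “cordoning off” the seed store can be implemented as a verify-only boundary that never hands a seed to the application tier. The serial number, seed and clock value are constructed sample values.

```python
import hashlib, hmac, struct

def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class SeedVault:
    """Cordoned-off component: the only place seeds exist in clear; it never returns one."""

    def __init__(self) -> None:
        self._seeds: dict[str, bytes] = {}  # serial -> seed, never exported

    def enroll(self, serial: str, seed: bytes) -> None:
        self._seeds[serial] = seed

    def verify(self, serial: str, code: str, now: int, drift_steps: int = 1) -> bool:
        seed = self._seeds.get(serial)
        if seed is None:
            return False
        # Tolerate +/- drift_steps of clock skew; compare in constant time.
        return any(hmac.compare_digest(totp(seed, now + 30 * k), code)
                   for k in range(-drift_steps, drift_steps + 1))

def app_tier_record(serial: str) -> dict:
    """What the application tier keeps: a serial and a vault reference, never a seed."""
    return {"serial": serial, "vault_ref": "vault-1"}

def demo() -> dict:
    vault = SeedVault()
    seed = b"constructed-sample-seed-0001"  # constructed value, not a real SecurID seed
    vault.enroll("000123456789", seed)
    now = 1_700_000_000  # fixed clock so the run is reproducible
    token_code = totp(seed, now)  # what the physical token would display
    # Whoever holds the seed computes the identical code with no token at all:
    # that equivalence is what made the seed server an extinction-level asset.
    return {
        "token_equals_seed_holder": token_code == totp(seed, now),
        "accepted": vault.verify("000123456789", token_code, now),
        "drift_accepted": vault.verify("000123456789", token_code, now + 30),
        "stale_rejected": not vault.verify("000123456789", token_code, now + 120),
        "app_tier_holds_seed": "seed" in app_tier_record("000123456789"),
    }
```

A dump of the application tier’s records therefore contains nothing that regenerates codes; only the vault has to be defended at the level RSA’s seed server required.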

That’s where a virtual obfuscation network comes into play. The organization’s critical assets can reside on a hidden server that is only accessible through the virtual obfuscation network, which itself is hidden from unauthorized users. Network obfuscation uses a combination of technologies, including multi-layered encryption, dynamic IP routing, varying network pathways, and the removal of source and destination IP addresses, to hide the presence of a user, asset, or resource on the internet. Because after all, you can’t exploit what you can’t see.

To learn more about how the Telos Ghost virtual obfuscation network can help to protect your critical assets, visit: www.telos.com/offerings/telos-ghost

Tom Badders is a Senior Product Manager at Telos Corporation.