While most companies have managed to make their IT systems secure, one loophole can still let these systems down: human beings. IT systems may be secure enough, but a person can easily be tricked into releasing their credentials or allowing an attacker to access the systems. This was the case at RSA, a big security firm. After staying silent about the issue for some time, the organization released information on the nature of the attack, detailing that the attackers used a three-stage attack process. The attackers sent phishing emails to several employees. The emails had an attachment that, when opened, would install a zero-day exploit on the systems. Of the employees who received the emails, one was curious enough to open the attachment, which was titled "2011 Recruitment Plan" and was tempting enough (Zetter, 2011). The malware was then deposited on the computer, allowing the hackers to control it remotely and to steal passwords, which in turn allowed them to steal a lot of data from an employee who had access to sensitive data. This attack happened because the employees were either not attentive to information or had not received adequate training on it, putting the entire organization at risk (Richmond, 2011). While such emails can be tempting to open, an employee who has received adequate information about phishing should be suspicious and wary of opening anything sent by unknown persons. This should have been the case especially for a huge company like RSA. While zero-day exploits will continue to exist as long as IT does, securing systems means nothing if those operating them do not play their part in securing data. To prevent such an attack, adequate and rigorous training is mandatory.
- Richmond, R. (2011). The RSA Hack: How They Did It. Retrieved from https://bits.blogs.nytimes.com/2011/04/02/the-rsa-hack-how-they-did-it/
- Zetter, K. (2011). Researchers Uncover RSA Phishing Attack, Hiding in Plain Sight. Retrieved from https://www.wired.com/2011/08/how-rsa-got-hacked/