Questions the CEO should be asking IT staff about the RSA hack
- 14 June, 2011 12:05
Companies who have unanswered questions and concerns about the RSA token hack should be talking to the IT department as soon as possible, according to a rival security vendor.
Westpac and ANZ announced this week that they had begun a replacement program of tokens for customers and staff, with ANZ revealing that it had decided to reissue 50,000 tokens to customers and corporate clients.
2nd Phase founder, Campbell Bradford, whose company distributes a rival token-less security product, approached Computerworld Australia with questions he says chief executive officers should be asking IT security staff about RSA. He also expressed concern that Australian companies would be waiting a long time for replacement tokens. "Customers have invested in one of the most expensive systems on the market for zero security — and now the customers are going to have to shell out more expense recalling and redistributing tokens," he said.
"The organisation spent money on a security product to do a job and it is now not doing that job so why spend any more money [redistributing new tokens] on a product that is potentially putting the organisation at risk? There is simply not any evidence of a sound business argument in favour of more operational expense being spent on this product."
According to Bradford, RSA customers should also be concerned about the long term viability of the company due to the high costs of replacing all the hacked tokens.
RSA has not said how much the cyber attacks have cost, but even before the SecurID replacement program, it was expensive. For its most recent financial quarter, ended March 31, EMC said the RSA group's gross margins dropped from 67.6 percent to 54.1 percent, year-over-year. EMC blamed this downturn on the attack.
"Will EMC just write off their 'investment' after they realise they paid too much for RSA in the first place and it is now tainting the EMC name?" Bradford said.
The questions CEOs should be asking security staff, according to Bradford, are:
1. When did you find out about the RSA hack? It was first reported on 18 March 2011. "If the IT security people knew about it back in March, what have they done about it since? With the total lack of information from RSA, surely you have to assume the worst and assume SecurID had been compromised," he said.
2. What risk analysis has been carried out since? If none, why not?
3. Who did the risk analysis? Someone qualified and who knows authentication inside and out?
4. How much is distributing new tokens going to cost the organisation?
5. How are new tokens going to reduce the risk? What if RSA’s formula for calculating a token seed record that is associated with each token’s serial number has been compromised? What good are new tokens going to be? Has RSA stated that new tokens will definitely fix the problem?
6. When will we receive the replacements? Six months? 12 months?
7. So the vendor has to increase production significantly due to the hack. How is this going to affect the quality of the tokens?
8. If it is going to cost RSA US$1 billion to replace tokens free to everyone then how are they going to survive in another year? Will they exist in 2013?
9. How much does it cost the organisation each year to have tokens?
10. Are there any alternative two factor authentication offerings that are lower cost and more convenient that would save the organisation operating expenses without compromising security?
11. Are you happy with the current two factor authentication offering or is it too much of an overhead?
12. Are you happy with the price the organisation pays for tokens? Maintenance? Staff to maintain the existing two factor system?
13. When was the last time the organisation surveyed the market for alternative solutions?
14. How much would swapping to a new system cost? If the cost of swapping is less than the cost of redistributing new tokens and the ongoing costs are a fraction of the existing token based system why wouldn’t the organisation swap?
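Question 5 above turns on how a token's seed is provisioned. The following is an added illustration, not code from the article, from RSA or from 2nd Phase: it uses the public HOTP construction from RFC 4226 and two hypothetical provisioning models. In the "derived" model the seed is computed from a vendor master secret and the token serial number; in the "random" model each token receives an independent random seed. The simulation shows why, under the derived model, a leaked master secret makes a replacement token no safer than the old one, whereas independently seeded replacements do help. The function names, the master-secret assumption and the sample serial are all constructed for this example.

```python
"""Added illustration (not from the article): why a shared seed-derivation
secret undermines token replacement. Uses the public HOTP algorithm
(RFC 4226). Both provisioning models below are hypothetical and do not
describe any vendor's real process."""
import hashlib
import hmac
import secrets
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def derived_seed(master_secret: bytes, serial: str) -> bytes:
    """Hypothetical 'derived' model: the seed is a function of a vendor
    master secret and the serial printed on the token. Anyone holding the
    master secret can recompute the seed of ANY token, new ones included."""
    return hmac.new(master_secret, serial.encode(), hashlib.sha256).digest()[:20]


def random_seed() -> bytes:
    """'Random' model: each token gets a fresh, independent 160-bit seed
    that lives only on the token and in the authentication server."""
    return secrets.token_bytes(20)


def replacement_helps(master_secret: bytes, provisioning: str) -> bool:
    """Simulate a replacement token after the vendor master secret has
    leaked. Returns True if the replacement actually helps, i.e. someone
    holding the leaked secret can no longer reproduce the new token's codes."""
    new_serial = "TOKEN-NEW-0001"  # constructed sample serial
    if provisioning == "derived":
        server_seed = derived_seed(master_secret, new_serial)
        # The serial is visible on the token; with the leaked master secret
        # the seed of the replacement is fully recomputable.
        leaked_view_seed = derived_seed(master_secret, new_serial)
    elif provisioning == "random":
        server_seed = random_seed()
        # Nothing about the new seed follows from the leaked secret;
        # the best the holder can do is guess.
        leaked_view_seed = secrets.token_bytes(20)
    else:
        raise ValueError("unknown provisioning model")
    # Compare several consecutive codes so a chance 1-in-10^6 match of a
    # single 6-digit code cannot produce a misleading answer.
    counters = range(3)
    return any(hotp(server_seed, c) != hotp(leaked_view_seed, c) for c in counters)


if __name__ == "__main__":
    secret = b"constructed-master-secret"  # stands in for the leaked value
    print("derived model, replacement helps:", replacement_helps(secret, "derived"))
    print("random model,  replacement helps:", replacement_helps(secret, "random"))
```

The practical check for a defender is therefore not "have we swapped the hardware?" but "were the replacement seeds generated independently of whatever was taken?" Only the vendor can answer that, which is exactly why the article's question 5 asks whether the vendor has stated that new tokens definitely fix the problem.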
RSA's parent company, EMC Australia, was approached for a response by Computerworld Australia but declined to comment.
Got a security tip-off? Contact Hamish Barwick at hamish_barwick at idg.com.au