Questions the CEO should be asking IT staff about the RSA hack
- 14 June, 2011 12:05
Companies that have unanswered questions and concerns about the RSA token hack should be talking to the IT department as soon as possible, according to a rival security vendor.
Westpac and ANZ announced this week that they had begun a replacement program of tokens for customers and staff, with ANZ revealing that it had decided to reissue 50,000 tokens to customers and corporate clients.
2nd Phase founder, Campbell Bradford, whose company distributes a rival token-less security product, approached Computerworld Australia with questions he says chief executive officers should be asking IT security staff about RSA. He also expressed concern that Australian companies would be waiting a long time for replacement tokens. "Customers have invested in one of the most expensive systems on the market for zero security — and now the customers are going to have to shell out more expense recalling and redistributing tokens," he said.
"The organisation spent money on a security product to do a job and it is now not doing that job so why spend any more money [redistributing new tokens] on a product that is potentially putting the organisation at risk? There is simply not any evidence of a sound business argument in favour of more operational expense being spent on this product."
According to Bradford, RSA customers should also be concerned about the long-term viability of the company due to the high costs of replacing all the hacked tokens.
RSA has not said how much the cyber attacks have cost, but even before the SecurID replacement program, it was expensive. For its most recent financial quarter, ended March 31, EMC said the RSA group's gross margins dropped from 67.6 percent to 54.1 percent, year-over-year. EMC blamed this downturn on the attack.
"Will EMC just write off their 'investment' after they realise they paid too much for RSA in the first place and it is now tainting the EMC name?" Bradford said.
The questions CEOs should be asking security staff, according to Bradford, are:
1. When did you find out about the RSA hack? It was first reported on 18 March 2011. "If the IT Security people knew about it back in March what have they done about it since? With the total lack of information from RSA then surely you have to assume the worst and assume SecurID had been compromised," he said.
2. What risk analysis has been carried out since? If none why not?
3. Who did the risk analysis? Someone qualified and who knows authentication inside and out?
4. How much is distributing new tokens going to cost the organisation?
5. How are new tokens going to reduce the risk? What if RSA’s formula for calculating a token seed record that is associated with each token’s serial number has been compromised? What good are new tokens going to be? Has RSA stated that new tokens will definitely fix the problem?
6. When will we receive the replacements? Six months? 12 months?
7. So the vendor has to increase production significantly due to the hack. How is this going to affect the quality of the tokens?
8. If it is going to cost RSA US$1 billion to replace tokens free to everyone then how are they going to survive in another year? Will they exist in 2013?
9. How much does it cost the organisation each year to have tokens?
10. Are there any alternative two factor authentication offerings that are lower cost and more convenient that would save the organisation operating expenses without compromising security?
11. Are you happy with the current two factor authentication offering or is it too much of an overhead?
12. Are you happy with the price the organisation pays for tokens? Maintenance? Staff to maintain the existing two factor system?
13. When was the last time the organisation surveyed the market for alternative solutions?
14. How much would swapping to a new system cost? If the cost of swapping is less than the cost of redistributing new tokens and the ongoing costs are a fraction of the existing token based system why wouldn’t the organisation swap?
RSA's parent company, EMC Australia, was approached for a response by Computerworld Australia but declined to comment.
Got a security tip-off? Contact Hamish Barwick at hamish_barwick at idg.com.au