Questions the CEO should be asking IT staff about the RSA hack

Australian customers may be waiting "a long time" for replacement tokens, rival vendor argues

Companies that have unanswered questions and concerns about the RSA token hack should be talking to their IT department as soon as possible, according to a rival security vendor.

Westpac and ANZ announced this week that they had begun a replacement program of tokens for customers and staff, with ANZ revealing that it had decided to reissue 50,000 tokens to customers and corporate clients.

2nd Phase founder, Campbell Bradford, whose company distributes a rival token-less security product, approached Computerworld Australia with questions he says chief executive officers should be asking IT security staff about RSA. He also expressed concern that Australian companies would be waiting a long time for replacement tokens.

"Customers have invested in one of the most expensive systems on the market for zero security — and now the customers are going to have to shell out more expense recalling and redistributing tokens," he said.

"The organisation spent money on a security product to do a job and it is now not doing that job so why spend any more money [redistributing new tokens] on a product that is potentially putting the organisation at risk? There is simply not any evidence of a sound business argument in favour of more operational expense being spent on this product."

According to Bradford, RSA customers should also be concerned about the long-term viability of the company, given the high cost of replacing all the hacked tokens.

RSA has not said how much the cyber attacks have cost, but even before the SecurID replacement program, the bill was substantial. For its most recent financial quarter, ended March 31, EMC said the RSA group's gross margins dropped from 67.6 percent to 54.1 percent, year-over-year. EMC blamed this downturn on the attack.

"Will EMC just write off their 'investment' after they realise they paid too much for RSA in the first place and it is now tainting the EMC name?" Bradford said.

The questions CEOs should be asking security staff, according to Bradford, are:

1. When did you find out about the RSA hack? It was first reported on 18 March 2011. "If the IT Security people knew about it back in March, what have they done about it since? With the total lack of information from RSA, surely you have to assume the worst and assume SecurID had been compromised," he said.

2. What risk analysis has been carried out since? If none, why not?

3. Who did the risk analysis? Someone qualified and who knows authentication inside and out?

4. How much is distributing new tokens going to cost the organisation?

5. How are new tokens going to reduce the risk? What if RSA’s formula for calculating a token seed record that is associated with each token’s serial number has been compromised? What good are new tokens going to be? Has RSA stated that new tokens will definitely fix the problem?

6. When will we receive the replacements? Six months? 12 months?

7. So the vendor has to increase production significantly due to the hack. How is this going to affect the quality of the tokens?

8. If it is going to cost RSA US$1 billion to replace tokens free to everyone then how are they going to survive in another year? Will they exist in 2013?

9. How much does it cost the organisation each year to have tokens?

10. Are there any alternative two factor authentication offerings that are lower cost and more convenient that would save the organisation operating expenses without compromising security?

11. Are you happy with the current two factor authentication offering or is it too much of an overhead?

12. Are you happy with the price the organisation pays for tokens? Maintenance? Staff to maintain the existing two factor system?

13. When was the last time the organisation surveyed the market for alternative solutions?

14. How much would swapping to a new system cost? If the cost of swapping is less than the cost of redistributing new tokens, and the ongoing costs are a fraction of the existing token-based system, why wouldn't the organisation swap?

RSA's parent company, EMC Australia, was approached for a response by Computerworld Australia but declined to comment.

Got a security tip-off? Contact Hamish Barwick at hamish_barwick at

Follow Hamish Barwick on Twitter: @HamishBarwick

Follow Computerworld Australia on Twitter: @ComputerworldAU
