RSA has admitted it is still a few months away from replacing all of its customers' SecureID tokens in the Australian market. The company also says that the March 2011 attack was by a nation state.
Australia/NZ general manager, Andy Solterbeck, told Computerworld Australia that the company has "a few months to go" before all the tokens are replaced.
The company has offered large customers, such as ANZ Banking Group, an early renewal of their contracts along with new devices, while smaller users were able to get free contract extensions. It has also offered to help with risk mitigation.
"We’ve attempted to contact every single customer that we have installed in the Australian market and if we haven’t been able to reach them than we ask them to reach out to us," Solterbeck said.
While RSA does not break out its customers on a regional basis, he said that 10 per cent of its global customer base had decided to replace their RSA tokens.
“We have thousands of customers in Australia and the number of customers here who have chosen to replace their tokens is slightly higher than the global number," he said.
"The reason is that in Australia, the level and degree of reporting was much higher than any other country globally."
He added that the number quoted in some news reports of $US1 billion to replace all the tokens was “nowhere near the true amount” but RSA was “not at liberty” to say what the true cost was.
Solterbeck said there was "no question whatsoever" that the company suffered a nation-state-orientated advanced persistent threat (APT) attack.
"The reason we say that was because of the level of the sophistication of the attack and specifically what they went after," Solterbeck said.
“We believe that we were one of the only commercial organisations that caught an APT in flight. Unfortunately we didn’t stop it in time but we did see it,"
One of the tools that helped RSA discover the APT was Netwitness, which is a full packet capture forensics engine that allows organisations to see every packet that goes across the network. RSA acquired Netwitness in April.
The information taken from RSA was than used in an attempt to infiltrate US defence contractor, Lockheed Martin. Lockheed Martin was forced to pull access to its private virtual access network after hackers compromised the SecureID technology.
According to Solterbeck, Lockheed Martin still remained the only incident it knew of that used information taken from RSA.
"The attack on Lockheed was unsuccessful; they actually mitigated the attack, partly because they implemented some best practice methods we recommended, such as breach mitigation," he said.
RSA is now warning others not to be compromised in the same way it was.
"Organisations need to change their security posture from one of perimeter based defence such as firewalls and antivirus, which are important, from one to where you assume you have been breached," Solterbeck said.
"What an organisation needs to work out is how they locate that breach and mitigate breaches both from a governance perspective and from a technology perspective."
Within RSA ANZ, the company is moving into desktop virtualization because, according to Solterbeck, this will increase the level of security around the end user environment.
“We’ve even more aggressively segregated our network infrastructure and increased the rigour in terms of security incident management as a process inside the organisation," he said.
While the company will continue to sell SecureID tokens, it is also looking to other areas of the business such as software tokens and risk-based authentication for growth opportunities. Risk-based authentication is used by banks to check where customers who are using internet banking are logging in from and what cookies they have enabled.
"If they are suddenly in a different country and using a different PC than they will flag that and make people step up to change their authentication," Solterbeck said.
When asked his thoughts on companies such as CA and Netsafe that also sell tokens targeting its customers with advertising campaigns, he acknowledged that it was a "commercial world" and other security companies had every right to do what they needed to in order to run a business.
"All I will say is that our business had a record quarter last year and a record quarter this year from a SecureID perspective," he said. "We haven’t seen significant impact from that kind of campaign."
RSA was asked for comment on the news report that it had been compromised by a spear phishing email but declined to comment.
Got a security tip-off? Contact Hamish Barwick at hamish_barwick at idg.com.au
Follow Hamish Barwick on Twitter: @HamishBarwick
Follow Computerworld Australia on Twitter: @ComputerworldAU