The Federal Government’s peak security agency has recommended departments and agencies accept the offer by troubled security vendor RSA for replacement copies of its SecurID keyfob identification tokens, as the fallout over a security break-in to RSA’s headquarters continues to be felt in Australia.
The SecurID platform sees small devices commonly known as ‘keyfobs’ distributed to staff and customers of major organisations. Each fob displays a one-time code derived from a secret seed held in the token (and at the authentication server) together with the current time; staff type that code alongside their password when they log in to sensitive systems such as internet banking platforms or government systems which hold vast swathes of data about citizens.
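To make the remediation concrete, here is an added worked example (not RSA’s code, nor code from any organisation named in this article) of how a time-based token works and why replacing tokens, which means provisioning fresh seeds, is the remedy on offer. It uses the public RFC 4226/6238 HMAC-SHA1 construction rather than RSA’s proprietary SecurID algorithm, and the seed, the 30-second step, the six-digit length and the "replacement" seed are all assumptions chosen for illustration; the seed is the RFC test key so the outputs can be checked against the published vectors.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo seed: the RFC 4226/6238 test key, ASCII "12345678901234567890".
# A real fob ships with its own random per-device seed; this value is for illustration only.
DEMO_SEED = b"12345678901234567890"
STEP_SECONDS = 30   # assumed code lifetime (RFC 6238 default); real products vary
DIGITS = 6          # assumed code length


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated to `digits` digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(seed, unix_time // step)


def verify(server_seed: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check: accept the code for the current step or +/- `window` steps of clock drift."""
    current = unix_time // STEP_SECONDS
    for step in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(server_seed, step), submitted):
            return True
    return False


def simulate_seed_compromise(unix_time: int) -> dict:
    """Why a leaked seed matters, and why re-seeding (token replacement) addresses it."""
    # The user's fob and the server's record share one seed, so they agree on the code.
    user_code = totp(DEMO_SEED, unix_time)
    # Anyone holding a copy of that seed record computes the identical code without the fob.
    attacker_code = totp(DEMO_SEED, unix_time)
    accepted_before = verify(DEMO_SEED, attacker_code, unix_time)
    # Replacement token: a fresh seed provisioned on the new fob and at the server.
    # Constructed deterministically here for reproducibility; real seeds are random.
    new_seed = hashlib.sha256(b"replacement-token-demo-seed").digest()[:20]
    accepted_after = verify(new_seed, attacker_code, unix_time)
    return {
        "user_code": user_code,
        "attacker_code": attacker_code,
        "attacker_accepted_before_reseed": accepted_before,
        "attacker_accepted_after_reseed": accepted_after,
    }


if __name__ == "__main__":
    # Fixed time 59 s hits the RFC 6238 test vector (counter 1 -> 287082 at six digits).
    print(simulate_seed_compromise(59))
    print("live code:", totp(DEMO_SEED, int(time.time())))
```

The last assertion in the simulation is the whole argument for token replacement: the attacker’s copy of the old seed still produces valid codes for the old token, but is worthless against a server that now trusts a different seed. It is also the argument Ducklin makes later in this article: re-seeding only helps if the new seeds are not exposed the same way the old ones were.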
However, following a remote attack on its head offices in the US and a subsequent attack on its customer Lockheed Martin, RSA has offered to replace the tokens globally. Locally, organisations such as Westpac and ANZ Banks and the Australian Taxation Office have taken up the offer, although others such as the Commonwealth Bank and NAB have so far declined, believing their security is sufficient to weather the storm.
The Defence Signals Directorate, the agency responsible for setting security policies across the Government, this morning revealed it had taken a conservative approach to the problem.
“The Defence Signals Directorate (DSD) has recommended Australian Government agencies that use SecurID products to protect sensitive or classified information accept RSA’s offer to replace the tokens,” a spokesperson said. DSD sits within the Department of Defence.
The tokens are used within Defence by the Defence Science and Technology Organisation to provide access to Defence’s secure Information Environment.
Although Defence noted it had a multi-layered security process in place, and had assessed the risk from the potentially compromised tokens as “low”, the DSTO will accept the DSD’s advice and replace the RSA tokens, although it did not say how many units were in operation.
In the meantime, Defence has put a number of interim measures in place.
“DSTO is managing the risk in accordance with the advice to government agencies provided by both RSA and DSD, and its own established security procedures,” the spokesperson said.
“All DSTO users have received advice on the issue, the security measures in place, and the steps that they must take to mitigate any risks. There is no evidence to suggest that the intrusion at RSA has compromised DSTO information and DSTO networks are constantly monitored.”
Not everyone agrees that changing the tokens over will resolve the potential security problem the break-in created, however. Yesterday afternoon, Paul Ducklin, the head of technology for the Australian division of RSA rival Sophos, criticised RSA for not properly disclosing what the actual security break-in at the company had entailed, stating that all RSA had done was allow the industry to speculate about what the problem might be.
Because of this, Ducklin said, changing over the tokens might be an ineffective solution. If you ate “one burger with expired meat”, then went back for more at the same restaurant, the executive argued, “you’re taking a gamble that next time the meat happens to be fresh”.
An Australian spokesperson for RSA yesterday declined to comment on the issue.