The Federal Government’s peak security agency has recommended that departments and agencies accept the offer by troubled security vendor RSA to replace copies of its SecurID key fob identification tokens.
The SecurID platform consists of small devices commonly known as "key fobs", distributed to the staff and customers of major organisations, who enter the one-time codes generated by the fobs to authenticate themselves when they log in to sensitive systems such as internet banking platforms or government systems.
However, following an attack on its head offices in the US and a subsequent attack on customer Lockheed Martin, RSA has offered to replace the tokens globally. Locally, organisations such as Westpac, ANZ Bank and the Australian Taxation Office have taken up the offer, although others such as the Commonwealth Bank and NAB have so far declined, believing their security is sufficient to weather the storm.
The Defence Signals Directorate, the agency responsible for setting security policies across the government, revealed this morning that it had taken a conservative approach to the problem.
“The Defence Signals Directorate (DSD) has recommended Australian government agencies that use SecurID products to protect sensitive or classified information accept RSA’s offer to replace the tokens,” it said. DSD sits within the Department of Defence.
The tokens are used within Defence by the Defence Science and Technology Organisation to provide access to Defence’s secure Information Environment.
Although Defence noted that it had a multi-layered security process in place, and that the risk posed by the potentially compromised tokens had been assessed as "low", the DSTO will accept the DSD's advice and replace the RSA tokens. It did not say how many units were in operation.
In the meantime, Defence has put in place a number of interim measures.
“DSTO is managing the risk in accordance with the advice to government agencies provided by both RSA and DSD, and its own established security procedures,” a Defence spokesperson said.
“All DSTO users have received advice on the issue, the security measures in place and the steps that they must take to mitigate any risks. There is no evidence to suggest that the intrusion at RSA has compromised DSTO information and DSTO networks are constantly monitored.”
RSA yesterday declined to comment on the issue.