A penetration test of 200 of Australia's largest enterprises has found severe network security flaws in 79 percent of those surveyed.
The tests, undertaken by University of Technology Sydney (UTS), saw 25 non-IT students breach security infrastructure and gain root or administration level access within the networks of Australia's largest companies, using hacking tools freely available on the Internet.
The students - predominately law practitioners - were given 24 hours to breach security infrastructure on each site and were able to access customer financial details, including confidential insurance information, on multiple occasions.
High-level business executives from the companies surveyed, rather than IT staff, were informed of the tests so the "day-to-day network security" of businesses could be tested.
Faculty of Law lecturer and LogicaCMG chief security officer, Ajoy Ghosh, who commissioned the test said students were able to breach 24 enterprises or 12 percent in less than an hour, in fact most systems were foiled in the first few minutes.
"More than half of those that passed the penetration test had freeware Intrusion Detection Systems (IDS), notably Snort; we only had two responses from security teams even though sites were down for more than an hour," Ghosh said.
"Organizations that couldn't be penetrated typically had Web servers were on hardened operating systems and many had done code reviews on Web pages and installed apps."
Ghosh pointed out that one in three intrusions occur on networks already protected by certified gateways, even those certified by government common criteria."
Most of the 21 percent of companies who passed the penetration tests owed their success to freeware Intrusion Detection Systems (IDSs), according to Ghosh.
"Over half of those that passed the test had freeware IDSs and already had or were implementing an Information Security Management System (ISMS)," he said.
"This proves that it's not costly to implement an IDS."
An equal distribution of Microsoft, Apache and Domino servers were used by the successful 21 percent.
High Tech Crime Centre federal agent Nigel Phair said it is "almost impossible" to collect accurate data on online security breaches because of the secrecy of the private sector.
"It is easier to sweep intrusions under the carpet and bring in a consultant to mop it up [than] to go to the Police," Phair said.
"People stand close to ATMs so they don't expose their passwords, but they do not apply real-world sensibilities in online environments.
"Users buy computers with antivirus as [OEM], but don't bother renewing updates and think they are still protected."
He said awareness of cybercrime has suffered from a lack of holistic security surveys, such as the recently-scrapped AusCERT Computer Crime and Security Survey, which Phair said has "left a hole" in the industry.
Have an opinion on this story? Click to e-mail Darren Pauli.
Read up on the latest ideas and technologies from companies that sell hardware, software and services. Taking On Demand CRM Integration to the Next Level
Best Practice in Building an Integrated Information Management Strategy
CRM your salespeople will love
Making the Business Case for IT Consolidation
Everything you need to know about email and web security (but were afraid to ask)
Achieving the impossible: Unlimited application scalability
Delivering the Power of Choice with Microsoft Dynamics CRM
Business Intelligence and Enterprise Performance Management: Trends for Emerging Businesses
Zones provide focussed content from Computerworld and leading technology partners.
Discover how SOA can create smarter outcomes for your business.
Attend and learn:
- How SOA is helping leading companies to become more agile
- Where you should be applying SOA processes in your company
- The top SOA implementation mistakes to avoid
Click here for more information.
- +
Computerworld Live Podcast #97: The Future of Enterprise Networking 25/07/2008 09:45:36
This week CW Live chats with Mark Thompson, global sales and marketing manager for HP ProCurve, on the future of the enterprise networking. Mark discusses the trends we can expect to see in the near future and how the right infrastructure can ensure your enterprise network is secure. - +
Computerworld Live Podcast #96: Security at the Edge 11/06/2008 09:22:22
CW Live speaks with Amol Mitra, HP ProCurve Director of Marketing for Asia Pacific and Japan. Today's topic: how enterprises are starting to shift away from simply controlling security via server logins, firewalls and moving to more adaptive security frameworks. - +
Data Management Edition #10: Multi-Petascale Systems 02/05/2008 09:12:33
This week we look at sustainability and the development of multicore technologies to build multi-petascale systems. - +
IT Security Edition #11: How to poison the Storm botnet 01/05/2008 08:51:55
This week CW Live presents a case study on how to poison the notorious Storm botnet . Plus we take a look at Cisco's plans for Ironport. - +
IT Security Edition #10: Cyber-battles fought and won 24/04/2008 11:09:47
Vendors bow to end user pressure to improve product security, and we take a look at the latest concepts shaping the cyber-battlefield of the future.
FrontRange Solutions launches HEAT Plus Mobile to reduce help desk costs and improve service management productivity 2008-12-02 15:15:00+11
AARNet Helps to Advance Indigenous Health 2008-12-02 12:44:00+11
Orbis selects Telstra International as its data centre partner for the UK, Europe and Middle East Region 2008-12-02 11:23:00+11
ComOps Deploys Corporate Performance Reporting Solution For Healthcare Test Manufacturer 2008-12-02 10:09:00+11
Mornington Peninsula Shire implements Objective to manage knowledge and deliver service excellence 2008-12-02 09:56:00+11
Still Sneaking In: The Threats Your Security Tools Aren't Telling You About
Web 2.0 applications are all the rage, offering us tremendous value when it comes to collaboration and communication. They also open us up to new kinds of attacks however, and can cause problems in keeping systems and data secure. Read on to learn about the new attack methods and how you can defend yourself and your business.
Buying Guides
Latest Products
