One in five Australian enterprises have found a rootkit on the corporate network.
This alarming figure is revealed in the 2006 AusCert Computer Crime Survey in a survey which drew responses from almost 400 companies in Australia.
For the first time, AusCert has segregated the category of "virus, worm or trojan infection" into two specific categories, virus or worm infection and trojan or rootkit infection. As a result, the survey found 21 percent of respondent companies' networks were hit by a rootkit while 45 percent had experienced a virus or worm
AusCert general manager Graham Ingram says the figure for rootkit infection is "disproportionately high".
Ingram said that in the past, enterprises viewed trojan and rootkit infection as a home PC issue.
Malicious code sidesteps detection
More than 60 percent of today's malicious code goes undetected by antispam and antivirus tools at work in business, despite their use by 98 percent of organizations.
Hackers are yesterday's news, according to the 2006 AusCert Computer Crime Survey.
Today, organized crime is pushing an agenda of malicious code which, Ingram said, has changed the corporate landscape.
"We have always dealt with very large numbers from worm and virus infections, but trojan and rootkit activity has always been hidden and this year one in five enterprises are getting hit by trojans or rootkits," he said.
"When the amount of malicious code in the form of trojans or rootkits that's commonplace today is compared with the adoption of antivirus and antispam hardware (respondent enterprises reported use of either or both), then such security technology is [apparently] rendered useless against rootkits."
This makes the survey results nothing short of alarming.
The problem is made worse, Ingram said, because of a serious shortage of IT security skill sets available in Australia.
Enterprise workers are extremely dissatisified with the level of qualifications and training for IT security staff, he said. "Only a small percentage of respondents believe they are managing security practices well," Ingram said.
"The use of security standards also has a low adoption in Australia."
The good news from the survey is that Australia has seen the lowest level of Internet-based attacks in four years with only 22 percent of survey respondents reporting an electronic attack that "harmed the confidentiality, integrity or availability of network data or systems". The figure was 35 percent in 2005.
However, the discrepancy has been noted in the survey, which says the "reduction in electronic attacks, coupled with the reduction in the "readiness-to-protect" factors is a puzzling combination" that may be described by the increased sample poll to include sectors not as heavily reliant on IT, such as manufacturing.
The sample poll in the manufacturing sector increased 8 percent in 2006, from 11 percent in 2005.
Convictions still don't measure up
Only 19 percent of all respondents (389 in 2006, 181 in 2005) who had reported a computer crime to law enforcement said it resulted in charges being laid.
Kevin Zuccato, managing director of the Australian High Tech Crime Centre, said 19 percent is a very good figure, considering what investigators are up against.
Zuccato said online security and policing needs to deal with hundreds of thousands of small crimes that collectively add up to a large figure as opposed to one crime that nets a profit.
He said 19 percent is a positive figure, given the additional challenges the Internet provides law enforcement when it comes to prosecution.
"With this type of offence jurisdictionally and legislatively it is difficult to get the information and timeliness that we need and to be in a position to use the information as evidence," Zuccato said.
"We are not talking about just protecting Australia, but an environment that has been created that sits beside the real world.
"Now, high volume crime uses the Internet to propagate [their environment] and criminals now want stealth so they are using rootkits as the [latest] thing."
The stats in a nutshell
The survey drew 389 responses from both private and public sectors; 51 percent of respondents were from the public sector Of the total, 42 percent of respondents worked in an organization earning between $10 million and $100 million gross annual income.
- Trojan or rootkit infections: 60 percent in public sector, 40 percent in private sector
- Average financial loss for electronic attack, computer crime or computer access misuse increased to 63 percent compared to 2005, averaging $241,150 per organization. The 2004 average loss was $153,245.
- Only 50 percent of companies increased IT security spend in 2006, compared to 68 percent in 2005 and 70 percent in 2004. 51 percent of organizations that spent up to 5 percent of the IT budget on security thought this figure was inadequate.
- Only 47 percent of respondents use IT security standards (ISO 17799 etc) compared to 65 percent in 2005.
- One respondent reported theft or breach of private data amounted to a $40 million loss.