The news isn’t good. Security breaches and worm, virus and Trojan attacks are all soaring. And the bottom line is remarkably simple — no business is safe unless the correct security policies and technologies are in place. Sarah Stokely breaks down the grim truths revealed in the 2003 Australian Computer Crime and Security survey and looks at some remedies.
The fourth annual snapshot of the Australian computer crime and security landscape has been taken, and the resulting picture suggests that the cost to business of failing to adequately protect itself has doubled.
The 2003 Australian Computer Crime and Security (ACCS) survey paints a picture of organisations that are largely dissatisfied with their in-house security management and skills, and are spending more on security in an environment where the financial toll of computer crime has doubled in the past year.
According to the survey the cost of security breaches has doubled since 2002 — and virus, worm and Trojan attacks are on the rise. Forty-two per cent of organisations surveyed had experienced at least one computer attack that harmed the “confidentiality, integrity or availability of network data or systems”.
The survey, conducted by AusCERT with Federal and State police, covered 200 organisations throughout the public and private sectors. Fifty-two per cent of these were small to medium-sized businesses (SMBs) of up to 499 people, but they tended to be asset-large — only 39 per cent of the organisations surveyed had income/expenditure under $100 million.
While 67 per cent of respondents had increased their security spending in the past year, they also indicated they were very much aware of their need for better security management, and of their own in-house limitations in this regard.
Only 11 per cent felt they were managing all computer security issues “reasonably well”, and 38 per cent were dissatisfied with the level of IT security qualifications, training or experience within their organisations.
As organisations plan to spend more and become aware that their in-house management and skills are lacking, there appears to be an opportunity for resellers and IT security providers to bridge that gap.
External attacks on the rise
The overall number of reported incidents was lower this year but, to some extent, the decrease reflects the wording of the survey questions.
When questioned about security incidents, 42 per cent of respondents had experienced “an attack against a computer or network which harmed the confidentiality, integrity or availability of network data or systems”. In 2002, when the definition was less stringent (“an attack against a computer or network, either real or perceived”) 67 per cent were affected.
But while the number of incidents isn’t easily compared year-on-year due to the changed definition, the 2003 survey did show the growth in external attacks continued to outpace the insider threat.
Of the 42 per cent of organisations that reported incidents, 91 per cent said they came from outside, while only 36 per cent came from within.
According to managed security provider SecureNet, while the incidence of external attacks is growing, they are also moving towards targeted rather than random or opportunistic attacks.
Managing director, Geoffrey Ross, said that through its government-accredited high security Trust Centres, SecureNet ran “the largest gateway in the country”.
“In a month we see about two million attacks which we have to repulse,” he said. “We are seeing a fairly high proportion of targeted attacks — of those two million, 50 per cent are targeted.”
Citing security reasons, Ross declined to be drawn on the nature of the targeted attacks, but said that “a good proportion” originated outside Australia.
What kinds of attacks are occurring?
The most common types of computer attack, crime or misuse detected by those in the survey were virus/worm/trojans (80 per cent), insider abuse of Internet, email or computer resources (62 per cent) and laptop theft (53 per cent).
In most categories the percentage of businesses affected was down from last year. Both insider abuse of resources and laptop theft were down nearly 20 per cent, compared to last year.
But the largest threat — virus, worm and trojan attacks — is growing in both regularity and cost. Eight in 10 companies were affected (up from 76 per cent last year). The number of companies suffering financially from these infections was also up: 57 per cent suffered financial loss as a result — up from 43 per cent. This was despite high use of antivirus software and policies for developing controls against malicious software.
How much damage do they cause?
Worryingly, while the surveyed companies reported fewer security incidents overall, the associated costs had doubled from the year before. The quantified losses leapt from $6 million in 2002 to about $12 million this year.
The greatest sources of loss were financial fraud, laptop theft and virus, worm and trojan infections.
Financial fraud caused the greatest loss, costing more than $3.5 million for the year, almost four times more than in 2002.
This meant on average, financial fraud cost each business $440,000.
The result surprisingly suggests that computer fraud is a greater problem in Australia than it is in the US, Computer Associates’ security specialist, Daniel Zatz, said.
“The US just released their equivalent CSI/FBI survey, with exactly the same questions that AusCERT asked,” he said. “I found it interesting that financial fraud didn’t rate as high over there — it was third or fourth highest, with an average loss of about $328,000.”
Why isn’t it working?
While human error has long been the bugbear of computer security, the changing nature of computer attacks and viruses also plays a part.
The fact that the ACCS survey showed an increase in virus, worm and Trojan attacks, despite almost saturation usage of firewalls and antivirus software, suggests that security policies and technology need to keep pace with the evolution of computer crime.
Security hotspots include wireless security, access and identity control, and vigilance over partner and customer security.
The evolution of increasingly complex viruses demands the evolution of network security measures, according to Network Associates Asia-Pacific marketing director, Allan Bell.
New “blended” viruses, such as the latest Bugbear virus, which uses a combination of methods to try to attack a network, meant that multiple layers of network protection were necessary, Bell said.
“The issue is that organisations have been using a technology to defend themselves which is hard and crunchy on the outside,” he said. “But networks are becoming porous. And there are a number of organisations who don’t have a picture of their network.”
The increasing adoption of wireless technology, in conjunction with poor network management, was creating weaknesses in this “porous” network, Bell said.
In addition, with the ease of installation of some wireless technologies, employees were able to add wireless functionality to their desktop or remote location without the knowledge of their IT manager — leading to blind spots in the organisation’s security management.
As the use of wireless technology grew, the potential exploitation of insecure wireless access points was still a concern, according to SonicWall’s regional manager, Australia/NZ, Randy Prado.
The company’s new SOHO TZW product was the first to apply IPSec technology to secure wireless access, he said.
By using the integrated 802.11b protocol, the product is able to segregate users from one another. Prado said this would solve the security weakness in wireless hotspots, in which wireless users who hadn’t turned off the peer-to-peer session on their laptop were enabling others to piggyback on their session back to their office network.
Poor security cultures both within organisations and at their shared perimeters with partners and customers also give rise to lapses in security.
Policies including identity management were a considerable weakness within many organisations, according to regional manager, IBM Tivoli Security, Australia/NZ, Con Yianakos.
Poor control of employee network access left the door open for abuse, he said.
“Many attacks — anything up to 40 per cent — are through accounts already authorised to be inside the network,” Yianakos said. “Often up to 50 per cent of active accounts are orphans.”
The ACCS survey highlighted a number of security issues that are potential legal minefields for businesses. These include cases highlighting the need to take reasonable security steps in order to prosecute for breaches, and the need to enforce acceptable use policies.
Civil liability for e-security breaches is another hot issue. The survey pointed out that legislation is still lagging when it comes to IT and computer crime — pointing to the Western Australian Criminal Code, which fails to make information theft a crime.
The shortcomings of the legislative approach to computer crime were a reminder to focus on prevention rather than cure, Computer Associates security specialist, Daniel Zatz, said.
“We have a misperception of what security is about,” Zatz said. “We think the law is going to protect us, we think it’s a safety net ... it’s not.”
Organisations are also becoming aware that policing their own networks isn’t enough, according to Network Associates marketing director for Asia-Pacific, Allan Bell.
“The issue is becoming not just security for your organisations but also that of your suppliers and partners,” Bell said. In some cases, companies are out of pocket even when they’ve done nothing legally wrong.
Bell points to last year’s fraud at DBS Bank as an example.
In June 2002, a hacker accessed the online banking details of 21 customers of the Singapore bank, and transferred $AU53,600 into his own account.
The customers’ computers had been infected with a virus which left a Trojan that captured their online banking passwords. Without penetrating the bank’s security, the hacker was able to obtain customer banking details and transfer money into his own account.
The account details were taken from the weak link in the security chain — the customers. The bank itself didn’t have its security compromised, but still refunded customers and spent money on a campaign encouraging customers to use antivirus software.
The case highlighted the need for vigilance on behalf of customers and partners, Bell said.