news A major new study of the IT security habits and experiences of Australian organisations conducted by government group CERT Australia has found the majority did not suffer an IT security incident over the past 12 months, and those that did mainly suffered minor breaches such as the theft of a laptop of smartphone.
The results of the survey were released last week by Attorney-General Mark Dreyfus in a report published by Australia’s national computer emergency response team, CERT Australia, in coalition with the Centre for Internet Safety at the University of Canberra. In compiling the report (available in full online in PDF format), the University put some 24 questions, both closed and open-ended, to some 450 Australian businesses. 255 responded.
The report states that when asked if their organisation had experienced an IT security incident in the preceding 12 months, 69 percent of organisations responded that they had not, and a further 9 percent responded that they did not know. Only 22 percent of respondents reported that they had suffered an IT security breach.
Of those organisations which had suffered a breach over the past 12 months, the majority — 65 percent — reported that they had experiences between one and five incidents, with smaller percentages reporting that they had experienced more than that — 21 percent reported more than 10, and 9 percent reported between 6 and 10.
Of those organisations which had suffered a breach over the past 12 months, the most prevalent form of incident (32 percent) was the theft of a notebook, tablet or other mobile device. Similar numbers (28 percent) had suffered a fairly routine virus or worm infection. More serious intrusions, consisting of trojan or rootkit malware (21 percent) and unauthorised access (18 percent) were experienced on a lesser basis, while the theft or breach of confidential information was at 17 percent.
It did not appear in most cases that the organisations were aware of precisely why their organisations specifically had been targeted, with the highest suspected motive for the attachs being “non-targeted, unsolicited malicious damage” (17 percent), followed by indiscriminate attack (16 percent). Some organisations did suspect that the attacks were more precisely targeted, with 15 percent noting that they believed the motives for being attacked being illicit financial gain, 9 percent believing the motives to be ‘hacktivism’, 9 percent using the system for further attacks, and even 5 percent believing the attacks to be incoming from a foreign government.
The report gave three examples of IT security breaches which had taken place over the past several years. Of the three, two appeared to be fairly generic attacks which didn’t appear to target certain organisations as in cyber-espionage cases, while one appeared to be an inside job by a government contractor.
In the first example, CERT Australia noted it had received a series of calls from more than 25 organisations which had been targeted by so-called ‘ransomware’, where attackers broke in to an organisation, encrypted key files and/or locked the organisation out of some of their IT systems. They would then request the attacker pay a fine. These kinds of attacks are commonly perpetuated on small businesses, rather than large businesses.
“In the majority of cases, the attackers used Microsoft Remote Desktop Protocol as an entry point to the target network,” the report noted. “This was possibly using authentication credentials obtained by key loggers, or accessing systems with weak credentials.” The severity of the damage done in these cases varied, with the worst case seeing an organisation losing 15 years’ worth of “critical business data”.
In the second example, a number of Australian financial companies had been threatened with distributed denial of service attacks. “They had been called and threatened with an attack against their website, unless they made a payment,” the report stated. However, it appears that the organisations concerned were usually able to mitigate the attacks. DDOS attacks against major organisations are usually mitigated by making changes to the organisation’s external-facing network routing devices.
In the third example, two contractors to an un-named Western Australian government department had created “malicious software” and “subsequent commands” to hack network security controls at the department in an attempt to crack a file and reveal the user names and passwords of departmental staff. Both received prison time after an investigation by the Australian Federal Police, but it is not clear whether they did any actual damage to the department concerned.
It is not surprising that the pair were able to break into the government agency named; as they already had some degree of inside access. In addition, Western Australian government agencies are known to have poor IT security in general. In June 2011, for example, Western Australia’s auditor-general handed down a landmark report which detailed the fact that none of a wide range of government departments and agencies in the state were then able to prevent basic cyber-attacks against their IT infrastructure — or even detect that they had taken place.
The CERT Australia report also found that the majority of businesses which responded did have normal IT security policies in place to block potential IT security breaches, although more advanced IT security and forensic processes might be absent. The report stated:
“More than 90% of respondents reported using antivirus software, spam filters, and firewalls. More than 80% also reported using access control and virtual private networks (VPNs). IT security technology such as firewalls and spam filters are not always effective in preventing or detecting sophisticated attacks, so security techniques are increasingly incorporating the use of intrusion detection systems (IDS). Almost 60% of respondents reported using a type of IDS.”
“… basic security policies are being applied by the majority of surveyed organisations. For example, 84% deploy user access management, 79% perform media backup, 75% use documented standard operating procedures, and 73% have external network access control … Overall, 64% of respondents reported their organisation did apply IT security standards or guidelines.”
In a statement associated with the release of the report, new Attorney-General Mark Dreyfus claimed that it showed that cyber-attacks had “shifted from being indiscriminate and random to being more coordinated and targeted for financial gain”, despite the fact that the survey showed most respondents to the survey believed that the motivation for attacks to be indiscriminate, rather than targeted at a specific organisation. Dreyfus also de-emphasised the theft of mobile devices in his release, despite the fact that the report showed it was the most common IT security breach amongst respondents.
“The digital economy has opened up myriad opportunities for Australian businesses to deliver goods, provide services and communicate with people more effectively. But with every online opportunity comes the risk of criminal exploitation,” said Dreyfus. “CERT Australia, established by the Gillard Government, is working with closely with Australian businesses to create higher security standards, warning systems and a secure information sharing system to defend key organisations from cybercrime attacks. I encourage business to proactively take advantage of CERT Australia’s expertise – prevention is much better than cure.”
The situation we have here is simply fascinating.
CERT Australia’s report does not name by name any Australian organisation which has had its IT security breached over the past 12 months. Where it does give examples of organisations which have been breached, those examples are usually of fairly run of the mill broad-spectrum attacks which didn’t do much damage, rather than highly intelligent attacks aimed at specific infrastructure and which succeeded in doing major damage.
This is a report which finds that most Australian organisations have not been targeted by IT security attacks over the past 12 months. It also finds that where they have been attacked, the most common attacks have been theft of a laptop or smartphone (should that even be classed as an IT security breach?) or basic worm, virus or trojan attacks which have been widespread since the 1990’s.
Yet the language used in the report and by the Federal Government in announcing its findings seems precisely the opposite to what CERT Australia’s findings actually stated. Both the report itself, if you set aside the raw statistics, and the statements of Attorney-General Mark Dreyfus on the report, have been filled with alarmist language about the need for Australian organisations to place a higher emphasis on IT security.
I don’t disagree that they should: In fact, I certainly agree that any major Australian organisation must place a very high priority on IT security preventative measures, and even small businesses should have some basic IT security procedures in place.
However, that effort should be carried out in context, and with insight into the threat being faced. The simple fact, as this report demonstrates, is that most Australian organisations will not be targeted with IT security attacks over the next 12 months, and those that are attacked will usually be done so through broad-spectrum, mass blast style attacks using common viruses or trojans, for petty reasons. Plus, a lot of laptops and smartphones will be stolen — which should hardly come as a surprise to anyone.
Over the past few weeks, since I published several articles noting that I did not subscribe to the cyber-security fear factor being created by the Federal Government associated with the setup of the new and much-hyped Australian Cyber Security Centre (which, by the way, is almost exactly the same as the old one at the Defence Signals Directorate), I’ve received quite a few emails from concerned IT security workers worried that I’m understating the case about IT security issues in Australia.
Well, here’s the evidence that I’m not. Yes, it’s true that there are huge IT security issues in a small number of organisations which are being precisely targeted through intelligent attacks trying to steal corporate or government information; and yes, sometimes competitive or foreign interests are involved. But this CERT survey clearly shows that such attacks are far from being the norm; in fact, they are the extreme outlier case. The vast majority of Australian organisations are not currently being targeted by intelligent cyber-attacks at all.