The Australian Attorney-General’s Department released the 2012 Cyber Crime and Security Survey on 18 February. Reading the press that accompanied it (e.g. “Cyber criminals struck one in five top Australian businesses”), and similar surveys in past years, you might be forgiven for thinking that we are on the precipice of a cyber armageddon!
There is no denying that the threat, vulnerability and consequence of cyber attack to organisations are increasing steeply.
Luckily, all is not lost: organisations can minimise their attack surface significantly. How? By taking a holistic approach to their information security that blends appropriate physical, personnel and IT security mitigations. This, together with a well-thought-out response and recovery plan, can produce layered security and lead to a resilient organisation able to sail the ‘cyber seas’ with confidence.
The survey in question was conducted on behalf of the Australian Computer Emergency Response Team (CERT.au), part of the Attorney-General’s Department. CERT’s 450 client organisations were sent the survey and 255 responded. Whilst the survey numbers are small and therefore become statistically unreliable very quickly, the clients of CERT.au are vital to Australia. Generally CERT.au client organisations are part of Australia’s critical infrastructure. They include utilities, telecommunications providers, financial institutions and also mining companies.
That said, there are some interesting figures.
- 22% of respondents (around 55) said that they knew that they had had a cyber incident in the last 12 months. Of more concern was that 9% of respondents reported that they “didn’t know”.
- 50% of respondents (i.e. 127) considered that they had been subjected to targeted attacks.
The most commonly reported cyber incident was ‘loss of a notebook / mobile device’; followed by virus infection; trojan/rootkit; unauthorised access; theft/breach of confidential information; and denial of service attack. This seems odd; I find it difficult to reconcile loss of a laptop with hackers sitting in bunkers outside Shanghai and targeting key espionage targets. The concerning question is whether respondent companies are only seeing the easy-to-spot attacks, i.e. missing laptop, computer not working because of a virus etc., and not the more sophisticated level, i.e. a stealth attack that exfiltrates data to foreign lands.
The survey authors also reiterate an oft-made point about the ‘trusted insider’:
“Many companies spend the majority of their IT security budget on protection from external attacks. But the figures above serve as a reminder that internal controls and measures are also important, to ensure that internal risks are also managed”.
This is a relic of the perimeter approach to information security, the ‘us and them’ approach. It doesn’t work anymore because the network has no discernible boundary in the modern interconnected organisation.
Delving further into the report it is interesting to look at contributing factors to attacks. The relevant table is replicated here. Almost all of the contributing factors can be wholly mitigated, with the possible exception of “attractiveness of your organisation to attack” and arguably “Sophisticated attacker skill which defeated counter-measures in place”.
Source: www.cert.gov.au – Cyber Crime and Security Survey Report 2012
In any case, we sometimes forget that the spectrum of resilience involves prevention, preparation, response and recovery. Organisations need to be agile; they need to work hard to prevent and prepare for loss or compromise of sensitive information, but accept that it is not possible to repel every attack. For this reason, resources need to be allocated to response and recovery.
Another important point is about the vital role of computer emergency response teams (CERTs). CERTs are like the white blood cells in our bodies: they share information which helps their clients protect themselves.
The other way to think about it is that the bad guys take advantage of the information superhighway by sharing information at the speed of light about vulnerabilities in different systems and new attack techniques, so why shouldn’t the good guys? I’ve written about this previously. The problem is always that the bad guys have an advantage. As the IRA said after the Brighton bombings in 1984, which almost wiped out the then UK Prime Minister Margaret Thatcher…
So do the hackers.