Cybersecurity – keep your head

The Australian Attorney-General’s Department released the 2012 Cyber Crime and Security Survey on 18 February. Reading the press that accompanied it eg Cyber criminals struck one in five top Australian businesses, and similar surveys in past years, you might be forgiven for thinking that we are on the precipice of a cyber armageddon!

There is no denying that the threat, vulnerability and consequence of cyber attack to organisations is increasing steeply.
Luckily all is not lost, organisations can minimise their attack surface significantly. How, by taking a holistic approach to their information security which blends appropriate physical, personnel and IT security mitigations.  This, with a well thought out response and recovery plan can produce layered security and lead to a resilient organisation able to sail the ‘cyber seas’ with confidence.

In the IT space, doing the basics well can protect against all but the most sophisticated attacks
In the IT space, doing the basics well can protect against all but the most sophisticated attacks

The survey in question was conducted on behalf of the Australian Computer Emergency Response Team (CERT.au), part of the Attorney-General’s Department. CERT’s 450 client organisations were sent the survey and 255 responded. Whilst the survey numbers are small and therefore become statistically unreliable very quickly, the clients of CERT.au are vital to Australia.  Generally CERT.au client organisations are part of Australia’s critical infrastructure. They include utilities, telecommunications providers, financial institutions and also mining companies.

That said, there are some interesting figures.

  • 22% of respondents (around 55) said that they knew that they had had a cyber incident in the last 12 months. Of more concern were that 9% of respondents reported that they “didn’t know”.
  • 50% of respondents (ie 127) said considered that they had been subjected to targeted attacks.

The most common reported cyber incident was ‘loss of a notebook / mobile device’ ; followed by virus infection;  trojan/rootkit; unauthorised access; theft /breach of confidential information; and denial of service attack. This seems odd, I find it difficult to reconcile loss of a laptop with hackers sitting in bunkers outside Shanghai and target key espionage targets.  The concerning question is whether respondent companies are only seeing the easy to spot attacks ie missing laptop, computer not working because of virus etc and not the more sophisticated level, ie stealth attack that exfiltrates data to foreign lands.

The survey authors also reiterate an oft made point about the ‘trusted insider’ that

“Many companies spend the majority of their IT security budget on protection from external attacks. But the figures above serve as a reminder that internal controls and measures are also important, to ensure that internal risks are also managed”.
This is a relic of the perimeter approach to information security, the us and them approach. It doesn’t work anymore because the network has no discernible boundary in the modern interconnected organisation.

Delving further into the report it is interesting to look at contributing factors to attacks. The relevant table is replicated here. Almost all of the contributing factors can be wholly mitigated, with the possible exception of “attractiveness of your organisation to attack” and arguably “Sophisticated attacker skill which defeated counter-measures in place”.

Source www.cert.gov.au  – Cyber Crime and Security Survey Report 2012

In any case, we sometimes forget that the spectrum of resilience involves prevention preparation, response and recovery. Organisations need to be agile, they need to work hard to prevent and prepare for loss or compromise of sensitive information, but accept that it is not possible to repel every attack. For this reason, resources need to be allocated to response and recovery.

Another important point is about the vital role of computer emergency response teams (CERTs). CERTs, are like the white blood cells in our bodies, they share information which help their clients protect themselves.
The other way to think about it is that the bad guys take advantage of the information superhighway by sharing information at the speed of light about vulnerabilities in different systems and new attack techniques, so why shouldn’t the good guys? I’ve written about this previously.  The problem is always, that the bad guys have an advantage. As the IRA said after the Brighton bombings in 1984 which almost wiped out the then UK Prime Minister Margaret Thatcher….

“Today we were unlucky, but remember we only have to be lucky once”

So do the hackers.

Alex

Back To Top

Published by

Alex Weblng

BSc, BA (Hons), Gdip Comms, GdipEd, ZOP

Alex has 20 years of experience in the Australian Government working in the fields of national security, information and cyber-security, counter-terrorism, , nuclear science, chemical and biological security, protective security and critical infrastructure protection, identity security, biometrics, and resilience.

Alex was the foundation Director of the Australian Government computer emergency response team, GovCERT.au (later CERT Australia). He developed and project managed a world first program to train CERTs in developing APEC countries.

Alex set up the Trusted Information Sharing Network Resilience Community of Interest in 2008 and produced the first Australian Government Executive Guide to Resilience.

Head of Protective Security Policy in 2010, Alex was responsible for launching the revised Protective Security Policy Framework and the single information classification system for the Australian Government.

Alex has both significant experience and tertiary qualifications in the CBRN (Chemical, Biological, Radiological and Nuclear) area. He was head of the Chemical Security Branch of the Attorney-General’s Department; responsible for nuclear policy during the construction of the Australian OPAL reactor; and represented the Attorney-General’s Department in the Security Sensitive Biological Agents development process, bringing to it a pragmatic, risk driven approach.

As Director of Identity and Biometric Security Policy, Alex was responsible for developing the successful proposal to expand the Australian Document Verification Service into the private sector in 2012.

Alex has been a member of the Australasian Council of Security Professionals since 2011 and a registered security professional in the area of Security Enterprise Management with the Security Professionals Register of Australasia.