One in three Australian companies last year suffered some form of computer abuse, one in five lost or had their data changed, and for almost one in 20 the attack cost them more than $100,000. A new survey by Deloitte Touche Tohmatsu and the Victorian Computer Crime Squad, released in February, found also that organised data attacks are on the rise, leaving little room for corporate complacency. Beverley Head examines Australian organisations' vulnerability to orchestrated attacks on their information systems.
Information privacy and information integrity are the twin pillars of a successful IT strategy. Without secure and accurate information, systems management may no longer be able to make the wisest business decisions, client confidence could be compromised, and supply chains may crumble. Once an organisation starts doing business over the Internet the security risks are much magnified. For three out of five Australian businesses their information systems are rated more vulnerable to attack now than they were a year ago. But the safeguards to protect corporations are not advancing at the same speed as are the risks, and security experts warn of some alarming vulnerabilities associated with Australia's information systems. Although 70 per cent of Australia's senior managers rate information security as important, or extremely important, almost a third of companies have no formal security policies, and a full 45 per cent of companies have no budget allowance whatsoever for information security. That was one of the stark findings in the 1998/99 Global Information Security Survey conducted by Ernst & Young.
Professor Jennifer Seberry from the University of Wollongong wasn't in the slightest bit surprised. "My gut feeling is that people have a great deal of trouble getting the message through to the top of their company," she warns.
Although chief information officers have a keen understanding of the issues, their superiors might not.
Yet those same superiors might set in place strategies to place much more of a business online to conduct electronic commerce with customers and suppliers.
Without a well thought through and tested information security policy, it's like walking the high wire without a safety net. "People are generally using the Internet and underestimating [what impact it could have on them]," Seberry says. Most at risk, she warns, are the small businesses of Australia. "I'm surprised at how little they [companies with up to around 50 employees] know and how ill-prepared they are." But it's not just small organisations at risk.
Ernst & Young found that 90 per cent of all organisations rated their security, related to the Internet, as "poor". Sixteen per cent reported a break-in, or a suspected Internet break-in, in spite of the overwhelming majority of companies having installed firewalls. Garry Dinnie, national director of Ernst & Young's information systems assurance and advisory services, says that the smart companies are the ones which explore security as a competitive differentiator.
"Security has been seen as an overhead; but now with e-commerce it could be seen as a means to differentiate a company from a competitor.""[Right now], I think there's a reasonable level of vulnerability", Dinnie says. In part, he believes, this is because only a very small number of Australian organisations have formally measured their exposure to attack or misdemeanour. In fact, only 17 per cent of the organisations Ernst & Young surveyed had assessed their technical vulnerability. "If asked, a lot of CIOs would say they have a reasonable level of security," Dinnie says. "In many cases that may be true; but they might not know it's true, because they haven't fully assessed it." And Dinnie warns that any organisation which has assessed the risks, and has a policy in place, cannot remain complacent. Security policy and training must be regularly reviewed. "It's no use having a policy to protect a closed network if you now have Internet access," Dinnie warns. One organisation keenly aware of the risks associated with unauthorised computer access over the Internet is the Queensland-based Auscert (the Australian Computer Emergency Response Team). The company bills itself as a "clearing house" for dealing with Internet security issues and incidents. It claims to "minimise the likelihood of successful attack, reduce the direct costs of security to organisations and minimise consequential damage in the event of a security breach". The company has 225 clients on its books, mostly in the banking and finance sector or from commonwealth and state governments.
Eric Halil, a senior security analyst with the company, says that one of the common threats Internet users are now experiencing is the so-called "denial of service". This occurs when a malicious individual overloads a network to the degree that legitimate users of the network can't get access. The victimised company finds employees can't work, suppliers can't supply, or customers can't buy. It's a recipe for business failure -- and pronto. As Rob McMillan, another of Auscert's senior security analysts, puts it: "If your business is dependent on the Web, then a week of downtime is catastrophic."While the denial of service attack might not actually involve a break-in to the computer, it does lead to a severe business problem. The problem can be compounded should the attacker then program his or her machine to masquerade as a company's authentication server. It's the technical equivalent of Ali Baba shouting: "Open sesame". The jewels in this case, though, are the corporate information banks. And there are plenty of would-be Ali Babas out there.
Auscert claims that in 1998 it dealt with about double the number of incidents that it dealt with in the previous 12 months, itself about twice the number in 1996. McMillan worked with Cert US in the US until April 1998 and says the annual doubling effect in Australia is in line with the US experience.
The calibre of the break-ins is also on the rise, as "there has been a dramatic increase in the level of expertise in the intruder community", he says. This is again an international phenomenon. McMillan claims that perpetrators are driven by a range of factors: from "straight out curiosity, right up to political and industrial espionage". The threat of outside attack remains one of the most potent images for CIOs. Ernst & Young's report found that hackers (53 per cent) and unauthorised users (49 per cent) outrank the threat which companies attribute to disgruntled employees (31 per cent). Hackers certainly get the worst press -- but even hackers can't be stereotyped. Auscert's Halil attended Defcom last year, the Las Vegas-based hackers' conference. Any notion that a hacker can be pigeonholed was swiftly dispelled. "They ranged from script kiddies who have no idea, to people with a firm foundation of the Internet and the operating system," Halil says. But even the novice hacker poses a real threat today, with one Web site alone providing 300 hacking 'tools' available for immediate download.
Even so, to date most financial damage from security abuse is not due to hack attacks, but is wreaked by unhappy employees -- ex or otherwise. GartnerGroup information security analyst William Malik says that "when it comes to information security, people are not only an enterprise's most important investment, but may also be its most dangerous liability". Malik has published a useful information security self-assessment "test", which goes some distance towards helping identify weak links in an organisation's security strategy. In essence it asks three questions: - Would the employee know if a computer activity was wrong? - Would the employee choose to report the misuse of the system? - Would the employee know how to report the incident? GartnerGroup argues that if the answer to each question is Yes, then the employees will ensure that the security regime the company deploys will work. If there is a No answer to any question, however, the employees would circumvent any security controls in place. Seberry concurs. "You can have wonderful security and firewalls, and then you get someone who wants to work from home, who hooks into the system -- and there's your open door. And it's often because people don't realise what they're doing, that they are making the system vulnerable."When it comes to pure access there are three obvious levels of control. There is "what you have" (for example, a magnetic stripe card or a smart card) coupled with "what you know" (such as a PIN number); and last, "who you are", which demands biometric techniques such as fingerprint scanning, signature verification, or voice recognition. For some applications all three in concert will be necessary to ensure the highest levels of access control. While access can be better controlled, simple old-fashioned theft also remains a nagging issue, especially when corporate data goes missing along with the machine. The NSW Bureau of Crime Statistics and Research estimates that $200 million worth of computers has gone missing over the last three years, with notebooks being a popular item. Not counted in the raw $200 million figure, however, is the expense of lost data. Good management practices such as regular backups help keep such losses in check, and encrypting data routinely is also a protection against the information ending up in the wrong hands.
Encryption also affords a level of information privacy to organisations' employees and clients, Seberry says. She believes that with better information system controls, there could be a substantial reduction in white-collar crime in general. "No one has addressed that enough," she says. "It's a question of money. When things are tough and getting leaner, security is the first thing to go out. It's like insurance: you can't see an immediate benefit." The flip side, though, is that when times improve, no one thinks to restore the spending, she warns, so a company which denudes itself of protection in lean times may remain vulnerable indefinitely. Peace of mind such as that from Auscert certainly has a price attached. A small company might expect to pay $950 a year for Auscert's services, while a large government department might face an annual bill closer to $6000. For that a company gets access to Auscert 24 hours-a-day, seven days-a-week as an emergency response team. It also gets advice and information about current security trends, which the organisation can use to augment its existing internal security code and tools.
Security Blanket
Ernst & Young's Dinnie recommends a series of steps which CIOs can and should take to ensure their information systems are as secure as possible. First, they should ensure that there is a formal security policy in place, and that there is training related to that policy directed at all levels in the organisation.
This, Dinnie claims, is particularly important in ensuring that top management support is garnered. Beyond that, there is the need for a comprehensive business continuity plan, and for that plan to be tested, so that in the event of a security breach, operations can continue in some form or another.
Important also is the CIO's responsibility to ensure that information security is properly funded, Dinnie says. However computer security in all its many guises -- as with most forms of security -- is only going to keep honest folk out. "People rely on hardware and software to save them. But to put in a firewall will not save you -- although it may deliver a false sense of security," Auscert's Eric Halil warns.
And in today's business world where companies butt right up against one another, connected via telecommunications, Halil says "there's no air gap between the businesses". Security professionals now maintain that a key part of the responsibility of running a sound information systems network is to have a strong security policy and a tested contingency plan -- which together may just leave a business enough air to survive.
Dead Cert
Robert Holman doesn't believe his company's information systems are under any threat from the competition. "The competition are no more a threat to our systems than we are to theirs -- and that is zero," says Holman, the group IT manager of construction giant Baulderstone Hornibrook. "If you want to know something, then you'd probably take them out for a beer." But while he doesn't believe the computer systems at Baulderstone Hornibrook are in any immediate danger from the beer-drinkers, the company takes information security seriously. Each year it brings in external security consultants to overhaul its computer security plan. And, once or twice a year, Holman hires a tiger team from outside the organisation, which attempts to hack into its systems -- the so-called "ethical attack" technique of ensuring computer security is sufficiently robust to withstand less ethical attacks. But if the competition isn't prowling around Baulderstone Hornibrook's systems, who might be? Just hackers "for the fun of it", Holman suggests. "I don't think we are vulnerable, but good security is one part of the [IT] jigsaw." And taking the right measures ensures that Holman has something concrete to point to when a board member asks him about the company's systems security. "We have always viewed security as fundamental to information technology," he says, adding that ever more advanced technology creates increasingly complex security problems.
Baulderstone Hornibrook already has Internet and intranet access, and is about to expand its use of the networks, bringing suppliers into an online ordering environment. But "it won't make us more vulnerable", Holman claims. "We'll just step up security in parallel with it." Besides having to keep its security strategy up to date and tested, the company is also mindful of keeping tabs on computer equipment and data which employees take on site. "Some of the key information held on laptops is encrypted," Holman says. The laptops' physical safety is another issue which has to be considered as part of the overall security strategy. "We've had a fair share of [building] sites broken into and the computers are nicked," Holman says, but he believes that in these cases it's the hardware rather than the encrypted information which is more highly prized. -- B HeadDamned If You Do; Damned If You Don'tWhen Australia signed the US-promoted Wassenaar Arrangement late last year, it ruffled feathers throughout the information security world. Originally intended to control the flow of military weapons, Wassenaar was extended to include software encryption tools -- effectively making illegal the export from the US of any encryption software with keys longer than 56 bits. Kimberley Heitman, chairman of Electronic Frontiers Australia, claims that this extends further the vulnerability to attack of Australian organisations' information systems.
Heitman, a Perth-based lawyer, claims that it is now possible to crack files encrypted using the DES algorithm in less than 100 hours. In fact, in January a US team cracked a DES-encrypted file which had a 56-bit key in less than 22 hours, reinforcing the point that current cryptography has significant limitations. Yet stronger cryptographic tools are ostensibly banned, following the signing of the Wassenaar agreement. "Obviously this encryption is not enough to stop thieves," Heitman warns.
Although Australia has yet to enact its own legislation which would ban so-called "strong crypto", Heitman claims that the signing of Wassenaar has placed Australian executives in an invidious position. Although Web sites exist from which Australians can download stronger encryption tools than those the US allows to be exported, in doing so someone would effectively break US law. Yet not to download stronger tools might expose a company to a charge of negligence. And for organisations which do business with the EU, where information privacy is high on the agenda, a perceived lack of information security might jeopardise the stream of European business.
As Heitman explains: "The CIO can download if he [or she] doesn't mind breaking US law. In fact, in order to discharge their corporate duty they may have to break the law." Heitman maintains that it has been well documented for at least five years that current generation encryption tools are insufficient to guarantee any serious level of protection. Should damage occur because of the use of such ineffective security tools, Heitman warns, "it would be quite straightforward to issue proceedings against a company for negligence".
Wollongong University Professor Jennifer Seberry has been working on the problem of encryption for some time. "We are at a point in the world where the current encryption is not good enough," she says. Last year Seberry and her team put in a paper to the US National Institute of Standards and Technology which is seeking an advanced encryption standard based on 128-bit keys. Export issues aside, the algorithm also had to be able to work successfully on a smart card, and swiftly enough to allow use over the Internet. "A final decision on which algorithm is chosen will be taken this April," Seberry says.
Whether Australian companies will ever benefit from this Australian research is yet to be seen. -- B Head
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.