[ISN] Aust computer crime impact down, says survey

InfoSec News isn at c4i.org
Tue May 24 04:55:28 EDT 2005


By Munir Kotadia
ZDNet Australia 
23 May 2005 

The impact of computer crime and security incidents on organisations
has decreased over the past year, but the fight against malware and
hackers is far from over, according to the Australian Computer Crime
and Security Survey 2005.

Only 35 percent of the 540 organisations which responded to the survey
this year said the confidentiality, integrity or availability of their
networks had been affected by an electronic attack, down from 49
percent of respondents in 2004 and 42 percent in 2003.

Kevin Zuccato, director of the Australian High Tech Crime Centre
(AHTCC ), told ZDNet Australia the survey -- released today --
revealed that although the overall number of attacks had risen,
companies had improved their network defences.

"The Internet is generally a more dangerous place to be, but people
that put the effort in and put defences in place have screened the bad
activity from impacting on their enterprises. These are incidents that
have got through and not necessarily representative of the incidents
that might be occurring outside. Big business are getting the message
-- they are harder targets than they were a year or two ago," said

Graham Ingram, general manager of AusCERT, said more organisations
seemed to be getting the basics right, but they still paid a high
price when their defences failed.

"Knowing there are easy things to do -- such as block a certain port
-- has helped. A lot of the high impact stuff has been filtered out.  
However if [the malware] gets in, it is pretty nasty because the
payloads are becoming more aggressive," said Ingram.

Neil Campbell, a former law enforcement officer who is now the
national security manager of IT services company Dimension Data, said
he was not surprised that companies were being affected less by
attacks, as they now had years of experience of being under fire.

"Between 2001 and 2003 was the period of the worm and virus -- we
really saw some massive infections and that had a huge impact. It
increased the level of awareness and preparedness," said Campbell, who
also praised Microsoft for strengthening Windows security: "There was
a massive effort by Microsoft in particular who increased the security
of its operating system. An increased focus on perimeter, desktop and
layered security has led to this improvement."

Infection by viruses, worms and Trojans was the most common form of
attack, reported by 64 percent of respondents. However, this figure
had fallen from 88 percent in 2004 and 80 percent in 2003.

Denial of service (DoS) attacks -- where an organisation's Web site or
server is inundated with requests to the point where it slows to a
crawl or is knocked offline -- were the most costly. Fourteen percent
of respondents reported experiencing such attacks which resulted in
financial losses, with those losses accounting for more than half (53
percent) of the total losses experienced by survey respondents. The
survey did note, however, that this figure was skewed by one
organisation which reported losses of AU$8 million as a result of DoS
attacks.

The AHTCC's Zuccato said botnets of compromised or zombie personal
computers were increasingly being used to extort money from online

"Botnets are being used to do distributed DoS attacks. Extortion is
one of the concerns that is no longer on the horizon -- it is with us
now. In the UK, extortion with threats to undertake DDoS attacks is
part of the course -- the online bookmakers are being hit," said

Only seven percent of survey respondents thought they were managing
their security issues 'reasonably well'. This has increased compared
to last year (five percent) but fallen from 11 percent in 2003 -- the
same year as the Blaster and Slammer attacks.

Dimension Data's Campbell said the phase of high profile malware
attacks was a 'call to action' and led to significant improvements in
overall security.

"IT security is no different to physical security in that over time,
in the absence of incidents, security tends to ease up or if it was
never there it does not tend to be put in place. In previous years
there have been some fantastic weapons developed by the bad guys and
now the good guys have developed some great countermeasures," said

Apart from improvements in technology, the 'call to action' has also
increased the number of companies adopting formal security standards.
According to the survey, 65 percent of organisations now follow or use
established standards such as AS 7799, Specification for Information
Security Management Systems, and ISO 17799:2001, Code of Practice for
Information Security Management. This compares with 58 percent last
year and 37 percent in 2003.

AusCERT's Ingram said adherence to security standards has had a
positive impact on the corporate world.

"It is hard to reliably talk about cause and effect, but there is a
positive indicator that with better adherence to computer security
policies, practices and technologies, you are going to make an impact
in reducing the level of exposure to incidences," said Ingram.

According to Dimension Data's Campbell, overall security has improved
but he expects malware writers and hackers to continue innovating and
finding new ways to compromise security.

"We have seen organisations spur themselves and move to improve
security but you have to accept that security in any domain is
generally an arms race. You certainly cannot say we have hit the worst
of it and now it will all improve from here," he added.
