Analysis: Symantec tars ISPs with bad security brush

Powered by SC Magazine
 

Is the communications sector as unprepared for attack as antivirus vendor claims?

The Australian communications industry is the least prepared business sector to bounce back from 'hacktivist' threats to its critical infrastructure, if security vendor Symantec's latest survey is to be believed.

By contrast, the energy sector is best prepared to rebuff such politically motivated attackers, the anti-virus and IT security company said.

The communications industry we cover at iTnews is serious about keeping its networks strong against threats such as distributed denial-of-service attacks.

For example, Bulletproof blocked offending IP addresses used in such an attack on broadband community website Whirlpool  "within 20 minutes".

Other recent examples point to attacks degrading performance on some links - but in most cases communications operators routed legitimate traffic on diverse routes while they blocked the source of the bad traffic.

Which left us puzzled. How did the "communications industry" fare so poorly in Symantec's report?

What is the communications industry?

Symantec commissioned Applied Research to call 1580 businesses (150 from Australia) in 15 countries.

The Symantec 2010 Critical Information Infrastructure Protection Survey [PDF] focused on six industry sectors. If researchers spoke to a similar number of businesses, that is 25 respondents a sector - communications industry included.

Symantec Australia could not break down for iTnews what constituted a member of the communications industry.

So we don't know if they were fixed-line telcos, backhaul infrastructure operators, mobile network virtual operators or wireless operators.

Symantec was also unable to tell iTnews how big the respondents were.

The results would be lopsided if, for example, Telstra, Optus and VHA weren't included from a mobile perspective. Or if AAPT/Powertel, Nextgen, PIPE Networks and Vocus Communications were excluded from a backhaul perspective.

The only breakdown of the communications industry, as defined by Symantec, that we could get was that it included "telcos, ISPs, radio and TV".

The inclusion of media companies in the mix is unconvincing. And the lack of transparency over which types or sizes of communications organisations make up the survey results mix is a concern.

It could be tier-one telcos just as easily as it could be under-resourced community radio stations and tier-three ISPs.

Is the energy sector that well prepared?

Keith Price, AISA
Keith Price, AISA
It's difficult to draw a conclusion that the communications industry is the least prepared of six industry sectors to defend against an attack, as researchers claim.

Australian Information Security Association national director Keith Price told iTnews he'd have expected banking and finance - not the energy industry - to be most prepared to repel an attack.

"I'm surprised by the order [of preparedness described in the Symantec report]," he said.

Price raised concerns about the relative difficulty of exploiting a communications network compared to sectors where Windows architectures are more prevalent.

"A lot of vulnerabilities are not as easily exploitable on a router or switch as they would be malware on a PC," he says.

"Even for bad guys, time is money. They're only going to spend so much time before they move on to an easier target."

Further questions of the energy sector's preparedness were raised in a report released last week by the Victorian Auditor-General - the same day that Symantec's survey was released.

The Auditor-General labelled the risk of unauthorised access to water and transport infrastructure control systems in the state of Victoria as "high".

The report found Victorian operators did not have "the physical and electronic controls to detect and prevent inappropriate access to their infrastructure control systems".

It also found operators "not fully aware of the weaknesses in, and risks to their infrastructure control systems, ...[and] not properly securing their infrastructure control systems".

"As a result, staff and external parties can inappropriately access and manipulate these systems," the report said.

Price said he was inclined to "believe the Auditor[-General] as opposed to Symantec".

"Because [the Symantec survey] is so broad and high-level and doesn't really get into details, I just have to take it as interesting reading," Price said.

Click through to the next page to find out what motivates hacktivists and cybercriminals.

Attack vectors

Respondents tho the Symantec report were asked their readiness to withstand politically inspired attacks.

They were characterised as attempts to:

  • Steal electronic information
  • Alter or destroy information
  • Shut down or degrade computer networks, and
  • Manipulate physical equipment through the control network

The choices for respondents were extremely unprepared, somewhat unprepared, neutral, somewhat prepared or extremely prepared.

"[About] 44 to 56 percent [of Australian businesses] responded in the 'somewhat to extremely effective' category. Call it half," Symantec Pacific managing director Craig Scroggie told iTnews.

Wasn't that good news? More than half of Australian businesses felt prepared to some level to respond to an attack and equal or greater numbers were reported in the global survey numbers.

Another 15 percent in the global survey were neutral about their prospects.

Less than 15 percent of respondents in all but one category of attack felt they were "unprepared", according to global statistics.

Put another way, that's 85 percent of respondents choosing an option that did not categorise them as "unprepared".

click to view full size image
Symantec global CIP results (courtesy: Symantec)

Those working in high-level IT security for critical infrastructure networks would have played down their preparedness because otherwise it would make them a neon-lit target for hackers.

It's hard to boast that you can protect against threats when you don't know what they look like.

Symantec highlighted that only 27 percent to 33 percent of Australian businesses felt "extremely prepared" to defend against politically motivated attacks.

"There's still a lot of room to improve," Scroggie said.

"Many are saying that while they feel somewhat prepared, do they have the confidence to say they can manage the problem? No, [because] they just don't know what these attacks will bring.

"What we've seen recently [with Stuxnet] is that an attack can go undetected for a long time. The challenge for organisations is how much information has been infiltrated? How long have they [hackers] been on the inside of the network?

"How much information was extricated to a government or political group?"

AISA's Keith Price highlighted the same statistic but for a different reason.

"I would love to talk to a security professional that says I'm really confident that my network is rock solid," he said.

And he questioned whether politically-motivated attackers are as concerned about stealing or altering electronic information as the survey suggests.

"I doubt politically motivated people care as much about the information as they do in taking the site down," Price said.

"For example, when the Prime Minister's website was taken down [by Anonymous in protest against ISP filter plans], the attackers didn't want to steal anything - all they wanted to do is to embarrass [the Government] publicly.

"Stealing information doesn't make sense to me. My guess is criminals are the bigger threat and are probably going to get in [to information systems] first rather than a couple of political activists because they're really smart, well-funded and highly organised."

The global Symantec report found that 53 percent of critical infrastructure providers were attacked an average of 10 times in the past five years at an average cost to them of US$850,000 ($864,000).

Symantec was unable to produce Australian figures or tell iTnews where local businesses ranked.

In the absence of information, it's a matter of what can be read into the results?

Industry preparedness is hard to call. So is whether telcos and ISPs are as vulnerable to defend against politically motivated attacks as Symantec says.

What do you think? Would telcos and ISPs have problems thwarting large-scale attacks or is this simply scaremongering?

 

Copyright © iTnews.com.au . All rights reserved.


Analysis: Symantec tars ISPs with bad security brush
 
 
 
Top Stories
Frugality as a service: the Amazon story
Behind the scenes, Amazon Web Services is one lean machine.
 
Negotiating with the cloud email megavendors
[Blog post] Lessons from Woolworths’ mammoth migration.
 
Qld govt to move up to 149k staff onto Office 365
Australia's largest deployment, outside of the universities.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...

Latest VideosSee all videos »

The great data centre opportunity on Australia's doorstep
The great data centre opportunity on Australia's doorstep
Scott Noteboom, CEO of LitBit speaking at The Australian Data Centre Strategy Summit 2014 in the Gold Coast, Queensland, Australia. http://bit.ly/1qpxVfV Scott Noteboom is a data centre engineer who led builds for Apple and Yahoo in the earliest days of the cloud, and who now eyes Asia as the next big opportunity. Read more: http://www.itnews.com.au/News/372482,how-do-we-serve-three-billion-new-internet-users.aspx#ixzz2yNLmMG5C
Interview: Karl Maftoum, CIO, ACMA
Interview: Karl Maftoum, CIO, ACMA
To COTS or not to COTS? iTnews asks Karl Maftoum, CIO of the ACMA, at the CIO Strategy Summit.
Susan Sly: What is the Role of the CIO?
Susan Sly: What is the Role of the CIO?
AEMO chief information officer Susan Sly calls for more collaboration among Australia's technology leaders at the CIO Strategy Summit.
Meet the 2014 Finance CIO of the Year
Meet the 2014 Finance CIO of the Year
Credit Union Australia's David Gee awarded Finance CIO of the Year at the iTnews Benchmark Awards.
Meet the 2014 Retail CIO of the Year
Meet the 2014 Retail CIO of the Year
Damon Rees named Retail CIO of the Year at the iTnews Benchmark Awards for his work at Woolworths.
Robyn Elliott named the 2014 Utilities CIO of the Year
Robyn Elliott named the 2014 Utilities CIO of the Year
Acting Foxtel CIO David Marks accepts an iTnews Benchmark Award on behalf of Robyn Elliott.
Meet the 2014 Industrial CIO of the Year
Meet the 2014 Industrial CIO of the Year
Sanjay Mehta named Industrial CIO of the Year at the iTnews Benchmark Awards for his work at ConocoPhillips.
Meet the 2014 Healthcare CIO of the Year
Meet the 2014 Healthcare CIO of the Year
Greg Wells named Healthcare CIO of the Year at the iTnews Benchmark Awards for his work at NSW Health.
Meet the 2014 Education CIO of the Year
Meet the 2014 Education CIO of the Year
William Confalonieri named Healthcare CIO of the Year at the iTnews Benchmark Awards for his work at Deakin University.
Meet the 2014 Government CIO of the Year
Meet the 2014 Government CIO of the Year
David Johnson named Government CIO of the Year at the iTnews Benchmark Awards for his work at the Queensland Police Service.
Q and A: Coalition Broadband Policy
Q and A: Coalition Broadband Policy
Malcolm Turnbull and Tony Abbott discuss the Coalition's broadband policy with the press.
AFP scalps hacker 'leader' inside Australia's IT ranks.
AFP scalps hacker 'leader' inside Australia's IT ranks.
The Australian Federal Police have arrested a Sydney-based IT security professional for hacking a government website.
NBN Petition Delivered To Turnbull's Office
NBN Petition Delivered To Turnbull's Office
UTS CIO: IT teams of the future
UTS CIO: IT teams of the future
UTS CIO Chrissy Burns talks data.
New UTS Building: the IT within
New UTS Building: the IT within
The IT behind tomorrow's universities.
iTnews' NBN Panel
iTnews' NBN Panel
Is your enterprise NBN-ready?
Introducing iTnews Labs
Introducing iTnews Labs
See a timelapse of the iTnews labs being unboxed, set up and switched on! iTnews will produce independent testing of the latest enterprise software to hit the market after installing a purpose-built test lab in Sydney. Watch the installation of two DL380p servers, two HP StoreVirtual 4330 storage arrays and two HP ProCurve 2920 switches.
The True Cost of BYOD
The True Cost of BYOD
iTnews' Brett Winterford gives attendees of the first 'Touch Tomorrow' event in Brisbane a brief look at his research into enterprise mobility. What are the use cases and how can they be quantified? What price should you expect to pay for securing mobile access to corporate applications? What's coming around the corner?
Ghost clouds
Ghost clouds
ACMA chair Chris Chapman says there is uncertainty over whether certain classes of cloud service providers are caught by regulations.
Was the Snowden leak inevitable?
Was the Snowden leak inevitable?
Privacy experts David Vaile (UNSW Cyberspace Law and Policy Centre) and Craig Scroggie (CEO, NextDC) claim they were not surprised by the Snowden leaks about the NSA's PRISM program.
Latest Comments
Polls
Which bank is most likely to suffer an RBS-style meltdown?





   |   View results
ANZ
  21%
 
Bankwest
  9%
 
CommBank
  11%
 
National Australia Bank
  17%
 
Suncorp
  24%
 
Westpac
  19%
TOTAL VOTES: 1423

Vote