Australian information systems hold substantial data that is of interest to a broad range of cyber actors. These actors may seek illicit access to information for financial reward or strategic advantage, may intend harm to an organisation, individual or country, or may aim to embarrass whoever is responsible for keeping important information safe.
One of the major strengths of the Internet is that it facilitates access to information from anywhere at any time. But this is also an inherent weakness. Insecure storage and use of access credentials can increase the vulnerability of networks to remote access attacks. And broader confidence and trust in remote access can be undermined by high-profile compromises of certificate authorities and security providers.
The cyber environment permits the rapid transfer of tools and techniques among different actors. While one tool or capability might initially be developed by a State or other sophisticated group, once it has been used in the general environment, it can be exploited by others – including through the use of sophisticated zero-day exploits.
But while zero-day vulnerabilities are exploited in some specific attacks (Stuxnet and Duqu are examples), the majority of attacks take advantage of well-known and previously patched vulnerabilities. Microsoft reports that less than 1 per cent of all attacks observed from January to June 2011 took advantage of zero-day vulnerabilities. Many cyber attacks come straight through the ‘front door’, via well-crafted emails containing a malicious attachment or link to a malicious file.
The proliferation of mobile devices and applications poses additional challenges. The rush to connect new devices and use new applications must be matched by appropriate security measures to minimise threats from additional exposure of an organisation’s systems and data.
For example, the iPhone application for remote access to a control system human machine interface (HMI) allows remote access changes to be made to control systems. While the process for developing secure software is undoubtedly improving, it is far from mature. Organisations need to be aware of potential new vulnerabilities when deploying such technology, rather than simply deploying an “app” because it is available.
Frequently, cyber attackers target trusted websites to increase the impact of their work. By compromising reputable sites with malicious content, such as malware, attackers can also affect the computers of those who visit these sites (including gaining access or control).
Recent examples include drive-by downloads on the Herald Sun website and SBS Tour de France results pages. This method of attack circumvents the standard security practice of “only visit trusted sites/links” and can undermine broader confidence in the security of the Internet.
More harm than good?
Breaches of cyber security can result in the exploitation and destruction of data and the disruption of business operations. The consequences of such compromises vary depending upon the nature of the intrusion and the role of the target business. Some security incidents may be catastrophic, as was the case for DigiNotar and Distribute.IT.
In other cases they may result in significant financial and opportunity cost, for example when two US Department of Energy (DOE)-related research laboratories were targeted in July 2011. The response to these intrusions included severing all DOE Internet connectivity for two weeks. A report released by DOE in October 2011 estimated that the cost of the intrusions exceeded USD 2 million.
Other potential consequences of cyber incidents include loss of identity or financial information, trade secrets or business process knowledge, or the exposure of bargaining positions to competitors. Where cyber security incidents involve the compromise of systems used to control physical processes, there is also the potential for these events to have kinetic consequences.
A cyber security partnership
The range and pervasive nature of cyber threats means that no single organisation can adequately recognise and counter them. Effective cyber security requires cooperation and collaboration between business and government.
By working together, Australian businesses and government can increase their respective and combined understanding and awareness of cyber security threats, better positioning both for prevention and incident response. As the national computer emergency response team, CERT Australia, within the Attorney-General’s Department, sits at the centre of government engagement with business on cyber security.
The Australian Government’s Cyber Security Strategy defines the most critical Australian businesses as Systems of National Interest; those which, if rendered unavailable or otherwise compromised, could cause significant harm to Australia’s economic prosperity, international competitiveness, public safety, social wellbeing or national defence and security.
CERT Australia’s engagement with business centres on those organisations that provide such services, and provides access to information not otherwise available, to support effective risk management.
CERT Australia also provides access to specific security training, such as the Idaho National Laboratories’ training in recognising and responding to cyber attacks on Supervisory Control and Data Acquisition (SCADA) systems. Where appropriate, CERT Australia can provide direct technical assistance in response to a cyber intrusion.
CERT Australia encourages all Australian businesses to use the list of the Top 35 strategies for mitigating targeted cyber intrusions released by the Australian Defence Signals Directorate. The top four recommendations are assessed to have mitigated over 80 per cent of intrusions responded to by DSD.
In the event of a cyber security incident, Australian businesses can contact CERT Australia on its hotline (1300 172 499) or by email at firstname.lastname@example.org.