The issue of security has gained widespread attention in recent years, but despite the warnings, Australian organisations are still failing to adequately secure their mission critical systems from the risk of external attack.
According to the country’s leading information security specialist, recent trends in software development are increasing businesses’ exposure to having their valuable data hacked and stolen, or to losing control of their servers.
Professor Bill Caelli is concerned that many organisations believe their Web- and PC-based transactional systems to be secure, when nothing could be further from the truth.
“I attended a demonstration at the 12th New Zealand Security Summit conference last month where a system penetration specialist revealed five different ways to take control of a supposedly secure web server system.
The whole thing took less than 20 minutes. The audience was gob-smacked at how easy it was to penetrate, and even take control of, commonly used web servers that they had believed to be completely secure,” he said.
“This is a frighteningly unsafe development. We’re asking people to conduct vital transactions and access important functions through commodity level web browsers, operating on commodity level PCs, which have proven to be insecure and offer no real information assurance controls at all.”
Professor Caelli is an Emeritus Professor of the Queensland University of Technology (QUT) and co-leads the cyber law and policy research group in QUT’s Information Security Institute. He also chairs the Federal Government’s “Futures” Expert Advisory Group (EAG) within the Critical Infrastructure Advisory Council, sits on the “IT Security” EAG and serves on the advisory board to the Australian Information Security Advisory Program. He is a Senior Consultant in Information Assurance with International Information Security Consultants Pty Ltd (IISEC).
A regular speaker at information security events and meetings around the world, Professor Caelli remembers how cost constraints and a desire for a simpler development experience led to some vendors abandoning early security standards back in the 1980s.
“Some of the early technology was very well thought through from a security perspective. For example, Digital Equipment Corporation’s VAX machine that became popular in the late 1970s and early 1980s ran the VMS operating system of which there was a secure version. Secure VMS brought mandatory access control concepts into real business, enabling companies to enforce corporate policy and business rules,” he said.
However, at the same time, PC manufacturers were taking a more discretionary approach to security. In 1983, the US Government published the Orange Book, which discussed the importance of trusted systems and sought to encourage manufacturers to take steps to increase the security of their commercial systems. Unfortunately, it came out just as the PC revolution started to gather momentum.
“Even though Intel’s original 286 chip incorporated extensive security capabilities, these functions were essentially turned off. People wanted quick ways to develop software and saw the complexity of security as an inconvenience and deterrent.
“Secure systems are more expensive to develop, so security is often sacrificed in the name of economic rationalism,” he said.
Caelli is encouraged by recent changes in the United States, where legislators are becoming more concerned about IT-related issues.
“There’s always been a distinct reluctance by the US administration to regulate the IT industry in any way, which I suspect is primarily because neither the legislators nor the public servants on whom they depend know anything about computers.
“But we’re starting to think that the tide is turning with Congress moving towards democratic controls.”
He also cited recent comments by former White House anti-terrorist advisor, Richard Clarke, who claimed that the US had developed a national IT infrastructure with no attention to security issues.
“The fact that he would come out and say that worries the living hell out of me,” he admitted.
He believes legislation is needed to enforce a more security-conscious approach, proposing a model similar to the Motor Vehicle Standards Act 1988. This law recognises that governments have a role in protecting society and makes it a requirement for manufacturers to comply with mandatory standards, although it allows the industry itself to determine the details.
The Australian Computer Society also advocates professionalism as an ideal form of risk mitigation as well as being fundamental to a systemic increase in trustworthy people, processes and systems, as distinct from merely trusted people, processes and systems.
Philip Argy, Management Committee President at the Australian Computer Society
Australia failing on e-security
By Staff Writers on Jul 12, 2007 1:42PM