Analysis: Symantec tars ISPs with bad security brush

The Australian communications industry is the least prepared business sector to bounce back from 'hacktivist' threats to its critical infrastructure, if security vendor Symantec's latest survey is to be believed.

By contrast, the energy sector is best prepared to rebuff such politically motivated attackers, the anti-virus and IT security company said.

The communications industry we cover at iTnews is serious about keeping its networks strong against threats such as distributed denial-of-service attacks.

For example, Bulletproof blocked offending IP addresses used in such an attack on broadband community website Whirlpool  "within 20 minutes".

Other recent examples point to attacks degrading performance on some links - but in most cases communications operators routed legitimate traffic on diverse routes while they blocked the source of the bad traffic.

Which left us puzzled. How did the "communications industry" fare so poorly in Symantec's report?

What is the communications industry?

Symantec commissioned Applied Research to call 1580 businesses (150 from Australia) in 15 countries.

The Symantec 2010 Critical Information Infrastructure Protection Survey [PDF] focused on six industry sectors. If researchers spoke to a similar number of businesses, that is 25 respondents a sector - communications industry included.

Symantec Australia could not break down for iTnews what constituted a member of the communications industry.

So we don't know if they were fixed-line telcos, backhaul infrastructure operators, mobile network virtual operators or wireless operators.

Symantec was also unable to tell iTnews how big the respondents were.

The results would be lopsided if, for example, Telstra, Optus and VHA weren't included from a mobile perspective. Or if AAPT/Powertel, Nextgen, PIPE Networks and Vocus Communications were excluded from a backhaul perspective.

The only breakdown of the communications industry, as defined by Symantec, that we could get was that it included "telcos, ISPs, radio and TV".

The inclusion of media companies in the mix is unconvincing. And the lack of transparency over which types or sizes of communications organisations make up the survey results mix is a concern.

It could be tier-one telcos just as easily as it could be under-resourced community radio stations and tier-three ISPs.

Is the energy sector that well prepared?

Keith Price, AISA

Australian Information Security Association national director Keith Price told iTnews he'd have expected banking and finance - not the energy industry - to be most prepared to repel an attack.

"I'm surprised by the order [of preparedness described in the Symantec report]," he said.

Price raised concerns about the relative difficulty of exploiting a communications network compared to sectors where Windows architectures are more prevalent.

"A lot of vulnerabilities are not as easily exploitable on a router or switch as they would be malware on a PC," he says.

"Even for bad guys, time is money. They're only going to spend so much time before they move on to an easier target."

Further questions of the energy sector's preparedness were raised in a report released last week by the Victorian Auditor-General - the same day that Symantec's survey was released.

The Auditor-General labelled the risk of unauthorised access to water and transport infrastructure control systems in the state of Victoria as "high".

The report found Victorian operators did not have "the physical and electronic controls to detect and prevent inappropriate access to their infrastructure control systems".

It also found operators "not fully aware of the weaknesses in, and risks to their infrastructure control systems, ...[and] not properly securing their infrastructure control systems".

"As a result, staff and external parties can inappropriately access and manipulate these systems," the report said.

Price said he was inclined to "believe the Auditor[-General] as opposed to Symantec".

"Because [the Symantec survey] is so broad and high-level and doesn't really get into details, I just have to take it as interesting reading," Price said.

Click through to the next page to find out what motivates hacktivists and cybercriminals.