Analysis: Symantec tars ISPs with bad security brush

The Australian communications industry is the least prepared business sector to bounce back from 'hacktivist' threats to its critical infrastructure, if security vendor Symantec's latest survey is to be believed.

By contrast, the energy sector is best prepared to rebuff such politically motivated attackers, the anti-virus and IT security company said.

The communications industry we cover at iTnews is serious about keeping its networks strong against threats such as distributed denial-of-service attacks.

For example, Bulletproof blocked offending IP addresses used in such an attack on broadband community website Whirlpool  "within 20 minutes".

Other recent examples point to attacks degrading performance on some links - but in most cases communications operators routed legitimate traffic on diverse routes while they blocked the source of the bad traffic.

Which left us puzzled. How did the "communications industry" fare so poorly in Symantec's report?

What is the communications industry?

Symantec commissioned Applied Research to call 1580 businesses (150 from Australia) in 15 countries.

The Symantec 2010 Critical Information Infrastructure Protection Survey [PDF] focused on six industry sectors. If researchers spoke to a similar number of businesses, that is 25 respondents a sector - communications industry included.

Symantec Australia could not break down for iTnews what constituted a member of the communications industry.

So we don't know if they were fixed-line telcos, backhaul infrastructure operators, mobile network virtual operators or wireless operators.

Symantec was also unable to tell iTnews how big the respondents were.

The results would be lopsided if, for example, Telstra, Optus and VHA weren't included from a mobile perspective. Or if AAPT/Powertel, Nextgen, PIPE Networks and Vocus Communications were excluded from a backhaul perspective.

The only breakdown of the communications industry, as defined by Symantec, that we could get was that it included "telcos, ISPs, radio and TV".

The inclusion of media companies in the mix is unconvincing. And the lack of transparency over which types or sizes of communications organisations make up the survey results mix is a concern.

It could be tier-one telcos just as easily as it could be under-resourced community radio stations and tier-three ISPs.

Is the energy sector that well prepared?

Keith Price, AISA

Australian Information Security Association national director Keith Price told iTnews he'd have expected banking and finance - not the energy industry - to be most prepared to repel an attack.

"I'm surprised by the order [of preparedness described in the Symantec report]," he said.

Price raised concerns about the relative difficulty of exploiting a communications network compared to sectors where Windows architectures are more prevalent.

"A lot of vulnerabilities are not as easily exploitable on a router or switch as they would be malware on a PC," he says.

"Even for bad guys, time is money. They're only going to spend so much time before they move on to an easier target."

Further questions of the energy sector's preparedness were raised in a report released last week by the Victorian Auditor-General - the same day that Symantec's survey was released.

The Auditor-General labelled the risk of unauthorised access to water and transport infrastructure control systems in the state of Victoria as "high".

The report found Victorian operators did not have "the physical and electronic controls to detect and prevent inappropriate access to their infrastructure control systems".

It also found operators "not fully aware of the weaknesses in, and risks to their infrastructure control systems, ...[and] not properly securing their infrastructure control systems".

"As a result, staff and external parties can inappropriately access and manipulate these systems," the report said.

Price said he was inclined to "believe the Auditor[-General] as opposed to Symantec".

"Because [the Symantec survey] is so broad and high-level and doesn't really get into details, I just have to take it as interesting reading," Price said.

Click through to the next page to find out what motivates hacktivists and cybercriminals.

Attack vectors

Respondents tho the Symantec report were asked their readiness to withstand politically inspired attacks.

They were characterised as attempts to:

• Steal electronic information
• Alter or destroy information
• Shut down or degrade computer networks, and
• Manipulate physical equipment through the control network

The choices for respondents were extremely unprepared, somewhat unprepared, neutral, somewhat prepared or extremely prepared.

"[About] 44 to 56 percent [of Australian businesses] responded in the 'somewhat to extremely effective' category. Call it half," Symantec Pacific managing director Craig Scroggie told iTnews.

Wasn't that good news? More than half of Australian businesses felt prepared to some level to respond to an attack and equal or greater numbers were reported in the global survey numbers.

Another 15 percent in the global survey were neutral about their prospects.

Less than 15 percent of respondents in all but one category of attack felt they were "unprepared", according to global statistics.

Put another way, that's 85 percent of respondents choosing an option that did not categorise them as "unprepared".

Symantec global CIP results (courtesy: Symantec)

Those working in high-level IT security for critical infrastructure networks would have played down their preparedness because otherwise it would make them a neon-lit target for hackers.

It's hard to boast that you can protect against threats when you don't know what they look like.

Symantec highlighted that only 27 percent to 33 percent of Australian businesses felt "extremely prepared" to defend against politically motivated attacks.

"There's still a lot of room to improve," Scroggie said.

"Many are saying that while they feel somewhat prepared, do they have the confidence to say they can manage the problem? No, [because] they just don't know what these attacks will bring.

"What we've seen recently [with Stuxnet] is that an attack can go undetected for a long time. The challenge for organisations is how much information has been infiltrated? How long have they [hackers] been on the inside of the network?

"How much information was extricated to a government or political group?"

AISA's Keith Price highlighted the same statistic but for a different reason.

"I would love to talk to a security professional that says I'm really confident that my network is rock solid," he said.

And he questioned whether politically-motivated attackers are as concerned about stealing or altering electronic information as the survey suggests.

"I doubt politically motivated people care as much about the information as they do in taking the site down," Price said.

"For example, when the Prime Minister's website was taken down [by Anonymous in protest against ISP filter plans], the attackers didn't want to steal anything - all they wanted to do is to embarrass [the Government] publicly.

"Stealing information doesn't make sense to me. My guess is criminals are the bigger threat and are probably going to get in [to information systems] first rather than a couple of political activists because they're really smart, well-funded and highly organised."

The global Symantec report found that 53 percent of critical infrastructure providers were attacked an average of 10 times in the past five years at an average cost to them of US$850,000 ($864,000).

Symantec was unable to produce Australian figures or tell iTnews where local businesses ranked.

In the absence of information, it's a matter of what can be read into the results?

Industry preparedness is hard to call. So is whether telcos and ISPs are as vulnerable to defend against politically motivated attacks as Symantec says.

What do you think? Would telcos and ISPs have problems thwarting large-scale attacks or is this simply scaremongering?