
Terror outrages drive infosec Down Under


Infosecurity Today, January/February 2006

Peter Ford put it neatly: “While the initial driver of CIP (Critical Infrastructure Protection) was counter-terrorism, Australian government at all levels is now committed to an ‘all-hazards’ approach.”

Ford, in his capacity as deputy secretary in the Australian Attorney-General’s Office, wrote this in a note to the OECD on Australia’s efforts to create a “culture of security”.

Protecting its citizens and national assets is a powerful motivator for the government, but it takes legislation to galvanize the private sector. The latest global survey on information security by audit firm Ernst & Young reveals that compliance with regulations has overtaken worms, viruses and other threats as the main reason for securing the organization’s info. Australia and New Zealand are no exceptions.

However, the common ground between the public and private sectors appears to be growing, at least in infosec. The Australian government’s stated priorities are national security, economic strength, and social stability. In pursuit of these goals it is now implementing the recommendations of a 2002 business-government task force on critical infrastructure.

The lead vehicle is the Critical Infrastructure Advisory Council (CIAC), which is chaired by the Attorney-General’s Department. The CIAC includes representatives from water services, communications, the food chain, banking and finance, energy and health, as well as state governments and federal agencies. They exchange information using the Trusted Information Sharing Network for CIP (TISN), launched in April 2003.

The TISN operates under strict Terms of Reference and a Deed of Confidentiality. A key component of the TISN is the A$8 million Computer Network Vulnerability Assessment programme. This aims to identify vulnerabilities in computer systems owned by firms that provide critical infrastructure. It also aims to identify interdependencies where their data networks interconnect, and to test their defences.

AusCERT reports

In addition, the Australian government signed an agreement with AusCERT, the local computer emergency response team, to set up and run a national IT security incident reporting and alert scheme from May 2003. The unit, based at the University of Queensland, produces an annual report detailing the number and quantity of infosec incidents in the past year.

AusCERT works closely with the Australian Hi-Tech Crime Centre, the federal police’s main offensive weapon against e-crimes and link with other agencies such as Interpol, the FBI, and the UK’s Hi-Tech Crime Unit.

The government has also passed legislation such as the Cybercrime Act 2001. This brought Australian legislation into line with the Council of Europe’s Cybercrime Convention and fixed some holes in the existing legislation. This Act deals mainly with offences such as hacking, virus propagation and denial of service attacks. However, the Security Legislation Amendment (Terrorism) Act 2002 deals specifically with cyber-terrorism acts that threaten, disrupt or destroy any electronic system, including information and telecommunications networks.

Given that evidence of a cybercrime can vanish instantly, in August 2003 the Attorney-General issued a guideline of best practices for collecting and preserving digital evidence that will stand up in court.

However, the latest AusCERT report suggests that although demand for more and better trained infosec staff is high, skills in digital forensics are a “nice to have” rather than essential. E&Y partner Bruce Young says half of Australian firms have no user training in security procedures, and fewer than one in three train staff in what to do in an attack.

9/11 and the Bali bombs almost a year later were a security wake-up call to many Western governments, perhaps none more so than Australia and New Zealand. These events now overshadow the development of infosecurity in civil society Down Under.

Ian Grant

[Photo: AusCERT’s Kathryn Kerr: companies shy of prosecuting]

Forensics gap

Kathryn Kerr, AusCERT’s analysis and assessments manager, points out that two of three respondents (mainly medium to large enterprises) have incident management procedures while only 13% have a forensic plan. “This suggests that they are more interested in planning to recover (from an attack), first and foremost, than to prosecute or investigate,” she says.

This will change if victims become more interested in going to court. According to AusCERT figures, more than 80% of attacks came from outside Australia, so it is hard to prosecute villains. But a steady 37% of responding organizations reported attacks by insiders, so there is some local motivation.

However, the pain level is moderate. Some two in three respondents reported a financial loss due to electronic attack and physical crime, and nearly one in three reported a loss due to criminal insider activity. The total reported loss was A$19 million (A$16 million in 2004), but denial of service attacks accounted for just over half that. One reported DDoS loss was for A$8 million, but the average was around A$70,000.

Indeed the measures already adopted appear to work. Only 35% of respondents reported attacks that harmed the confidentiality, integrity or availability of their network data or systems. This was down from 49% in 2004 and 42% in 2003. And only 10% of respondents who were hit believe illicit financial gain was the motive.

AusCERT’s Kerr says the level of attacks is probably as high as ever; just fewer are successful. “I would suggest the decline is more due to improvements in (respondents’) protective positions,” she says.

Two-thirds of companies now use infosec standards such as ISO/IEC 17799, up from 37% in 2003. Even so, only 7% of firms felt they are on top of the threats. Inadequate staff training in computer security management and poor organizational security culture are the main vulnerabilities, they said. And 61% added changing users’ attitudes is a “challenge”.

Organized crime

They may get some help from an unexpected source: organized crime. AusCERT says it has seen “a growing number of attacks” by crime gangs in the past two years. “We see both advanced and moderate skill levels being used, mistakes being made and corrected, and believe therefore there is a degree of organization behind the attacks,” says Kerr.

New Zealand's Digital Strategy: Security issues

| Action | Lead | Time | Budget (NZ$) |
|---|---|---|---|
| National Computer Security Education Campaign. Information for home users and small businesses on the basics of computer security. (With govt & business organizations.) | Internet Safety Group | 2005 | Public & private funding |
| Support for Internet Safety Group. ISG initiatives include: Hector's World, courses on cybersafety provided with technocatz and delivered countrywide, NetSafe website, training modules in schools, and toll-free national helpline (0580 NETSAFE) | Ministry of Education | Ongoing | 1 million |
| Anti-Spam Bill. Legislation to govern unsolicited communication. | Ministry of Economic Development | 2005 | N/A |
| Crimes Amendments Bill (No 2). To criminalise communications with a person under 16 for sexual offences. | Ministry of Justice | 2005 | N/A |
| E-Crime Strategy. E-Crimes includes new crimes such as cyber threats and hacking as well as drug trafficking, smuggling, money laundering, the distribution of covertly filmed images, and the use of the Internet for the sale of objectionable material | New Zealand Police | Under development | Baseline |
| Government Internet Gateway. The government is considering a network that will include a central Internet gateway for use by government agencies to improve security | State Services Commission | TBA | TBA |
| Environmental impact and Efficient Use of Resources. Initiatives to encourage the greater use of ICT to support the outcomes of the government's sustainable development strategies; and initiatives to reduce the environmental impact of ICT. (With NZTE, Dept of Labour, Min of Education, Energy Efficiency and Conservation Authority, and Local Government New Zealand.) | Ministry for the Environment | Ongoing | Baseline |

Source: The Digital Strategy - New Zealand Government. 2005

Security technologies used

| Technology (%) | 2005 | 2004 | 2003 |
|---|---|---|---|
| Anti-virus software | 99 | 100 | 98 |
| Digital IDs, certificates | 54 | 46 | 34 |
| Virtual Private Networks | 84 | 74 | |
| Encrypted log-in/sessions | 55 | 58 | 48 |
| Encrypted files | 48 | 47 | 39 |
| IDS | 59 | 53 | 45 |
| Firewalls | 98 | 95 | 95 |
| File integrity assessment tools | 24 | 25 | 18 |
| Biometrics | 4 | 5 | 5 |
| Smart cards, one-time tokens | 38 | 33 | 18 |
| Reusable passwords | 60 | 53 | 59 |
| Access control | 97 | 95 | 93 |
| Other | 8 | 5 | 3 |

Source: Australian Computer Crime and Security Survey 2005.


Most of these attacks are from abroad. The most common are online theft of identity data, rent or sale of botnets, and DDoS attacks. Phishing is rife, but ID theft Trojans accounted for a fifth of the 700 ID theft incidents that AusCERT tackled last year. This was up 1200% on the previous 13 months.

ID theft worries AusCERT most, mainly because it is directed at individuals, most of whom are naïve or lazy about infosec. “It has the potential to have the widest direct impact on organizations, whole industry sectors and potentially could affect confidence in the information economy if current trends continue,” it says.

Infosecurity measures in New Zealand largely parallel those in Australia. For example, the New Zealand government’s information security manual is an adaptation of Australia’s Electronic Security Instruction No 33, and documented standards for infosec management and risk management are held in common (AS/NZS 17799 and AS/NZS 4360 respectively).

New Zealand’s Digital Strategy

However, there are differences. New Zealand has adopted a NZ$400 million, five year plan called the Digital Strategy. This aims to return the country to the upper half of the OECD members for economic performance, and the top quarter for broadband uptake by 2010.

IT and Communications Minister David Cunliffe says the plan will deliver connection (instantaneous, affordable and ubiquitous), content (diverse, high quality and valuable to Kiwis), and confidence (to use it to enrich Kiwi lives).

The government published the Digital Strategy in May 2005. Two key targets were to kick off a national computer security campaign aimed at home users and small businesses and to pass anti-spam legislation in 2006. Cunliffe introduced an anti-spam bill in December 2005. The bill aims to restrict marketing emails to “opted-in” recipients. If passed, it provides for penalties of up to NZ$500,000 for organizations and NZ$200,000 for individuals.

Other recent legislative changes include an update to the Crimes Act 1961 to outlaw eavesdropping and hacking on all communications formats. But the Telecommunications Interception Capability Act 2004 requires network operators to ensure the government can intercept messages on their networks.

Despite the progress New Zealand’s telecommunications users’ association (TUANZ) is unhappy. It points out that 15 years after privatization, Telecom still dominates network markets. In a briefing note to Cunliffe last November, TUANZ chairman Graeme Osborne called for the government to explore splitting Telecom into wholesale and retail units, and to abandon the government-owned Kiwi share. This is, he said, an “anachronistic tool of the voice age that creates perverse outcomes”. These are chiefly that price increases are negotiated by government and Telecom behind closed doors for services that have become cheaper elsewhere, and slow roll-out of services and access.

Following a meeting with the minister, Osborne warned that TUANZ would “publicly denounce” such “back room” deals as it believes “they undermine the role of the Telecommunications Commissioner, the working of the Telecommunications Act and ultimately innovative competitors, and users suffer”.

Computer security policies and procedures used

| Policy (%) | 2005 | 2004 | 2003 |
|---|---|---|---|
| Decommissioning equipment procedures | 65 | 40 | 31 |
| System audit policy | 71 | 58 | 51 |
| Business continuity management | 73 | 58 | 52 |
| Cryptographic controls procedures | 25 | 16 | 11 |
| Clock synchronisation policy | 59 | 43 | 37 |
| Monitoring system access and use procedures | 72 | 68 | 66 |
| External network access control policies | 83 | 79 | 75 |
| User responsibilities policies | 82 | 78 | 75 |
| User access management | 97 | 94 | 95 |
| Management of removable computer media | 52 | 50 | 49 |
| Media backup procedures | 96 | 95 | 94 |
| Controls against malicious software | 75 | 72 | 62 |
| Segregation of duties policy | 61 | 41 | 45 |
| Forensic plan | 13 | 6 | 7 |
| Incident management procedures | 67 | 64 | 51 |
| Change control procedures | 82 | 75 | 66 |
| Documented standard operating procedures | 80 | 83 | 79 |
| Other | 4 | 1 | 4 |

Source: Australian Computer Crime and Security Survey 2005.

[Photo: New Zealand’s IT and Communications Minister, David Cunliffe]

Meanwhile, Spike Quinn of Otago Polytechnic surveyed New Zealand IT managers about infosec forensics. He reports that one in four organizations have no formal infosec policy. Of those that have one, only one-fifth require their staff to stay current with their contents.

Less than one-third have any forensic capability, and just 8% had an internal capability, he found. As a result, half of the 15 organizations who had gone to court had had their computer-based evidence prepared by untrained staff.

Quinn is currently finalising a survey of computer crime in New Zealand. He expects to report full results in February/March.

New Zealand’s Serious Fraud Office is well aware of the problems associated with collecting solid evidence of computer-based crimes and misdemeanours. “The Office must also maintain the ability to obtain evidence from computers in a way that allows that evidence to be used in Court,” it said in a ministerial briefing in November 2005.

Arguing for more relaxed laws to govern legal privilege it said “It is impossible to effectively search a computer without running the risk of seeing privileged material. Overseas, several jurisdictions have set aside legal professional privilege when dealing with the proceeds of crime.”

Whether the SFO gets its way remains to be seen. But given the intensity of attention on infosec issues by the antipodean governments, it seems this story will run and run.

About the author

Ian Grant is a freelance writer on business issues.


Suspected motives for attacks that harmed the confidentiality, integrity or availability of network data or systems in the past 12 months

| Motive (%) | 2005 | 2004 | 2003 |
|---|---|---|---|
| Indiscriminate i.e. attack found and exploited a vulnerability randomly | 35 | 42 | 51 |
| To use system resources to conduct further attacks anonymously | 25 | 35 | 26 |
| To show off attacker skills | 30 | 37 | 40 |
| Unsolicited malicious damage | 51 | 52 | 34 |
| Personal grievance | 12 | 9 | 14 |
| Foreign government political advantage | 0 | 0 | 0 |
| Other political interests (hacktivism) | 3 | 3 | 9 |
| Competitor commercial advantage e.g. industrial espionage/sabotage | 4 | 1 | 4 |
| To use system resources for personal use | 19 | 30 | 41 |
| Illicit financial gain | 10 | 8 | 18 |
| Unknown | 29 | 16 | 18 |

Source: Australian Computer Crime and Security Survey 2005.