Cyber security the facts

Transcription

1 Cyber security the facts By Dr Carolyn Patteson, Executive Manager, CERT Australia The cyber threat is real and ever present and every business is at risk. Australia s security and intelligence agencies have stated publicly that we are experiencing increasingly sophisticated attacks on networks and systems in both government and business. The cyber threat comes from a range of sources, including individuals, issue-motivated groups, organised criminal syndicates, and the intelligence services of some foreign governments. The motives for cyber incidents include corporate attack, illicit financial gain, political and protest issues, personal grievance (a disgruntled employee or customer), and issue motivated hactivists. A cyber attack can be very disruptive, having a huge financial impact on a business and also harming its professional reputation. As the national computer emergency response team, CERT Australia in the Australian Attorney-General s Department, is the single point of contact for cyber security issues affecting major Australian businesses. In 2012, there were close to 7,300 incidents reported to CERT Australia. By mid-august this year, around 8,500 incidents had already been reported. Many of these are categorised as less severe, such as scans of firewalls or websites. However, at the higher end, there are both broad-based and targeted attacks. For example, there have been an increasing number of businesses under pressure from distributed denial-of-service (DDoS) attacks, where the instigator demands payment to stop the attack or cease fire. This method of extortion is not new but it is becoming more frequent. This is due to the ease with which people can access attack tools and services from online criminal groups. It is also due to the growing reliance of companies on their customer facing web services, now an essential part of business.

2 Another common method of attack is to target senior executives, often through their direct support staff. This generally involves a well-crafted message one that is topical without any tell-tale mistakes. It is the links and attached files in the s that are the first point of entry into a target network. This is particularly effective in businesses where cyber vigilance is not part of the culture and where busy executives and their assistants are barraged by a large number of s every day. These businesses are targeted for their intellectual property or financial information. They may also be targeted as a way to compromise a third party, who has a trust relationship with the business and is the ultimate target. By using this form of attack, the perpetrator leverages the relationship between businesses, as an embedded with malware is less likely to be treated as suspicious from a trusted party. Trends in cyber security One of the challenges that CERT Australia faces is gaining a better understanding of the impact of malicious online activity and how well businesses are placed to respond. While there are an increasing number of cyber crime and security incidents, the true extent of these threats is difficult to determine. To help understand what is happening on this front, the inaugural CERT Australia Cyber Crime and Security Survey was conducted in The survey report provides a picture of the cyber security measures businesses had in place, the recent cyber incidents they had experienced, and their reporting of them. The findings indicated a shift in cyber attacks away from being indiscriminate and random to more coordinated and targeted, often for financial gain. They also revealed the theft of mobile devices to be a major concern, with many organisations lacking security policies and plans for protecting these physical assets. As the cyber picture is constantly changing, CERT Australia is conducting annual national surveys to look for trends over time. The 2013 Cyber Crime and Security Survey has recently been conducted. It aims to build on the baseline findings from 2012, and seek a more comprehensive understanding of how cyber incidents are affecting the businesses that partner with CERT Australia. 2 P a g e

3 The findings from the 2013 survey will be released later this year. Importantly, they will provide a better picture and understanding of the impact of cyber incidents, which will assist CERT Australia in providing the best possible cyber security support and advice to Australian businesses. Cyber security mitigations So what are the top cyber security mitigations? Firstly, businesses need to be prepared before an incident occurs. It is important for each business to know how its network is organised, the value of its information, and how it is protected. Cyber security needs to be part of risk management and resilience structures and planning, and staff need to be trained to use good cyber security practices as part of their daily work. As general guidance, CERT Australia recommends: using strong passwords or passphrases patching applications and operating systems, and limiting the number of users with administrative privileges. More specifically, CERT Australia publishes information on prevention and detection techniques. Routinely, the information it provides businesses is sensitive in nature and not available via public sources. Where appropriate, CERT Australia also works with businesses to make sure the duration and severity of an attack is reduced, and that businesses adopt measures to reduce the risk of an attack recurring. That is why CERT Australia encourages major Australian businesses to partner with it before an incident occurs. Prevention is much better than cure when critical business systems are at stake. By having this relationship in place, information can be shared efficiently and effectively to help with prevention, and if necessary, mitigation. Businesses are also encouraged to report cyber security incidents to CERT Australia. This information helps protect the affected business, and provide a better understanding of the broader threat environment. All information provided to CERT Australia is held in the strictest confidence. 3 P a g e

4 Cyber security partnerships Effective cyber security also requires a partnership approach. No single organisation can tackle this threat alone. By working together, business and government will be better positioned for prevention and response. CERT Australia works closely and shares information with its national and international colleagues. This means it is very well connected and informed, making it best placed to help Australian businesses manage cyber threats. At the national level, CERT Australia works in the Cyber Security Operations Centre, sharing information and working closely with the Australian Security Intelligence Organisation (ASIO), the Australian Federal Police (AFP) and the Australian Signals Directorate (ASD). CERT Australia also has a direct working relationship with government and business computer emergency response teams around the world, through the Forum for Incident Response and Security Teams (FIRST). In addition, CERT Australia has a direct operational relationship with regional countries through the Asia Pacific computer emergency response team (APCERT), which comprises 30 teams across 20 economies. CERT Australia was also honoured to host the 10 th Annual APCERT Conference in March As the following case study shows, national and international teamwork is essential to providing businesses with timely information on emerging threats, and advice on mitigation. Case study Distributed denial-of-service (DDoS) attacks are one of the most serious threats to businesses with an online presence. Historically, these attacks had non-financial motivations, aiming to bring attention to certain events or protest specific issues. The more recent trend is for DDoS to be used for extortion. CERT Australia received reports from a range of Australian financial companies that were being targeted by extortion-based DDoS attacks. They had been called and threatened with an attack against their website, unless they made a payment. This type of attack can cause serious problems. It can not only disrupt the company s online activities via its website, it can also stop clients from doing business with them online. 4 P a g e

5 The attackers chose their targets carefully. They combed victim websites for pages that would generate the most processing in order to increase the likelihood of successfully taking down the site. Some websites were brought down by the attack others had the infrastructure to withstand it. CERT Australia located the target list for the attacks and contacted the listed businesses. As the attacks were of a criminal nature, CERT Australia also provided all relevant information to the AFP s High Tech Crime Operations for investigation. The sites which had the ability to mitigate the attack were not targeted for long. As the attacks were financially motivated, the attacker was quick to move on to other potential victims. However, if the business communicated with the attacker, the site appeared on the target list for longer periods of time. CERT Australia was able to identify the international source of the attacks from a sample of the DDoS traffic provided by one of the businesses. CERT Australia then notified its international counterpart, asking for assistance in having the control hub taken down. The international CERT responded quickly and the host was shut down. However, as is normally the case with such incidents, the control hub then moved to another internet address and recommenced attacks. CERT Australia again contacted overseas counterparts to issue further take down requests. CERT Australia also continued to follow up with affected businesses, providing options and advice on mitigation techniques for possible future attacks. The businesses that were most effective in mitigating the attacks had well-established and tested response procedures in place for dealing with DDoS. CERT Australia CERT Australia is a trusted source of information and advice on cyber security issues. It is not a regulator, its services are free and it does not compete with commercial services in the market. To report a cyber security incident please call the CERT Australia hotline For more information on CERT Australia and the Cyber Crime and Security Survey Reports please refer to info@cert.gov.au or phone Hotline info@cert.gov.au 5 P a g e