Date: 24 May 2004
Further Information: Survey Results
An increase in attacks by electronic viruses and other computer crime cost the Australian private and public sectors an average of 20 per cent more than last year, according to a new security report to be released this month.
The 2004 Australian Computer Crime and Security Survey, which was launched at AusCERT2004, the Asia Pacific IT Security conference on 24 May, also reveals that more critical national information infrastructure (CNII) organisations reported experiencing harmful electronic attacks and that the cost of attacks for these organisations was higher than for non-CNII organisations.
The survey of over 17 private industry sectors and all tiers of government found that the average annual losses for electronic attack, computer crime or computer access misuse or abuse had increased to $116,212 per organisation compared to 2003.
AusCERT, Australia’s national computer emergency response team, based at The University of Queensland, Brisbane, produced the survey in conjunction with Australia’s law enforcement agencies — the Australian Federal Police, the Australian High Tech Crime Centre and Australia’s Police Forces from Queensland, New South Wales, Victoria, Tasmania, Northern Territory, South Australia, and Western Australia.
The survey results provide valuable information to help police across Australia fight computer crime.
Other key findings of the survey were:
- More organizations experienced electronic attacks that harmed the confidentiality, integrity or availability of network data or systems (49 percent in 2004 compared to 42 percent in 2003);
- Most of the attacks were sourced externally (88 percent) compared to internally (36 percent), but fewer organizations experienced external attacks compared to 2003 (91 percent);
- For the third consecutive year, infections from viruses, worms or trojans were the most common form of electronic attacks reported. They were the greatest cause of financial losses, accounting for 45 percent of the total losses for 2004, followed by laptop theft and abuse and misuse of computer network access or resources; and
- On average, losses reported by CNII organizations ($98,685) were almost double average losses for non-CNII organizations ($56,531).
While respondents to the survey said they had taken steps to improve their IT systems, fewer reported that they were managing all computer security issues reasonably well (five percent this year compared to 11 percent for both 2002 and 2003).
The survey reported that efforts by organisations to protect their IT systems did not appear to be keeping pace with the changing nature of threats and vulnerabilities, particularly the increased number and severity of system vulnerabilities and the number and rapid propagation of Internet worms and viruses.
Other security management findings were:
- The most common difficulties for organizations were changing user attitudes and behaviour (reported by 65 percent of respondents), and keeping up to date with information about the latest computer threats and vulnerabilities (61 percent);
- Unpatched or unprotected software vulnerabilities (reported by 60 percent of respondents) and inadequate staff training and education in security practices (49 percent) were the two most common factors contributing to harmful electronic attacks; and
- The need for greater understanding or support for IT security issues from senior management was important to 45 percent of respondents.
Graham Ingram, AusCERT general manager, believes the survey demonstrates both positive and negative trends. “Although organisations are spending more money on computer security, training their staff and putting in place appropriate security policies, practices and procedures, the nature of the threat environment and inherent vulnerability of many of the systems being used is that organisations appear to be experiencing greater losses and more harmful attacks.
“In many cases organisations recognise where they have gone wrong but improved security still appears to elude them. The problem of keeping up with the patch management regime is contributing to many of these attacks. Software developers must take greater care to ensure the software they release is more secure before it is released. Organisations simply cannot keep up with the rate at which vulnerabilities are now being discovered and disclosed and respond accordingly. It is unsustainable and placing organisations at greater risk,” he said.
“The survey shows that infections from viruses, worms and trojans are currently the most serious issue facing respondents – both in terms of the high number reporting financial loss and the high cost of these attacks. One disturbing aspect of this trend is the use of malicious code to surreptitiously steal e-commerce authentication information such as on-line banking passwords. AusCERT has seen the development and evolution of new trojans designed to specifically target e-commerce users for illicit financial gain.
“While there are technology solutions that can help protect customers, the pace at which fraudsters are developing this malicious code and distributing it using sophisticated spamming techniques, means that technology solutions will not always work all of the time. We are in effect in an ‘arms race’ to detect these new forms of attack and analyse how they work,” said Ingram.
“Police agencies will find the survey useful because it highlights vulnerabilities; goes some way of quantifying the victim base; and because it gives us an indication of what businesses think and how they respond to IT security incidents,” said Federal Agent Alastair MacGibbon, Director of the Australian High Tech Crime Centre. “If we can better understand those things, we can fashion a better law enforcement response,” he said.
Detective Inspector Bruce van der Graaf of the Computer Crime Team, New South Wales Police said, “This survey again shows that security is everyone’s issue. There is no excuse to be using computers with known vulnerabilities, even for home users. Law Enforcement has a significant deterrent role in protecting our National Infrastructure, and we encourage those involved to provide us with the information and support necessary to be an effective partnership.”
Queensland Police Service’s Detective Inspector Brian Hay of the Major Fraud Investigation Group said, “The Queensland Police Service is committed to the fight against computer crime and all associated activities that negatively impact upon community and corporate environments. The Survey emphasises the importance of industry and law enforcement entering into partnerships with a preparedness to transcend environmental and jurisdictional boundaries.”
John Schrader, head of the electronic crime section of South Australia Police said, “The survey findings provide a strategic focus in relation to current and emerging E-Crime trends and will assist in the maintenance of an effective state and national response to E-Crime.”
Detective Inspector Michael Grant, head of Tasmania Police Fraud Investigation Services commented on the volatile and transient nature of high tech crime. “Whilst we are basically dealing with traditional crime using new tools, we must respond to the fact that traditional crimes are also being committed by offenders using sophisticated information and communication technology,” the Detective Inspector said.
“Tasmania Police is continually enhancing its capacity to deal with this type of crime and we are mindful of the need for law enforcement to have accurate data with which to better understand the nature and extent of high tech crime. The 2004 Australian Computer Crime and Security Survey helps Australian law enforcement develop comprehensive and more sophisticated strategies for the prevention, investigation, detection and prosecution of this crime type,” said Detective Inspector Michael Grant.
Peter Wheeler, Detective Acting Inspector, Computer Crime Squad and Criminal Proceeds Squad, Victoria Police said the Australian Computer Crime and Security Survey engages the business community with law enforcement and fosters a cooperative partnership approach to emerging issues relating to computer crime and information technology security. “With greater understanding and cooperation, both sides can facilitate the development of initiatives to reduce the potential of businesses becoming victims, whilst at the same time enhancing the effectiveness of police investigations. Isolated efforts will only achieve minimal results,” he said.