[ISN] Australia's top enterprises hit by laymen hackers in less than 24 hours

From: InfoSec News (alerts@private)
Date: Tue Oct 09 2007 - 22:06:04 PDT


http://www.computerworld.com.au/index.php/id;1057000875;fp;16;fpid;1

By Darren Pauli 
10/10/2007

A penetration test of 200 of Australia's largest enterprises has found 
severe network security flaws in 79 percent of those surveyed.

The tests, undertaken by University of Technology Sydney (UTS), saw 25 
non-IT students breach security infrastructure and gain root or 
administration level access within the networks of Australia's largest 
companies, using hacking tools freely available on the Internet.

The students - predominately law practitioners - were given 24 hours to 
breach security infrastructure on each site and were able to access 
customer financial details, including confidential insurance 
information, on multiple occasions.

High-level business executives from the companies surveyed, rather than 
IT staff, were informed of the tests so the "day-to-day network 
security" of businesses could be tested.

Faculty of Law lecturer and LogicaCMG chief security officer, Ajoy 
Ghosh, who commissioned the test said students were able to breach 24 
enterprises or 12 percent in less than an hour, in fact most systems 
were foiled in the first few minutes.

"More than half of those that passed the penetration test had freeware 
Intrusion Detection Systems (IDS), notably Snort; we only had two 
responses from security teams even though sites were down for more than 
an hour," Ghosh said.

"Organizations that couldn't be penetrated typically had Web servers 
were on hardened operating systems and many had done code reviews on Web 
pages and installed apps."

Ghosh pointed out that one in three intrusions occur on networks already 
protected by certified gateways, even those certified by government 
common criteria."

Most of the 21 percent of companies who passed the penetration tests 
owed their success to freeware Intrusion Detection Systems (IDSs), 
according to Ghosh.

"Over half of those that passed the test had freeware IDSs and already 
had or were implementing an Information Security Management System 
(ISMS)," he said.

"This proves that it's not costly to implement an IDS."

An equal distribution of Microsoft, Apache and Domino servers were used 
by the successful 21 percent.

High Tech Crime Centre federal agent Nigel Phair said it is "almost 
impossible" to collect accurate data on online security breaches because 
of the secrecy of the private sector.

"It is easier to sweep intrusions under the carpet and bring in a 
consultant to mop it up [than] to go to the Police," Phair said.

"People stand close to ATMs so they don't expose their passwords, but 
they do not apply real-world sensibilities in online environments.

"Users buy computers with antivirus as [OEM], but don't bother renewing 
updates and think they are still protected."

He said awareness of cybercrime has suffered from a lack of holistic 
security surveys, such as the recently-scrapped , which Phair said has 
"left a hole" in the industry.


__________________________________________________________________      
CSI 2007 is the only conference that delivers a business-focused
overview of enterprise security. It will convene 1,500+ delegates,
80 exhibitors and features 100+ sessions/seminars providing a
roadmap for integrating policies and procedures with new tools
and techniques.  Register now for savings on conference fees   
and/or free exhibits admission. - www.csiannual.com



This archive was generated by hypermail 2.1.3 : Tue Oct 09 2007 - 22:29:10 PDT