[2600-AU] 2002 Australian Computer Crime and Security Survey
Grant Bayley
gbayley@ausmac.net
Mon, 20 May 2002 21:05:41 +1000 (EST)
> http://www.deloitte.com.au/downloads/computercrime_may02.pdf
>
> Key Findings
> Based on survey responses from a wide cross section
> of Australian organisations in respect of the past 12
> months, our key findings are as follows :
> • Consistent with global trends, the volume of
> computer crime and security incidents in Australia
> is growing rapidly. 67% of respondents suffered a
> computer security incident in 2002, twice the level
> of 1999 (and higher than the USA), and 35% of
> these experienced six or more incidents.
Organisations that were surveyed were not asked to rate the severity of
the incidents / attacks, so this figure is largely useless. For example,
compare a random intrusion attempt by a computer compromised by Code Red
or Nimda with a targeted intrusion attempt by an experienced human
attacker. For an organisation with little or no added-on security, a
Code Red / Nimda attack may be a serious problem and would be rated as
such. For someone with a greater level of security and/or someone who
monitors trends in the area of computer security, it would likely be
rated as little more than an annoyance.
Were companies asked to rate themselves on their specific qualification to
rate incidents / attacks?
With these things in mind, the informational value of a figure that is
"growing rapidly" is probably "declining rapidly".
Just to give an example of where lack of experience can cause problems - I
had a report come through from Comindico the other day regarding "several
packets" that a user had reported to abuse@comindico. The report was
partially written by his firewall software and partially written by
himself. What his firewall saw were three inbound TCP packets with the
SYN flag set. The destination ports were high. Two were the same. No
source port information was provided. The guy was even nice enough to
put "PS: Do this again and I'll fuck your computer" at the bottom. So I
looked back through my logs, and sure enough I found a couple of
downloads from this guy about the time he logged the three packets he
thought were suspect. Turned out he was using active FTP (ftp server
connects to client-specified high port after PORT command and RETR or
LIST) and his firewall was blocking the connection attempts as he tried
to download things. His client software eventually reverted to passive
FTP (ftp server opens a high numbered port and client connects to it
after PASV then RETR or LIST). So he was accessing my server in a
perfectly legitimate way, lack of understanding of firewall output and
overactive imagination meant he thought I was doing something nasty to
him. Smart software. Dumb user.
Something that's funny to note here: "for the purposes of answering this
question, respondents were advised that a computer security incident was
an attack against a computer or network either real or perceived."
The whole real VS perceived thing kind of undermines the statistic...
> • For the first time in Australia, the growing threat
> of external attack has now surpassed the threat of
> internal attack. 89% of Australian organisations
> suffering a computer security incident were
> attacked externally, while less than 65% were
> attacked internally.
Again, what sort of attacks are responsible for this apparently
significant shift in the source of attacks? Real ones? Or perceived
ones?
> • Although Australian organisations have invested
> heavily in security technologies, a significant level
> of computer crime and abuse continues to occur.
Clichéd response:
Security technology is nothing without experienced people to use and
monitor it.
> • 98% of respondents experienced some form of
> broader computer crime or abuse. The areas of
> greatest financial impact were laptop theft, data or
> network sabotage, virus and trojan infection, and
> computer fraud.
Excluding laptop theft from the figure, I wonder how much
employee incompetence, employee error and failure to adhere to policy is
being ascribed to crime or intentional misuse?
For example, things like opening virus- and trojan-infected emails,
causing network downtime by unplugging the wrong things, accidentally
deleting entire pieces of work or databases are all the things that could
and would be ascribed to stupid users or stupid mistakes.
Again, it appears the informational value of this result is dependent on
the experience of the respondent in differentiating between errors and
intentional criminal activity, something they probably don't have a great
deal of experience with. The managers obviously have experience in
putting dollar values on screw-ups, regardless of what caused them.
Interesting to see that "wiretapping" and "Telecom eavesdropping" make an
appearance here as causes for financial loss.
> • Other frequently experienced incidents of
> computer crime or abuse which proved more
> difficult to quantify included denial of service
> attacks, and excessive network resource
> consumption through external scanning.
No statistics on how much more denial of service there
was this year as compared to 1999?
This statistic is pretty subjectively tied to how experienced the
respondents are in recognising such problems.
Also interesting to note is how "external scanning" went from being
annoying to being criminal. As has been discussed before, in the Senate
Legal and Constitutional Committee hearings for the Commonwealth
Cybercrime Bill, the following was entered:
2.72 The Attorney-General's Department advised that:
Port scanning does not constitute access to data and most certainly does
not constitute access to restricted data and is therefore unaffected by
the proposed offences.
Spamming would only be caught by the proposed offences if the purpose of
the spamming were to bring a system down.
(http://www.aph.gov.au/senate/committee/legcon_ctte/cybercrimebill01/cybercrime_bill01.pdf, Page 34)
> • The number of organisations reporting security
> incidents to law enforcement authorities has more
> than doubled to 31%, but most attacks are still
> going unreported to law enforcement. Pessimism
> regarding the apprehension of attackers is the
> primary inhibitor to greater reporting.
It's probably worth noting that "doubled to 31%" is a pretty unscientific
figure to make a note of in a key finding.
As the survey itself notes, respondents in the 1999 survey which it's
being compared to were allowed to select one or more responses to this
question and were also offered three other options - "patched holes",
"ignored" or "other".
> • Australian organisations are four times more likely
> to respond to security incidents with criminal
> action rather than civil lawsuits, the reverse of the
> trend in the USA.
...
> • 43% of Australian organisations are willing to
> knowingly hire ex-hackers, three times more than
> in the USA.
There's a quote next to the graph in the survey that says "As a
hacker you can always change your career and start working for 'the good
guys'". Was this quote from a respondent?
> • 60% of respondents recognised changing user
> attitudes as the most significant barrier to
> improved security. Other significant barriers
> included managing software upgrades and bug
> patches in a complex IT infrastructure, and
> keeping up to date with fast changing security
> threats.
> • 70% of Australian organisations have increased
> their expenditure on information security over the
> past 12 months in response to security concerns or
> incidents.
Sadly, given the results of the survey, it doesn't look like it's helped
very much.
Grant
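The active/passive FTP mix-up Grant describes is a textbook personal-firewall false positive: the client's own PORT command invites the server to connect back to a high port, and the firewall then logs that connection as an unsolicited inbound SYN. The Python script below is an added example, not code from the post or from the survey, showing how such inbound SYNs can be correlated with the PORT commands the same host sent on the FTP control channel (using the h1,h2,h3,h4,p1,p2 encoding that RFC 959 specifies for PORT and for the 227 PASV reply), so that expected active-mode data connections are separated from genuinely unexplained attempts. The firewall and control-channel line formats, addresses, ports and timestamps are all constructed for the example; the 60-second correlation window is an assumed tuning value.

```python
"""Separate expected active-FTP data connections from unexplained inbound SYNs.

Added example, not code from the original post. The log line formats,
addresses and timestamps below are constructed for illustration.
"""
from __future__ import annotations
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed: what the client's FTP software exchanged on the control channel.
FTP_CONTROL_LOG = [
    "2002-05-18T10:00:00 192.0.2.10 -> 198.51.100.5:21 C: USER anonymous",
    "2002-05-18T10:00:01 192.0.2.10 -> 198.51.100.5:21 C: PORT 192,0,2,10,16,40",
    "2002-05-18T10:00:01 192.0.2.10 -> 198.51.100.5:21 C: RETR file.zip",
    "2002-05-18T10:00:40 192.0.2.10 -> 198.51.100.5:21 C: PASV",
    "2002-05-18T10:00:40 192.0.2.10 -> 198.51.100.5:21 S: 227 Entering Passive Mode (198,51,100,5,19,137)",
]

# Constructed: what the client's personal firewall logged over the same period.
FIREWALL_LOG = [
    "2002-05-18T10:00:02 DROP TCP SYN 198.51.100.5:20 -> 192.0.2.10:4136",
    "2002-05-18T10:00:05 DROP TCP SYN 198.51.100.5:20 -> 192.0.2.10:4136",
    "2002-05-18T10:00:09 DROP TCP SYN 198.51.100.5:20 -> 192.0.2.10:4136",
    "2002-05-18T10:03:00 DROP TCP SYN 203.0.113.7:54321 -> 192.0.2.10:4137",
]

PORT_RE = re.compile(r"^(\S+) (\S+) -> (\S+):21 C: PORT ([\d,]+)$")
PASV_RE = re.compile(r"^(\S+) (\S+) -> (\S+):21 S: 227 .*?\(([\d,]+)\)")
SYN_RE = re.compile(r"^(\S+) DROP TCP SYN (\S+):(\d+) -> (\S+):(\d+)$")


@dataclass
class PortCmd:
    when: datetime
    client: str      # host that issued PORT and will receive the data connection
    server: str      # FTP server that is expected to connect back
    data_ip: str     # address announced in the PORT argument
    data_port: int   # port announced in the PORT argument


@dataclass
class InboundSyn:
    when: datetime
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    verdict: str = "unexplained"


def hostport_from_ftp(fields: str) -> tuple[str, int]:
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT and the 227 reply (RFC 959)."""
    parts = [int(x) for x in fields.split(",")]
    if len(parts) != 6 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"bad host/port fields: {fields!r}")
    return ".".join(str(p) for p in parts[:4]), parts[4] * 256 + parts[5]


def parse_port_commands(lines: list[str]) -> list[PortCmd]:
    cmds = []
    for line in lines:
        m = PORT_RE.match(line)
        if m:
            ip, port = hostport_from_ftp(m.group(4))
            cmds.append(PortCmd(datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), ip, port))
    return cmds


def parse_pasv_replies(lines: list[str]) -> list[tuple[datetime, str, int]]:
    """PASV data connections are outbound from the client, so they never appear
    as inbound SYNs; parsed here only to show the same encoding in the 227 reply."""
    out = []
    for line in lines:
        m = PASV_RE.match(line)
        if m:
            ip, port = hostport_from_ftp(m.group(4))
            out.append((datetime.fromisoformat(m.group(1)), ip, port))
    return out


def parse_firewall_log(lines: list[str]) -> list[InboundSyn]:
    syns = []
    for line in lines:
        m = SYN_RE.match(line)
        if m:
            syns.append(InboundSyn(datetime.fromisoformat(m.group(1)), m.group(2),
                                   int(m.group(3)), m.group(4), int(m.group(5))))
    return syns


def classify(syns: list[InboundSyn], port_cmds: list[PortCmd],
             window: timedelta = timedelta(seconds=60)) -> list[InboundSyn]:
    """Mark an inbound SYN as expected when, shortly before it, the destination host
    itself told that same server (via PORT) to connect to that port. The server's
    source port is deliberately not checked: not every server uses port 20, and the
    complaint in the post did not record source ports at all."""
    for syn in syns:
        for cmd in port_cmds:
            if (cmd.client == syn.dst_ip and cmd.data_ip == syn.dst_ip
                    and cmd.data_port == syn.dst_port and cmd.server == syn.src_ip
                    and timedelta(0) <= syn.when - cmd.when <= window):
                syn.verdict = "active-ftp data"
                break
    return syns


def classify_firewall_log(fw_lines: list[str], ftp_lines: list[str]) -> list[InboundSyn]:
    return classify(parse_firewall_log(fw_lines), parse_port_commands(ftp_lines))


def summarize(syns: list[InboundSyn]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for s in syns:
        counts[s.verdict] = counts.get(s.verdict, 0) + 1
    return counts


if __name__ == "__main__":
    results = classify_firewall_log(FIREWALL_LOG, FTP_CONTROL_LOG)
    for s in results:
        print(f"{s.when.isoformat()} {s.src_ip}:{s.src_port} -> {s.dst_ip}:{s.dst_port}  {s.verdict}")
    print(summarize(results))
```

Run as-is, the three SYNs from the FTP server to port 4136 (the initial attempt plus two retransmissions of the blocked connection) are tied back to the PORT command and reported as expected active-FTP data traffic, while the later SYN to port 4137 from an unrelated address remains unexplained. The same correlation is what an analyst does by hand when reading a firewall log next to an FTP client's debug output; automating it is the difference between an abuse report and a shrug.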