Once the National Broadband Network (NBN) rolls out, taking down companies that have yet to invest in network security and that publish network services to the internet will become much easier, according to a security expert.
iWebGate managing director, Tim Gooch, told attendees at CeBIT this week that many financial planning and accountancy firms were not taking security seriously.
He explained that the company, which specialises in network security, had recently tested the defences of an accounting firm and reached its internal server within less than seven seconds.
"One may argue that the way we look at it is that if you are one of many firms that don't take network security seriously, then this is a serious problem," Gooch said.
"If we chose to, it would take us about four months to plan a sophisticated attack such as spear phishing.
"We know about 60 per cent of financial planning firms publish their network services to the internet so that would be our target market."
According to Gooch, such an attack could be executed in about 12 hours and cause "significant damage".
Turning to the NBN rollout, which, Senator Stephen Conroy announced on Monday, had received additional funding, Gooch warned that hackers knew of the network's greater capability for delivering attacks and that the government had not addressed the security of nodes or endpoints.
"If more and more organisations join the NBN, our attack vectors move from 60 per cent of institutions to 90 per cent of companies," he said.
"Instead of taking 12 hours to run an attack vector, we could run it in under 20 minutes."
Gooch also said that companies needed to protect core principles such as assets.
"If we come to the nuts and bolts of a firewall, there is no network separation so the private network is in direct contact with other networks," he said.
"Firewalls are not secure because they allow data to travel in and out."
One system that could help with the separation of networks was a program similar to the US Department of Homeland Security's Control Systems Security Program.
According to its website, the CSSP coordinates activities to reduce the likelihood of success and severity of impact of a cyber attack against critical infrastructure control systems through risk mitigation activities.
Putting in place breach notification disclosure laws similar to those in the US and Germany could also help change companies' attitudes towards network security, Gooch said.
"They [disclosure laws] are within the public’s best interests because it is not in their interests to have their credit card information taken," he said.
"If a network is breached in the US or Germany, you must notify your customers.
"When we look at the NBN, it’s a wonderful opportunity but to get this right, we must have some core security principles and regulations in place."
Got a security tip-off? Contact Hamish Barwick at hamish_barwick at idg.com.au