As e-business takes off around the world, anxiety about information security is spreading almost as fast as the computer viruses that keep invading our increasingly indispensable information systems. That anxiety was rightly fuelled by February's massive cyber attack that brought leading Web sites like eBay, Yahoo, CNN, Amazon.com and Buy.com to their knees and the resulting wave of denial-of-service attacks (DoS) against Australian Web sites. Downright paranoia set in early last month when the "Love Letter" Internet worm crawled out of Asia and spread around the world like wildfire. The Love Bug infected tens of millions of computers worldwide and inflicted global damages in excess of $US10 billion. Currently, a spate of Love Bug variants continue to wreak havoc almost daily.
Yet it seems too little of that concern is being translated into effective and positive action. The most serious and audacious wave of denial-of-service (DoS) attacks ever seen prompted a chorus of calls for Australian IT managers to rise above complacency.
Eric Halil for one, a senior security analyst with the Australian Computer Emergency Response Team (AusCert), condemned the security measures taken by many Australian organisations, describing them as "pretty average".
After all, Halil confirmed, the frenzy of cracking was hardly unexpected. The US Computer Emergency Response Team (CERT) had issued warnings months before about the ready availability of new tools capable of creating DoS attacks. It seems far too many organisations either remained oblivious to those warnings or chose to ignore them.
No Business Is an Island
Information security is fast hitting the top of the agenda for IT departments throughout the world. Issues to be grappled with range from e-commerce through remote access to corporate resources to links to trading partners and the continued integrity of information assets. But as the checklist of threats and vulnerabilities grows, many organisations struggling to cope with the myriad preventative measures demanded to achieve high levels of security are finding it's an issue that's just too big to tackle alone. Nor do companies serve themselves or the broader business or consumer community well by insisting on acting like islands of security.
Organisations that fall victim to a security attack are naturally reluctant to expose themselves to the bad publicity they fear would follow if they made it publicly known that their IS security measures had failed. Many companies, too, seeing IT as one major component of their competitive edge and fearing knowledge is the hacker's best weapon, are loath to give away any details of the security systems they do have in place. That fear encourages some companies to take every possible measure to conceal their problems - an attitude that must do more harm than good in the broader scheme of things.
The spate of DoS attacks should have served to provide at least one potent message to IS professionals everywhere - when it comes to e-business security, all the world's organisations need to increase their levels of cooperation, or perish. That's because organisations like CERT, set up to facilitate communication between affected parties, perform a vital role that can only be serviced when as many organisations as possible share their security problems with the rest of the IT world. They also do a pretty good job of protecting organisational privacy and confidentiality.
Each local arm of CERT is there to provide suggestions based on hard experience and to disseminate information to other parties who may be at risk. Organisations that won't share not only cut themselves off from an excellent source of help and advice, they deny others around the world a chance to act and react to the latest security threats.
Sites not registered with their local CERT may be missing out on important security-related information. With links to trusted counterparts around the world, each CERT works to provide up-to-the-minute information on vulnerabilities and potential attack methods. When asked, they can also complement the work of in-house security groups by providing a central repository of information, a source of expertise, and a channel of communication on security matters. The latter looks increasingly attractive as more and more organisations accept the need to get external help in order to achieve any true measure of their security risks.
External consultants can play a valuable role in helping to identify information assets and likely security threats and in assessing these threats on the basis of probability and risk. They can help determine the level of security and privacy required for individual system components, help to determine and implement corporate security policies, and even try to hack into organisational computer systems to determine their real level of vulnerability.
For instance, security consultants can check for vulnerabilities as broad as failed passwords, lax security guards, or even improperly latched windows - anything that might constitute a security lapse. They can try to steal hardware and infiltrate systems, on the grounds that even the most careful company is likely to overlook something. There's just too much to track, what with hackers, new technologies and an increasing number of telecommuters.
There are a range of organisations in Australia that can help with IT security. Some of the most important are listed below.
Computer Emergency Response Teams Whether you're actively under attack and in urgent need of help or just need a single, trusted point of contact or advice on dealing with computer security incidents and their prevention, you'd do well to start by contacting the appropriate international arm of the CERT Coordination Centre.
The original CERT was set up under the Survivable Systems Initiative at the US Software Engineering Institute, a federally funded research and development centre at Carnegie Mellon University. Now there are CERT teams in many countries around the world. So if you're under siege from another country, there may be a local CERT team you can contact. You'll find a list of global CERT teams on the Forum of Incident Security Response Teams (FIRST) Web site at www.first.org.
Back home there's the ever-reliable AusCert, a FIRST member with close ties to the CERT Coordination Centre, with other international Incident Response Teams (IRTs) and with the Australian Federal Police. Run out of the University of Queensland, AusCert was set up to help reduce the likelihood of successful attacks, to reduce the direct costs of security to organisations and to minimise the risk of damage caused by successful attacks.
Like other CERTs, AusCert provides incident response services. It publishes a quarterly summary to draw attention to the types of attacks reported, and to publicise information on other noteworthy incidents and vulnerabilities. It also provides training to incident-response professionals and researches the causes of security vulnerabilities, prevention of vulnerabilities, system security improvement, and the ability of large-scale networks to survive.
It serves as a centre of expertise on network and computer security matters, centralises reporting of security incidents, and facilitates communication to resolve security incidents. It also provides for the collation and dissemination of security information, including system vulnerabilities, defence strategies and mechanisms. It gives early warning of likely attacks, and acts as a repository of security-related information, tools and techniques.
Operating 24 hours a day, 365 days a year, the organisation responds quickly to emergencies to minimise damage. It facilitates communication between affected parties, gives suggestions based on experience, and disseminates information to other parties who may be at risk while protecting privacy and confidentiality as much as possible.
When resources permit it will undertake security audits for a fee, working with organisations to ensure they understand how they want to approach security and whether the techniques employed in the security systems will combat Internet-based attacks.
Internet: http://www.auscert.org.au/home.htmlE-mail: firstname.lastname@example.org monitored during business hours (GMT+10:00) Telephone: (07) 3365 4417 monitored during business hours (GMT+10:00) Hotline: (07) 3365 4417 monitored 24 hours, seven days for emergencies (GMT+10:00) Membership enquiries: 1800 648 458 Academia Several Australian universities offer consultancy services in security under their information security research initiatives. These include the Information Security Research Centre (ISRC) at Queensland University of Technology, which offers an extensive set of consultancy and contract research services in security to both private industry and government.
Telephone: (07) 3864 2846
Then there's the Australian Computer Abuse Research Bureau (ACarb), run out of the Department of Business Computing at the Royal Melbourne Institute of Technology. ACarb describes itself as an independent research centre formed by a group of professionals from industry, business, law enforcement and academic areas to explore ways in which computer abuse can be profiled and prevented.
ACarb was established to draw on the combined expertise of leading professionals in the areas of information technology, behavioural sciences and the law. The publisher of the Australian Computer Abuse Profile as well as research reports, working papers and audio-visual materials also surveys computer security trends in Australia, Hong Kong and Singapore. It runs graduate and undergraduate subjects in computer security; provides a wide range of resource materials; liaises with industry, government, defence, and law enforcement organisations; runs national and international computer security conferences, and provides consultancy services.
Internet: http://www.bf.rmit.edu.au/BisComp/acarb.htmlTelephone: (03) 9660 5800 (Lois McDonald)E-mail: Loism@bf.rmit.edu.au or email@example.comAnother research centre is the Centre for Computer Security Research run out of the School of Information Technology & Computer Science, University of Wollongong. This centre aims to provide:
* a reservoir of expertise in computer, information and communications security for Australia;* appropriate encryption algorithms and protocols for public use; and* a determination of the standard of security employed by computer centres operating in the public/private sector and gauge the extent of computer abuse.
It also offers an independent accreditation authority, identifies potential areas of risk for computer users, and assists corporations to develop computer security policy. And it trains computer scientists, lawyers, patent personnel and others in areas related to cryptology, financial networking, computer crime, risk assessment, disaster recovery and general corporate security needs.
The ISRC's active consultancy teams have already conducted numerous consultancy projects from national and international organisations, particularly in the finance, banking, gaming and telecommunications sectors. Projects include:
* Security audits
* Analysis of encryption algorithms
* Risk assessment of security systems
* Security policy
* Security in electronic commerce
* Security of financial and gaming systems * Smart card technology * Firewall analysis * Design and analysis of security architectures * Analysis of protocols * Access control * Network security issues (commerce) * Design and validation of secure operating systems * Implementation and development of cryptographic software * Management of cryptographic keys * Computer viruses.
Telephone: (07) 3864 2846
Consultancies Numbers of Australian consultancy organisations provide advice and assistance on security matters, and will perform security audits on request. Such organisations will typically put organisations and Web sites through detailed security reviews or threat analysis to test systems for vulnerabilities and weaknesses, and conduct penetration testing to measure the effectiveness of existing protection.
For instance PricewaterhouseCoopers says it uses the latest threat agent analysis to test systems for vulnerabilities and weaknesses. Testing is done from a secure environment, purpose-built for this type of work by specialised technical staff. Its security penetration service can also provide electronic evidence to the board of the effectiveness of security monitoring within a security device such as a firewall.
Defence Signals Directorate The Defence Signals Directorate is primarily concerned with providing material, advice and assistance to commonwealth government departments and authorities, and the Defence Force on matters relevant to the security and integrity of official information, the loss or compromise of which could adversely affect national security. However, private organisations should also be aware of the DSD's Evaluated Products List, produced to help in selecting products that will provide an appropriate level of information security.
The Information Security Group of DSD produces section VIII of the EPL, published twice a year, for the Australasian Information Security Evaluation Programme (AISEP). Products listed in this section have undergone rigorous scrutiny to ensure they work correctly and effectively to provide the stated level of assurance to meet an agreed security target.
It's also worth knowing that when DSD withdraws products from the EPL, it's because they are no longer considered to meet the assurance criteria for their claimed security features, and are therefore unable to fulfil their security objectives. DSD warns that users of products that have been withdrawn from the EPL should consider changing to other evaluated products to meet their security needs.
Internet: http://www.dsd.gov.au/infosec/Vendors and Other Security Companies Too numerous to list here, there are a host of Australian and multinational security companies with security products and services on offer. These have just been listed in an online directory designed to showcase the technologies of Australian security companies to the world.
The directory is the joint initiative of the federal government and Australian Electrical and Electronic Manufacturers' Association (AEEMA). It provides information on business applications and uses of authentication technologies as well as sourcing for products and services. It covers a range of technologies, including public and single key cryptography, digital signatures, PIN systems, user IDs, biometrics, credit cards and smart cards.
There's also information designed to help organisations to choose the most appropriate key certification and regulatory frameworks for their technology. In addition, there is an interactive step-through map to help users assess their needs, develop a checklist, and follow links to companies with appropriate solutions on offer.
AEEMA executive director David Epstein says the capability is aimed at anyone wanting to get into e-commerce and with a high need for security. "It gives companies a platform to sell their wares to the world. We hope that by adding an interactive element into it people who have been a bit afraid to use these solutions will find them a lot easier to come to grips with," he says.
Others Who Can Help
* When an attack gets serious, organisations should seriously consider contacting the Australian Federal Police, which has responsibility for handling corporate and electronic crimes, or their state police department.
* The System Administration, Networking and Security (SANS) Institute provides a lot of helpful information on security issues at http://www.sans.org. The Institute is a cooperative research and education organisation through which more than 96,000 system administrators, security professionals, and network administrators share the lessons they are learning and find solutions for challenges they face. Central to its work are the many security practitioners in government agencies, corporations, and universities around the world who invest hundreds of hours each year in research and teaching to help the entire SANS community.
* ICSA.net, at http://www.icsa.net/html/about_icsa/ is a world leader in security assurance services for Internet-connected companies. ICSA.net's services reduce risk and improve the quality of Internet security implementations, enabling the safe deployment of new Internet technologies and applications. ICSA.net supports both corporate-user and the vendor/supplier communities with critical industry data and analysis from ICSA Labs, the industry's leading product research and certification facility, and with the industry leading publication for security professionals, Information Security Magazine.
* SecurityFocus.com at http://www.securityfocus.com/ is designed to facilitate discussion on security-related topics, create security awareness, and to provide the Internet's largest and most comprehensive database of security knowledge and resources to the public.
* One of the backbones of SecurityFocus.com is the Bugtraq mailing list, one of the most read security mailing lists on the Internet. Located at http://www.ntbugtraq.com/, NTBugtraq is a mailing list for the discussion of security exploits and security bugs in Windows NT and its related applications.