What Your Peers Are Really Doing About Information Security
Whilst in many professions people are only too happy to talk at length to colleagues in other organizations about what they are up to, security is a bit different – for obvious reasons. Most people whose job involves information security are understandably coy about spreading details of what their organization is doing. At the same time, people are naturally curious about what their counterparts in similar profile organizations are actually doing.
That’s probably why, whenever Safecoms people are out working on client sites, we get a lot of questions during lunch breaks about what kinds of security initiatives other clients that we work with are engaged in. Of course, we cannot and do not name names – but we can give an overall indication of what’s going on in other organizations, and our clients certainly find this interesting. So this month we thought we’d share this information with our newsletter readers by giving an overview of the initiatives that our clients have engaged us to help with over the last 12 months.
Trends of 2005
At the outset I guess we should state the obvious, namely that this article is not intended to be a definitive survey of what is happening across the Australian information security sector (there are plenty of other publications that purport to do that): instead, this is anecdotal feedback based on real projects that Safecoms has been asked to undertake with approximately 50 Australian organizations over the last 12 months.
Whilst the set of clients that have engaged us is quite diverse (ranging from very large financial services institutions through to medium size manufacturers, with a good number of state, federal and local government bodies thrown in as well), it is interesting to note that despite this wide range of organizational profiles, the “hot buttons” that we have been asked to address are remarkably consistent across the whole group.
Those hot buttons are:
- Internal penetration tests
- Web application penetration tests
- Developing new Policy, Standards and Procedure sets
- Internal information security awareness programs
- Implementing two factor authentication
Internal Penetration Tests
This has certainly been a major growth area over the last 12 months, and our experience suggests that this is becoming a major focus area for a large number of Australian companies, particularly those with a relatively mature security profile.
What appears to be driving this activity is that many organizations now feel that they have achieved a reasonable level of security with their perimeter, and are now focusing on tightening the security of the “soft underbelly” of their internal network. At the same time, organizations are becoming aware that an increasing number of security incidents are occurring entirely inside the perimeter, either by rogue users or by external hackers who have managed to obtain a user’s log on credentials through social engineering and/or have managed to gain access via a remote access link. Faced with this realization, it therefore becomes increasingly important to determine the level of risk associated with potential compromises of the internal network.
Note: any reader interested in a more detailed look at internal penetration testing will find the following article of interest http://www.safecoms.com.au/resources/newsletters/november2005/internal/
Web Application Penetration Tests
The last 12 months have also – from our experience – seen a sharp increase in the number of web application penetration tests being conducted. In part, this is due to the obvious reason that more and more organizations are using online applications for transactions with their customers and business partners – and naturally, these need to be thoroughly tested for robustness against fraud, identity theft and denial of service attacks before being deployed in a live environment.
However, even with more mature transactional web applications that have been running live for some time, there has recently been a significantly increased emphasis on testing these against hackers. Whereas historically many organizations (to the extent they engaged in regular penetration testing at all) tended to focus more on testing the ability of the core infrastructure to withstand attack, there is now an increased awareness that web applications are far more likely to have serious exposures than the core infrastructure. In particular, we have seen a major increase in cross site scripting vulnerabilities as more and more transactional web applications go live. This in turn puts pressure on organizations to ensure that these are eradicated, otherwise their customers could be compromised and the organization’s reputation could be seriously damaged.
Organizations are therefore working out that they will often get a significantly greater “security dividend” from a web application test than from an external test of the core infrastructure.
Developing New Policy, Standards and Procedure Sets
To be honest, the resurrection of this as a major area of interest over the last 12 months has come as something of a surprise to us at Safecoms. Two or three years ago a lot of organizations were developing and implementing information security policies, standards and procedures, and we thought this activity was on the decline on the basis that most organizations had now got a policy set well and truly bedded down inside their organizations. We were wrong!
What actually seems to have happened is that whilst a number of organizations did put in place reasonably comprehensive policy sets a few years ago, a lot did not. Now with the increasing focus on policies and procedures by auditors and regulators, there is no longer any hiding place, particularly for any ASX listed organization, APRA regulated or public body – those who have been putting it off for a long time now have to bite the bullet.
What we have also found is that many of the organizations that did do something in this area some time back are now finding that what they did simply is not working, has fallen into disuse, or was only a partial fix. Given the importance of being able to demonstrate that a sound set of workable policies and procedures are in use across the organization, many are now re-visiting this issue to get it right “second time round”.
Internal Information Security Awareness Programs
At the beginning of 2005 everyone (including Safecoms) was predicting that this would be a hot button in 2005 – and we were right. Organizations were starting to realize that the old cliché “security is only as strong as the weakest link” remains true – and that in many organizations users are the weakest link in the security chain due to lack of education and awareness.
As companies have invested in securing their infrastructure against attack, hackers have increasingly turned to social engineering as a means of penetrating organizations’ security. Naivety or carelessness amongst ordinary users has resulted in many well publicized incidents where hackers have gained user name and password details enabling them to gain full access as an authenticated user.
In addition to the threats posed by social engineering, users can inadvertently undermine the most rigorous security regimes by unthinking behaviour or ignorance. For instance, leaving laptops lying around unattended, carrying confidential information on USB keys that are easy to lose, tinkering with their own computers (e.g. disabling anti-virus software “because it slows the computer down”) – the examples are many and various.
Education and awareness are the keys to addressing these issues, and our experience has been that organizations are now starting to give this issue the high level of attention it deserves by organizing information security briefing sessions for all staff, special briefings for senior management, or using educational tools such as the Safecoms training video (http://www.safecoms.com.au/solutions/awareness/sample/).
Implementing Two Factor Authentication
As remote access to systems becomes more and more the norm (both for standard users and also remote system administration by technical staff), a lot of organizations that Safecoms works with are now implementing two factor authentication to varying degrees.
The primary motivation for this is that organizations acknowledge the relative ease with which a user’s log on credentials (user name and password) can fall into the wrong hands. Clearly, if an unauthorized person were to obtain the log on credentials of a member of the IT department who had remote system administration rights, the consequences could be catastrophic. Two factor authentication for privileged access is seen as a relatively easy way of reducing this risk.
In our experience, organizations have mixed views as to whether to introduce two factor authentication for “standard” users who have remote access rights. Some acknowledge that the potential fallout from an unauthorized malicious person gaining standard access rights could still be very serious indeed – e.g. an attacker who gains access to a standard user account and uses this to send abusive email to all the organization’s customers (particularly if you then have to explain it away to irate customers in terms of “it wasn’t really from us, it was from a hacker who broke into our network…!”). However, others do not see this as a particularly significant risk (or at least they view it as an acceptable risk), or regard the hassle factor of getting non-technical users to use two factor authentication as just “too hard”.
Either way, whether it’s confined to privileged access accounts or extended to all users with remote access, two factor authentication has hit the agenda of many of our clients over the last 12 months.
And So To 2006...
So what will emerge this year as the hottest buttons in the information security space? In broad terms, we believe that the issues that preoccupied our clients in 2005 will carry on into 2006 – particularly the introduction of two factor authentication and information security awareness programs for users. Three other topics to keep a keen look out for in 2006:
- Developments in “Identity Management” – particularly as the “Identity 2.0” movement gathers momentum and organizations (mainly those based on a B2C business model) grapple with the paradox of protecting their online customers against fraud, without making authentication too hard for the average user
- Data hostaging. To a lot of people this sounds very exotic and far-fetched. However, crime investigation agencies are reporting a major increase in this area, as organized crime increasingly focuses on soft targets (mid size / lower profile organizations) rather than the harder targets at the top end of the financial services sector.
- CLERP9. There has been a lot of talk that this will emerge as Australia’s equivalent to the USA Sarbanes-Oxley (“SOX”) legislation. SOX caused virtually all publicly listed companies in North America to embark on a massive ramp-up of their information security regime, and billions of dollars were spent as organizations struggled to achieve compliance. So far, CLERP9 has had nothing like the same impact in Australia – indeed, a lot of people have never even heard of it. Watch this space!
We hope you have found this article interesting and informative. If you would like to find out more about how Safecoms could assist your organization with any of these types of activities, please contact us at any time – we are always delighted to hear from you!
Nick Gifford
Managing Director