Symantec: Security reporting chain is broken

Mechanisms used by companies for detecting potential attacks against their systems and reporting the evidence to the authorities have some serious flaws, according to security experts.

Speaking at the 2007 Parliament and the Internet Conference in Westminster on Thursday, Symantec's European director of security practice, William Beer, said that, while many companies have invested in security products, they are often not maximising the potential benefits by following best practice.

"There's not enough being done to take advantage of investments in security software," Beer told ZDNet.co.uk. "You might have IPS [intrusion prevention systems] in a DMZ [demilitarised zone] or managed network, but are you looking at the logs? It's an administrative problem."

Most security systems log records of attempted intrusions or probes, but, if this information is not regularly checked, then companies are only seeing half the picture as far as their corporate security is concerned.

Beer said that, while he has spoken to some Symantec customers who scrutinise log data once a week or once a month, this is often not enough.

"How do you know the [security] system is operating correctly for your environment?" Beer said.

Despite Symantec's concerns, Cambridge University computer security expert Richard Clayton said a more pressing concern for businesses was making sure patches were managed correctly, and that users were educated about security issues.

"Top of the list [in security admin]: apply patches, since malware like MPack [a PHP-based malware kit] attacks in eight different ways," said Clayton. "With virus checkers, frankly most of the stuff out there [on the web] antivirus vendors like Symantec won't pick up at the point you see it. Businesses still use virus checkers and get screwed over — there's a new attack and employees are clicking on links because they've not been told not to."

However, even when companies do check computer logs and find something suspicious, there is a lack of police contacts to report any suspicious findings to, according to one telecommunications technical director. "We don't have anyone to report log data to in this country," said Alex Nikolov, technical director for VoIP company Sipera. "Where do you pass that data?"

The police have been aware of difficulties in reporting anomalous log data and other evidence of e-crime since the National Hi-Tech Crime Unit (NHTCU), which dealt with cybercrime reports, was subsumed into the Serious Organised Crime Agency (SOCA).

Superintendent Charlie McMurdie, of the Metropolitan Police Specialist Crime Directorate, said the police had been working to provide officers responding to e-crime with a "raised level of ability and awareness to record", but said that the investigative response to deal with cybercrime needed still needed co-ordination.

"We [police and businesses] need to work in partnership to provide a co-ordinated response," said McMurdie. "If we don't provide a suitable law-enforcement response [to level 1 and 2 crime], it won't be long before criminals take advantage in the UK, because nobody is going after them."

Level 3, or serious crime, is investigated by SOCA. However, police have admitted difficulties investigating level 1 and 2 computer crime due to a lack of a centralised reporting and co-ordination unit, and a lack of resources, while big business has criticised SOCA's lack of openness.