Aust computer crime impact down, says survey

The impact of computer crime and security incidents on organisations has decreased over the past year, but the fight against malware and hackers is far from over, according to the Australian Computer Crime and Security Survey 2005.

Only 35 percent of the 540 organisations which responded to the survey this year said the confidentiality, integrity or availability of their networks had been affected by an electronic attack, down from 49 percent of respondents in 2004 and 42 percent in 2003.

Kevin Zuccato, director of the Australian High Tech Crime Centre (AHTCC), told ZDNet Australia the survey -- released today -- revealed that although the overall number of attacks had risen, companies had improved their network defences.

"The Internet is generally a more dangerous place to be, but people that put the effort in and put defences in place have screened the bad activity from impacting on their enterprises. These are incidents that have got through and not necessarily representative of the incidents that might be occurring outside. Big business are getting the message -- they are harder targets than they were a year or two ago," said Zuccato.

Graham Ingram, general manager of AusCERT, said more organisations seemed to be getting the basics right, but they still paid a high price when their defences failed.

"Knowing there are easy things to do -- such as block a certain port -- has helped. A lot of the high impact stuff has been filtered out. However if [the malware] gets in, it is pretty nasty because the payloads are becoming more aggressive," said Ingram.

Neil Campbell, a former law enforcement officer who is now the national security manager of IT services company Dimension Data, said he was not surprised that companies are being affected less by attacks as they now had years of experience of being under fire.

"Between 2001 and 2003 was the period of the worm and virus -- we really saw some massive infections and that had a huge impact. It increased the level of awareness and preparedness," said Campbell, who also praised Microsoft for strengthening Windows security: "There was a massive effort by Microsoft in particular who increased the security of its operating system. An increased focus on perimeter, desktop and layered security has led to this improvement."

Infection by viruses, worms and Trojans was the most common form of attack reported by respondents, with 64 percent of respondents suffering. However, this figure had fallen from 88 percent in 2004 and 80 percent in 2003.

Denial of service (DoS) attacks -- where an organisation's Web site or server is inundated with requests to a point where it slows to a crawl or is knocked offline -- were the most costly. Fourteen percent of respondents reported experiencing such attacks which resulted in financial losses -- with the losses themselves accounting for more than half (53 percent) of total losses experienced by survey respondents. The survey did say, however, that figure was skewed by one organisation which reported losses of AU$8 million as a result of DoS attacks.

The AHTCC's Zuccato said botnets of compromised or zombie personal computers were increasingly being used to extort money from online businesses.

"Botnets are being used to do distributed DoS attacks. Extortion is one of the concerns that is no longer on the horizon -- it is with us now. In the UK, extortion with threats to undertake DDoS attacks are part of the course -- the online bookmakers are being hit," said Zuccato.

Only seven percent of survey respondents thought they were managing their security issues 'reasonably well'. This has increased compared to last year (five percent) but fallen from 11 percent in 2003 -- the same year as the Blaster and Slammer attacks.

Dimension Data's Campbell said the phase of high profile malware attacks was a 'call to action' and led to significant improvements in overall security.

"IT security is no different to physical security in that over time, in the absence of incidents, security tends to ease up or if it was never there it does not tend to be put in place. In previous years there have been some fantastic weapons developed by the bad guys and now the good guys have developed some great countermeasures," said Campbell.

Apart from improvements in technology, the 'call to action' has also increased the number of companies adopting formal security standards. According to the survey, 65 percent of organisations now follow or use established standards such as the AS 7799, Specification for Information Security Management System and the ISO 17799:2001, Code of Practice for Information Security Management. This compares with 58 percent last year and 37 percent in 2003.

AusCERT's Ingram said adherence to security standards has had a positive impact on the corporate world.

"It is hard to reliably talk about cause and effect, but there is a positive indicator that with better adherence to computer security policies, practices and technologies, you are going to make an impact in reducing the level of exposure to incidences," said Ingram.

According to Dimension Data's Campbell, overall security has improved but he expects malware writers and hackers to continue innovating and finding new ways to compromise security.

"We have seen organisations spur themselves and move to improve security but you have to accept that security in any domain is generally an arms race. You certainly cannot say we have hit the worst of it and now it will all improve from here," he added.