Australian Federal Police agent, Nigel Phair, said most Australian organisations sweep security breaches under the carpet to avoid public scrutiny in the courts.
"A lot of this is kept under the radar," Phair said at a Logica CMG conference in Sydney yesterday. "A lot of organisations don't report security breaches to police. For some organisations, it's easier to sweep under the carpet ... and move on."
The problem with reporting security breaches, according to Phair, is that taking the matter to police means the facts and the company name are dragged through the courts -- an outcome most organisations prefer to avoid.
While sweeping security problems under the carpet may protect an organisation's image, the lack of reporting offers Australian organisations a false sense of security.
"For whatever reason, Australian organisations aren't as concerned or aware that their information could be used for bad things. For some countries that are more exposed to [security threats] -- such as the UK where a bomb has gone off -- it's a bit more in their minds," said Ajoy Ghosh, a security executive for Logica CMG.
Australia "a soft touch"
Ghosh said this mentality has contributed to Australian organisations being considered "soft targets". A group of 35 students on a two-week course led by Ghosh -- mostly people working in the legal profession with very little background in IT -- demonstrated this by hacking into the "certified gateway protected" IT systems of 200 organisations. All the organisations were either on the Business Review Weekly Top 200 list or large government departments, said Ghosh.
The vulnerability tests resulted in over 50 percent of the systems being compromised within 12 hours, to the extent that content could be altered. Where transactional systems were penetrated, Ghosh said the students could have elected to gain root access, which would have allowed personal financial data to be changed.
A further 18 percent of the systems tested were hacked within 12 to 24 hours, while only 21 percent of the systems were deemed "secure" because the students failed to penetrate the system within 24 hours.
"Only 20 percent of the secure systems had any kind of intrusion detection system (IDS) installed and, in fact, half of those were freeware IDS tools, so it's not costly to put in reasonable protection," said Ghosh.
Perhaps a more startling figure is that only twice -- including those equipped with IDS tools -- did a security team respond to security breaches during the exercise.
Ghosh added that vulnerabilities were found in roughly equal measure across organisations using Microsoft, Apache and Domino servers, dispelling claims that some servers are more secure than others.
Ghosh said most organisations still believe a firewall provides the necessary level of security; however, a third of security breaches occur where there is a firewall in place.
A case in point is Roses Only, whose IT personnel earlier this year told Ghosh their systems were secure because they had a firewall in place. In June it was discovered that Roses Only had experienced a security breach where as many as 20,000 customer details were stolen.
Sweeping security breaches under the carpet may today suit organisations trying to avoid public embarrassment, but if the Australian Law Reform Commission's recommendations are accepted, organisations will soon be forced to disclose data breaches to the Privacy Commissioner, which might prevent Australia from continuing to be considered a "soft touch".