Australian organizations hide security breaches

It has come to the attention of Australian police that corporations and government organizations in this country fail to announce security breaches. Most of them would rather not have the information, or themselves, dragged through the courts, which would worsen their public image. The police question the validity of this argument and ask whether these organizations realise what threats these leaks pose and how this information could theoretically be used by someone less accountable than the police.

Even though this is somewhat true in other parts of the world as well, Australia’s stance on computer security is especially flawed. A recent experiment led by Ghosh shows just how flawed it actually is.

Ghosh led a group of 35 students with little IT background who tried hacking into 200 different organizations – top standing corporations and government departments – with the intent to expose flaws in security. And that they did.

Over 50% of the systems in question were hacked into far enough that content could be altered, all within 12 hours. Upon penetration of transactional systems, the students could have elected to gain root access and thus alter their own financial data. Another 18% of all the systems were hacked into within 12 to 24 hours, and only around 21% held out against the students for the full 24 hours and were thus deemed secure. One should keep in mind, though, that 24 hours is hardly the limit for anything more than an experiment.

Only 20% of the systems had Intrusion Detection System tools, and 10% were freeware. An even more startling result is that the attacks were responded to in only 2 cases, even among those with IDS.

Most organizations still believe that a firewall is the ultimate protection against any attack, missing the point that a third of successful attacks are against systems with a firewall. And to underline the fact that Australian organizations hide security breaches under the rug, one of them, "Roses Only", which recently claimed that a firewall is enough, was hacked into and 20,000 customer details were stolen.

The days of hiding these facts may be at an end, because a new piece of legislation will enforce the reporting of security breaches to a privacy commission.