
Thousands of significant cyber incidents hit Australian organisations

Australian Cyber Security Centre report reveals growing threat, with energy, banking and finance, and communications sectors targeted most often

Australian business and government are a target for malicious cyber activity, with the nation’s 2016 threat report identifying more than 15,000 significant incidents.

The Australian Cyber Security Centre’s (ACSC) 2016 threat report, the second produced by the centre since it was established, said it remained challenging to assess the full impact of cyber crime on Australia because it relied on voluntary self-reporting.

The government’s bill to amend the Privacy Act to mandate serious data breach notification, which has bi-partisan support, is slated to be introduced and passed by parliament in the near future. For the time being, however, the ACSC said: “High levels of misreporting and under-reporting make it difficult to accurately assess the prevalence and impact of cyber crime.”

To assess the scale of the problem in the private sector, the ACSC has relied on data from callouts to CERT Australia, the national first responder to cyber incidents, which responded to 14,804 incidents from the private sector in the year to the end of June. Of those incidents, 418 involved systems of national interest and critical infrastructure. The energy, banking and finance, and communications sectors were targeted the most often.

Meanwhile, between January 2015 and June 2016, the Australian Signals Directorate was involved in 1,095 security responses to incidents on government systems, including a damaging penetration of the Bureau of Meteorology’s computer system by a foreign intelligence service in which data was stolen.

Despite the clear and present threat, the report said that to ensure corporations remained alert to the issue, the language surrounding computer security problems needed to be toned down and incidents should be referred to as “malicious cyber activity” launched by “cyber adversaries” rather than attacks by hackers, which tended to sensationalise the issue.

A cyber attack, meanwhile, was defined as “a deliberate act through cyber space to manipulate, disrupt, deny, degrade or destroy computers or networks or the information resident on them, with the effect of seriously compromising national security, stability or economic prosperity”.

This year’s ACSC report again confirms the extent of the problem and profiles a series of malicious incidents.

In one case, an adversary gained access to an unnamed government network using malicious Microsoft Office macros. And in the financial sector, a domain controller was compromised and had been communicating with malicious domains for at least a year before detection. Elsewhere, a critical infrastructure provider found a cyber adversary had used legitimate credentials belonging to a staff member and a contractor to effect a systems compromise.

Although in that last case the offshore suspect was identified and subsequently arrested, such incidents point to the growing challenge of dealing with the “insider threat”, according to Keith Lowry, senior vice-president of Nuix, a global provider of security services, headquartered in Sydney.

A US government employee for 30 years, Lowry was involved in both the Edward Snowden and Bradley/Chelsea Manning investigations before joining the US Food and Drug Administration’s security team.

Insider threat

He said it was clear that technology could not solve the computer security issue. “Once you penetrate the outside perimeter and are inside, to me it’s irrelevant how you got there or your position,” he said. “That is an insider threat.”

This meant that the traditional model of security as “gates and guards” was not adequate, said Lowry. Organisations in all sectors needed to rethink their approach to counter insider threats which, without proper surveillance, could go undetected for months.

Organisations needed to take a higher-level view and define threats, define critical value data, designate a senior official, conduct a capabilities assessment, and then develop, publish and prosecute policies and procedures, he said.

Lowry, who was in Australia recently, said companies needed to appoint a single person responsible for security who reported directly to the CEO or COO. “This cannot be relegated to the IT department,” he said. “The moment you put responsibility for blocking individuals to IT, it becomes an IT problem rather than a person problem.”
