It must be a hacker's dream -- all of a nation's financial information on the one system. So what does the Australian Taxation Office (ATO) do to protect the interests of a nation?
Having a whole nation's financial records in your hands puts you in a dangerous position -- especially when it comes to bot networks. So it is no surprise that the ATO highlights these threats in red, putting them up there with risks associated with Trojans or other viruses.
Australian Tax Office CIO Bill Gibson says that what puts the ATO at greater risk is the increased Internet contact the office has taken on in recent years with its customers. This has led to a review of the ATO's security architecture (partly to further reduce the possibility of new bot attacks) and further education campaigns to try to stop bots from making it onto clients' systems in the first place.
"The problem is we may feel we have got reasonably good protection against known [bot] threats, but it is the unknown ones we have to watch -- you don't want to be the first to discover a new threat, you want someone else to find it first so you know how to protect against it," Gibson says.
"So one of the things we are, and I think everyone should be, concerned about is external clients. External clients may not realise how important it is to protect against these sorts of things and they will often be the ones who will allow them to spread or enter your system."
So Gibson says the ATO is constantly educating the tax community about the need to keep security up-to-date. "We say if you want to engage in electronic tax lodgement -- something we are encouraging -- then you must keep your password up-to-date and antivirus and firewalls as recent as possible."
The ATO has two major concerns when it comes to bot networks. One is the use of bots to retrieve personal and confidential information lodged by clients; the other is the possibility of a Distributed Denial of Service (DDoS) attack which, if successful, could bank up work and cost the busy department big dollars.
"The ATO deals with a huge amount of client data and taxpayer information so we have had to put a very tough filtering regime in place -- some organisations are a little looser in the way they allow traffic through their firewalls but we constrain, very tightly, and limit everything to significant attachments. That is one of the fundamental things we have done to change our risk profile. Of course the trade-off is how much you deny yourself access to -- we are very conservative in this way." Constant updates are also key. Gibson says that as part of its desktop management contract with UDH, the ATO is constantly pushing out virus and patch updates.
"We basically have a rolling cycle of updates every day -- those updates come through within hours of receipt. We have 22,000 to 25,000 devices we need to get to so we have to be careful we don't flood the network, so we program it routinely so our system does get updated. It is all just a part of keeping a healthy system."
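Gibson's "limit everything to significant attachments" is an allow-list policy: only a handful of expected file types get through, and everything else is denied by default. The following is an added illustration by the editor of how such a filter can be written, not the ATO's own filtering code; the permitted types, the magic-byte signatures, the blocked archive members and the sample attachments are all constructed for the example. It checks the file's leading bytes against its claimed extension (so an executable renamed to .pdf is caught) and looks inside archives for members that should never arrive by email.

```python
"""Allow-list attachment filter in the spirit of the policy quoted above.
Added example code, not the ATO's actual filtering regime; the type table,
signatures and sample attachments below are constructed for illustration."""
import io
import zipfile

# Allow-list: extension -> acceptable leading bytes ("magic"). Anything not in
# this table is rejected, so unknown or new types are denied by default.
ALLOWED_SIGNATURES = {
    ".pdf": [b"%PDF-"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".zip": [b"PK\x03\x04"],
}

# Archive members that are never acceptable regardless of the outer type.
BLOCKED_INNER_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta"}


def _extension(filename):
    """Lower-cased final extension, or '' when there is none."""
    lowered = filename.lower()
    dot = lowered.rfind(".")
    return lowered[dot:] if dot != -1 else ""


def check_attachment(filename, data):
    """Return (allowed, reason) for one attachment given its name and bytes."""
    ext = _extension(filename)
    if ext not in ALLOWED_SIGNATURES:
        return False, f"extension {ext or '<none>'} not on allow-list"
    if not any(data.startswith(sig) for sig in ALLOWED_SIGNATURES[ext]):
        # Extension claims one type, content is another: a renamed file.
        return False, f"content does not match {ext} signature"
    if ext == ".zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if _extension(member) in BLOCKED_INNER_EXTENSIONS:
                        return False, f"archive contains blocked member {member}"
        except zipfile.BadZipFile:
            return False, "corrupt or unparsable archive"
    return True, "ok"


def build_sample_zip(member_name):
    """Construct a tiny in-memory zip holding one dummy member (test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"dummy")
    return buf.getvalue()


# Constructed sample attachments: (filename, leading bytes of content).
SAMPLE_ATTACHMENTS = [
    ("return_2004.pdf", b"%PDF-1.4 constructed sample"),
    ("invoice.pdf", b"MZ\x90\x00 constructed PE header"),   # executable renamed .pdf
    ("statement.pdf.exe", b"MZ\x90\x00"),                     # double extension
    ("receipts.zip", build_sample_zip("receipt.txt")),
    ("receipts.zip", build_sample_zip("receipt.pdf.scr")),
]


def filter_attachments(attachments=SAMPLE_ATTACHMENTS):
    """Run the filter over a list of attachments; returns (name, allowed, reason)."""
    return [(name, *check_attachment(name, data)) for name, data in attachments]


if __name__ == "__main__":
    for name, allowed, reason in filter_attachments():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {name:20} {reason}")
```

Only the first and fourth sample attachments pass; the renamed executable, the double-extension file and the archive carrying a screensaver are all denied with a reason that can be logged. Matching on content rather than on name alone is what makes the allow-list worth having, since the extension is entirely under the sender's control.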
This article was first published in Technology & Business magazine.
You forgot to point out that 99% of bots only affect Windows-based machines :) and something as simple as following a basic security model would stop most bots dead in their tracks.
Like most malicious applications in Windows, bots need to write registry values into the Windows registry; a normal user account only has write access to HKEY_CURRENT_USER, which isn't enough to cause any serious damage to the operating system. This also greatly simplifies removal.
While I agree with the approach both yourself and Gibson have taken (scare tactic), I think you really should have been more emotive and stressed user education. Believe it or not, it's not impossible to take down a botnet, and with other attack types such as DRDOS (distributed reflected denial of service) and DEDOS (distributed email denial of service), botnets can be considered small fry.
I believe everyone in the chain needs to do their part to help solve this problem. ISPs monitor ICMP and UDP activities which are normally related to botnet floods; most even egress filter these days to stop s****ing. Software vendors are constantly improving default security policies or providing updates to ensure machines aren't as easily infected. We as end users need to do as much as we can to secure our machines regardless of operating system. With higher security awareness and education come "more" secure machines; remember there can't be botnets without insecure machines.