Special Report: Cybercrime Down Under

Outsourcing: The answer to your security issues?

Echoing a similar sentiment to David, Tim Smith, chief technology officer of security for Australian ASP and network integrator Com Tech Solutions, says that the primary issue for security has not really changed much in the last six years.

"Systems [are] being implemented with default settings, unpatched or [have] ancillary services running that are not required (and open to abuse)," says Smith. "Default settings and unpatched systems cover a multitude of exposures, from site defacement all the way through to backend compromise including the acquisition of private data such as customer databases and credit card numbers."

The other major exposure for cybercrime in Australia is the extent to which companies are lax about maintaining a certain level of vigilance with their security solutions once they're in place. "Security is a moving target and keeping up-to-date is a full-time job," explains Smith.

Smith cites the human factor as a particularly vulnerable area to attack for most Australian businesses, mainly because of the complete lack of staff training in that area.

"With the exception of those specially trained on counter-social engineering techniques (such as the military), almost all organisations are susceptible to social engineering," said Smith. "Most organisations do not address this issue at all... The only way to defend against it is [through] a security awareness program."

This problem occurs not because staff are complacent, as such, but because they sometimes wish to help out someone in need. "The problem is, people generally want to help--if someone appearing to have forgotten their key or password is roaming the office (or phones in), the immediate reaction is to try and help," says Smith. "[It is] very difficult to address this with technology."

Leigh Purdie, co-director of the InterSect Alliance, an information technology security consultancy, still believes that this type of attack on a business can often be the most effective. "One of the oldest and more successful mechanisms to gain access to an organisation's information resources, is the 'social engineering' attack," says Purdie. "It basically involves hitting the organisation in a perceived 'soft spot'--employees who may not have an awareness of the security implications of their actions."

The lack of perspicacity of some corporate employees plays right into the hands of prospective infiltrators. "We've known of situations where external attackers ring a random number inside an organisation, claim to be a network administrator doing network testing from the IT cell, and ask the user to log off their system and log back on again--all the while reading out what they are typing," explains Purdie.

One possible solution that Com Tech's Smith recommends is for Australian businesses to take their security to someone who can dedicate specific resources to it and is specially trained in that area. "If an organisation does not have the necessary skill sets to keep systems secure as well as operational then they should look at outsourcing their security to a third party dedicated to managing security for them... Managed security companies are more process [rather than technology] driven and generally more aware of social engineering techniques."
