Hackers will always scout the weakest link into an organisation’s network and a drive-by hacker’s methodology is no different, often exploiting the poorer security of one organisation to hack into a trading partner or business client with whom it shares a VPN - or some other closed link - and which is the hacker’s ultimate target.
Whilst civil litigation has yet to come to fruition in Australia, hacked organisations, which believe they can confidently point the finger at a subsidiary, trading partner, or other linked business as the point of entry for security breaches on their own networks, are starting to turn to drawn-up lawyers’ letters to nip security lassitude in the bud, according to Leif Gamertsfelder, head of e-security, Deacons Lawyers.
“What we’re seeing a lot of at this moment is a lot of letters of demand,” Gamertsfelder told ZDNet Australia. “A precursor to litigation or settlement.”
“However, at this stage we’re only seeing a small amount of activity,” he added.
Gamertsfelder puts the lack of activity in Australia, compared to the US where civil litigation of this kind has gone into overdrive, in part down to “hypersensitivity” over security issues. Many corporations, he said, would still rather “wear the loss rather than tell the world”.
Also, there is still a lack of direction in relation to the standard that should be set. “Corporations are unwilling to be the first one to test it out in court,” he explained. But as with cybercrime cases in the mid to late 1990s, civil litigation over security breaches will eventually become less of a novelty and more routine in Australia, he pointed out.
“Hypersensitivity to security issues will go,” Gamertsfelder said. “They’re an inevitable part of life, just like traffic accidents. On the information superhighway there will be accidents, there will be loss.”
Furthermore, under ASX listing rules listed companies have to disclose any event that may have a negative impact, or impact, on its share price, and under the Crimes Act if anyone has any information about an indictable offence they must disclose it.
In Australia, “people will start taking each other to court…to be compensated for the damage they’ve suffered,” Gamertsfelder said and companies can be exposed to liability if they have failed to take “reasonable steps” to secure a wireless network. Security doesn’t have to be impenetrable, unless the company has signed to something like that under contract, it just has to withstand scrutiny in a court of law, he added. Under certain circumstances a company will be subject to strict liability under contract – but this would be an exception rather than a rule.
Andrew van der Stock, chief technologist at security company b-sec, said that “reasonable steps” to secure a wireless network includes, amongst other things, segregation of the network – making sure all traffic destined to the wireless local area network (WLAN) is separate from the rest of the organisation’s LAN – as well as putting in a firewall, which constrains the type of traffic that wireless devices can access on the main part of the LAN.
Although civil litigation for security breaches are on the horizon in Australia, Gamertsfelder conceded it “could be tomorrow, it could be in a month’s time”.
“Australia has always been a bit slow around the blocks in this area,” he said. “There are a great many cases in the US, which is normally a forerunner to similar events happening in Australia.”
Gamertsfelder cites one such case in the US where it is being argued that port scanning is equivalent to trespass.
“That type of case demonstrates the extent of activity in the US…it’s only a matter of time before that happens here,” he said.
When will people learn that specialist wireless gateway devices are already available on the market to protect and insulate wireless networks from the wired infrastructure? It's not rocket science, just good sense! Try www.bluesocket.com for starters.