In a recent study, almost 200 certified security gateways across a mixture of government organisations and BRW 500 companies were put to the test, and 79% of them were compromised within 24 hours. More than 1 in 10 fell well inside an hour, and almost half within 4 hours. All of the attacks were carried out by people with just two days of in-lab training.
Repeat, these are CERTIFIED SECURITY GATEWAYS! The good news? The characteristics of the uncompromised servers (yes, only 1 in 5) show that it doesn't take much effort to toughen a system up enough to deny such intrusions. That doesn't change the fact that it is a sad state of affairs when security certifications can be granted to systems so easily breached.

For the record, a 'compromise' was classed as any intrusion that granted privileged access, changed content, or took the server offline for more than one hour. Another scary stat? Across all the servers tested, including those that didn't fail, the security team responded to the attempted intrusions on only two occasions. Though perhaps when your intrusion detector is blinking a red light non-stop from all the snoopers out there, you eventually put some tape over the light...
So back to the good news: what can you do to make your own system harder to break into? Here's what the uncompromised servers had in common:
- The organisation had implemented, or was working on implementing, an ISMS (information security management system).
- The server was running a hardened operating system.
- They had conducted a code review of web pages and installed applications (even if they only ran an automated tool).
- They were split almost equally between Microsoft, Apache, and Domino, so no free rides for any fanboys out there.
- They were running an intrusion detection system, either commercial or free.
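That last item is only half the story: the study's servers were running IDSs, yet hardly anyone responded, because a detector that lights up for every sweep on the internet gets tape put over it. The Python below is an added example, not code from the post or from LogicaCMG; its alert line format (time|src|dst|dport|signature), the signature classes, the thresholds and every IP address are constructed for illustration and correspond to no real IDS. It triages a stream by source behaviour: a probe-only sweep across many hosts is suppressed, a source working one host through several signature classes in a short window is flagged for investigation, and any foothold indicator is paged no matter how much scanner noise surrounds it.

```python
"""Triage an IDS alert stream so targeted attacks surface above scanner noise.

Added example (not from the study or the post). The alert line format
(time|src|dst|dport|signature), the signature classes and every IP address
below are constructed for illustration and do not correspond to any real IDS.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Signature classes are the prefix before the first ':' in the constructed
# signature names, e.g. "PROBE: HTTP OPTIONS sweep" -> "PROBE".
NOISE_CLASSES = {"PROBE"}       # blind sweeps: what keeps the red light blinking
CRITICAL_CLASSES = {"POLICY"}   # foothold indicators, e.g. a web server opening an outbound shell
SCANNER_MIN_HOSTS = 20          # a probe-only source touching this many hosts is background noise
ESCALATION_WINDOW = timedelta(minutes=15)
MIN_DISTINCT_CLASSES = 3        # recon -> exploit attempt -> ... on one host means somebody is working it


def constructed_alerts():
    """Build a sample alert stream (constructed data, not captured traffic)."""
    t0 = datetime(2007, 3, 11, 10, 0, 0)

    def line(offset_s, src, dst, sig):
        return f"{(t0 + timedelta(seconds=offset_s)).isoformat()}|{src}|{dst}|80|{sig}"

    lines = []
    # A mass scanner probing 25 hosts in the DMZ with the same signature.
    for i in range(25):
        lines.append(line(i, "203.0.113.7", f"192.0.2.{10 + i}", "PROBE: HTTP OPTIONS sweep"))
    # A source that works one web server all the way to a foothold.
    for off, sig in [(0, "PROBE: HTTP OPTIONS sweep"), (90, "RECON: directory enumeration"),
                     (300, "WEB-APP: SQL injection attempt"), (540, "POLICY: outbound shell from web server")]:
        lines.append(line(off, "198.51.100.23", "192.0.2.10", sig))
    # A source escalating against one host, but with no foothold indicator yet.
    for off, sig in [(0, "PROBE: HTTP OPTIONS sweep"), (120, "RECON: directory enumeration"),
                     (400, "WEB-APP: path traversal attempt")]:
        lines.append(line(off, "198.51.100.44", "192.0.2.11", sig))
    # An isolated low-priority hit from an internal address.
    lines.append(line(700, "192.0.2.200", "192.0.2.11", "RECON: directory enumeration"))
    return lines


def parse_alert(raw):
    """Split one constructed alert line into a dict, deriving the signature class."""
    ts, src, dst, dport, sig = raw.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dport": int(dport), "sig": sig, "cls": sig.split(":", 1)[0]}


def escalates(alerts):
    """True if one destination sees MIN_DISTINCT_CLASSES classes from this source within the window."""
    per_host = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["ts"]):
        per_host[a["dst"]].append(a)
    for hits in per_host.values():
        for i, first in enumerate(hits):
            classes_in_window = {b["cls"] for b in hits[i:] if b["ts"] - first["ts"] <= ESCALATION_WINDOW}
            if len(classes_in_window) >= MIN_DISTINCT_CLASSES:
                return True
    return False


def triage(lines):
    """Map each source address to a (verdict, reason) pair."""
    by_src = defaultdict(list)
    for raw in lines:
        a = parse_alert(raw)
        by_src[a["src"]].append(a)
    verdicts = {}
    for src, alerts in by_src.items():
        classes = {a["cls"] for a in alerts}
        hosts = {a["dst"] for a in alerts}
        if classes & CRITICAL_CLASSES:
            # Never let a foothold indicator drown in scanner noise: page first, tune later.
            verdicts[src] = ("PAGE", "post-exploitation indicator present")
        elif len(hosts) >= SCANNER_MIN_HOSTS and classes <= NOISE_CLASSES:
            verdicts[src] = ("SUPPRESS", f"probe-only sweep across {len(hosts)} hosts")
        elif escalates(alerts):
            verdicts[src] = ("INVESTIGATE", "escalating signature classes against a single host")
        else:
            verdicts[src] = ("LOG", "isolated low-priority hit")
    return verdicts


if __name__ == "__main__":
    for src, (verdict, reason) in sorted(triage(constructed_alerts()).items()):
        print(f"{verdict:<11} {src:<15} {reason}")
```

The ordering of the checks is the point: the critical test runs before the suppression test, so a mass scanner that also trips a foothold signature on one host is paged rather than hidden by its own noise. The thresholds are assumed values to be tuned against your own traffic; the aim is that the two alerts the study's teams did answer are the two you would want answered, not the two that happened to be noticed.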
The tests also showed that a LOT of sensitive corporate data can be tracked down through traffic analysis outside the secure network. Personal email accounts, social networking sites, and blogs were high on the list of vectors that led the investigators to information they could use against a company to get inside its systems.
These tests actually led to the discovery of many activities the organisations may not have been aware of: insider trading, second jobs, sale of corporate assets, cult membership, tax or customs problems, copyright infringement, and more.
The tests were conducted as part of LogicaCMG's forensic computing courses for investigators, judges, and lawyers. Gotta give the props where they're due. [LogicaCMG]