"These guys are opportunists," he said, and they use scripts to identify targets displaying particular vulnerabilities. The vast majority of attacks fit this pattern, so it seems that an organisation that adopts relatively basic security precautions would be ahead of the game.
Interestingly, attacks rarely use exploits for vulnerabilities covered by the most recent patches. According to Mr Goudie, criminals most commonly target old issues. Zero-day exploits are real, he said, but they take serious amounts of effort to develop, so those responsible want to know they will get a good return on their investment. Consequently, the use of a zero-day against most Australian organisations would not be justified. "The return's just not there, and there are some soft targets around," explained Mr Goudie.
Another relatively common problem occurs when administrators fail to change default usernames and passwords on devices and applications, or where a service provider (or similar) uses the same credentials across all its clients. Although the latter practice is convenient for the SP's staff - they can use the same username and password regardless of the customer they are working on - Mr Goudie described it as "scary."
And it appears to be widespread: "We see that stuff all the time," he added.
SQL injection is "old news, but still valid," according to Mr Goudie. "It's still a very common way of stealing data."