In late September 2012, Australia’s CERT (Computer Emergency Response Team) received a spate of calls from more than 25 organisations being targeted by ransomware. The attacks encrypted files on the compromised system or locked the victim out of the desktop environment. The attacks also encrypted files in the system backups.
The victims were then asked by the attacker to pay a fine using a payment or money transfer service, to obtain the codes that would unlock the computer or decrypt the data.
The attacks have been disclosed by CERT in a major new report which outlines the extent of cyber crime in Australia. The 2012 Cyber Crime and Security Survey: Systems of National Interest was conducted to obtain a better understanding of how cyber incidents are affecting the Australian businesses that form part of Australia’s systems of national interest, including critical infrastructure.
“The findings from this survey provide a picture of the current cyber security measures these businesses have in place,” says Attorney General Mark Dreyfus. “They show the recent cyber incidents they have experienced, and their reporting of them.”
The report details many cyber threats, but the series of ransomware scares in September are perhaps the most concerning. In some cases, the ransomware included scareware, displaying a fake warning screen, claiming that the victim’s computer had been associated with criminal activity.
“This was a tactic to discourage the victim from reporting the attacks to law enforcement agencies or the CERT,” says the report. “For example, one warning screen was set up to look like it was from the Anti Cyber Crime Department of the Federal Internet Security Agency. There is no such agency.”
In the majority of cases, the attackers used Microsoft Remote Desktop Protocol as an entry point to the target network, possibly by using authentication credentials obtained by key loggers, or by accessing systems with weak credentials.
The severity of the damage done by the attacks varied across the target organisations. In the worst case scenario reported to the CERT, one victim lost 15 years’ worth of critical business data, which is a serious compromise.
“This case study highlights the nature of CERT Australia’s mission – it’s all about helping business best prepare for and respond to cyber attacks. It does this by using its government, industry and international partnerships to provide the most useful advice possible – as soon as possible.”
The report found that Australian business is taking cyber security seriously. But the survey results also indicate that many organisations are not confident that cyber security is sufficiently understood and appreciated by staff, management and boards.
In terms of cyber security incidents, more than half the organisations considered attacks on their organisation to be targeted. This indicates a shift from previous views or conceptions, that most attacks are non-targeted or indiscriminate.
And while the majority of attacks were reported to come from external sources, the fact that 44% originated from within organisations serves as a reminder that internally-focused cyber security controls and measures are also important.
Reporting of cyber security incidents – which is critical to the effectiveness of the government-business partnership – clearly requires further attention.
“CERT needs to articulate to business the benefits of reporting cyber security incidents to CERT Australia and to law enforcement, and that all information provided to the CERT is held in the strictest confidence.”
The key findings for this survey include:
- over 90% of respondents deployed firewalls, anti-spam filters and anti-virus software.
- two-thirds of respondents had documented incident management plans, however only 12% had a forensic plan.
- nearly two-thirds of organisations used IT security related standards.
- over two-thirds of respondents had staff with tertiary level IT security qualifications. Over half had vendor IT security certifications, whilst just under half had non-vendor IT security certifications.
- over 20% of organisations know they experienced a cyber incident in the previous 12 months, with 20% of these organisations experiencing more than 10 incidents.
Of the organisations which know they experienced cyber incidents:
- 17% suffered from loss of confidential or proprietary information, 16% encountered a denial-of-service attack, and 10% financial fraud
- 44% reported the incident to a law enforcement agency, whereas only 13% sought a civil remedy through action from legal counsel
- 20% chose not to report the matter to a law enforcement agency because of the fear of negative publicity
- the most common responses as to why incidents were successful were that the attackers used powerful automated attack tools, or exploited unpatched or unprotected software vulnerabilities or misconfigured operating systems, applications or network devices
- over half of all organisations have increased their expenditure on IT security in the previous 12 months.
CERT says that as there was a strong response rate of almost 60% for this inaugural survey, the findings are considered to be representative of this particular sample. The strong response rate also indicates a good level of trust between CERT and its business partners.