CeBIT 2011: NBN could be a cybercriminal's best friend: iWebGate

Faster broadband means speedier attacks, says expert

Once the National Broadband Network (NBN) rolls out, taking down companies that have yet to invest in network security and that publish network services to the internet will become much easier, according to a security expert.

iWebGate managing director, Tim Gooch, told attendees at CeBIT this week that many financial planning and accountancy firms were not taking security seriously.

He explained that the company, which specialises in network security, had recently tested the defences of an accounting firm and reached its internal server in less than seven seconds.

"One may argue that the way we look at it is that if you are one of many firms that don't take network security seriously, then this is a serious problem," Gooch said.

"If we chose to, it would take us about four months to plan a sophisticated attack such as spear phishing.

"We know about 60 per cent of financial planning firms publish their network services to the internet so that would be our target market."

According to Gooch, the attack could run a significant attack vector in about 12 hours and cause "significant damage".

Turning to the NBN rollout, which Senator Stephen Conroy announced on Monday had received additional funding, Gooch warned that hackers knew of the network's greater capability in delivering attacks and that the government had not addressed the security of nodes or endpoints.

"If more and more organisations join the NBN, our attack vectors move from 60 per cent of institutions to 90 per cent of companies," he said.

"Instead of taking 12 hours to run an attack vector, we could run it in under 20 minutes."

Gooch also said that companies needed to protect core principles such as assets.

"If we come to the nuts and bolts of a firewall, there is no network separation so the private network is in direct contact with other networks," he said.

"Firewalls are not secure because they allow data to travel in and out."

One system that could help with the separation of networks was a program similar to the US Department of Homeland Security's Control Systems Security Program (CSSP).

According to its website, the CSSP coordinates activities to reduce the likelihood of success and severity of impact of a cyber attack against critical infrastructure control systems through risk mitigation activities.

Putting in place breach notification disclosure laws similar to those in the US and Germany could also help change companies' attitudes towards network security, Gooch said.

"They [disclosure laws] are within the public’s best interests because it is not in their interests to have their credit card information taken," he said.

"If a network is breached in the US or Germany, you must notify your customers.

"When we look at the NBN, it’s a wonderful opportunity but to get this right, we must have some core security principles and regulations in place."

Follow Hamish Barwick on Twitter: @HamishBarwick
