Despite increases in the number and capability of botnets for distributed denial of service (DDoS) attacks, social engineering remains one of the largest cyber security threats to IT infrastructure according to the Australian Federal Police (AFP).
As opposed to DDoS and other remote hacking techniques, social engineering involves obtaining system passwords and potential flaws in security systems by speaking to IT departments or relevant staff.
Presenting to the Australian Computer Society’s Discover IT 2011 conference in Canberra, AFP detective superintendent, Brad Marden, said the “unwitting inside threat” account for the vast majority of successful attacks on information systems. That included, he said, recent attacks on cyber security firm HBGary, which was targeted by Anonymous after the company’s chief executive, Aaron Barr, boasted that he knew the identities of high-level members at the secretive hacking group.
Marden said the HBGary incident came as a result of “computer professionals who allow themselves initially to be socially engineered to give up a little bit of information”.
Lack of best practice and use of common passwords between low-end and critical systems allowed those involved to gain access to the company’s high-level infrastructure and ultimately deal damage.
Marden said the same was the case in several local instances, where the AFP has mounted investigations into hacking attempts on high-end sensitive systems as a result of “deliberate or inadvertent social engineering”.
“Once you’ve literally got unfettered access to a system, you can do whatever you want,” he said. “If you had the root-level admin access to the system, the world’s your oyster.”
The majority of cases investigated by the AFP could have been prevented, Marden said, by implementing some of the more basic principles set out in a list of 34 best practices mandated by the Cyber Security Operations Centre, a department of the Defence Signals Directorate.
The AFP’s high tech crime unit, of which Marden is a director, has moved to solve several of these issues by talking to a wider range of industry professionals and using the unit’s support team to educate the wider police department on cyber security measures including IP and Whois domain checks.
“We are going to end up with a quite educated police force from a cyber perspective,” Marden said. “But we know there will be some Luddites that are just never ever going to get up to that level.”
Talks are continuing with cyber security firms but, according to Marden, the AFP is not yet satisfied with the industry’s level of cooperation.
Marden’s warning came as the auditor-general this week scolded the Department of Prime Minister and Cabinet among other federal agencies for putting government security at risk through the use of Gmail and Hotmail on work computers. The department has since vowed to block access to the websites.
Follow James Hutchinson on Twitter: @j_hutch
Follow Computerworld Australia on Twitter: @ComputerworldAU