VPNs Insecure, Cyberterrorism Expert Says

Hackers are changing their methods and targets with executives' home computers and unsecured Virtual Private Networks (VPNs) the principal aim.

VPNs are not a secure technology, said the man who named the SQL Slammer worm Internet Security Systems X-Force director Chis Rouland, and provide an ideal back door to the company network.

Speaking to Australia's 'security elite' in Canberra this week and to critical infrastructure stakeholders including the Big Four banks, Rouland was joined by former FBI special agent and ISS director of emergency response Patrick Gray at invitation-only meetings to share US initiatives to combat cyberterrorism.

As 90 per cent of Australia's critical infrastructure is privately owned, Rouland said, it is the enterprise that has to take the lead. As methods of attack change, companies are increasingly becoming the target of hackers, he said.

While governments have traditionally been targets for attack — especially defence sites — ISS found e-commerce sites are increasingly being defaced by hactivists who want to send a political message.

"Another problem is that hackers develop exploits quicker than patches; there are about 400 vulnerabilities a month and companies are not in a position to patch all of them or decide which ones should be patched first," Rouland said.

In response ISS is offering a solution called Dynamic Threat Protection Techniques, which combines patching methodology with technology.

One of the key issues raised during discussions was information sharing and how competitors can work together to protect critical infrastructure.

ISS Australia managing director, Kim Duffy, said the CEOs of all four banks want to be reassured they are protected to compare threats because they realise "if one gets hacked it hurts everybody".

A presidential directive in the US lead to the establishment of an Information Sharing and Analysis Centre that provides a legal framework for the private sector to share information and maintain anonymity without public disclosure.

The ISS team believes a similar model could work here as the rules of disclosure ensures the government is notified and the relevant vendor is given 30 days before the information is made public allowing time to prepare a patch and fix the exploit.

"This allows companies to make business decisions on how to respond and mitigate the impact even before a fix is available," Rouland said.

Moves to make vendors more responsible for developing better quality, secure products is "unrealistic", according to Rouland.

He said the marketplace is too competitive to spend time doing extensive testing when vendors are fighting "feature for feature".

"[Vendors] have to get the product out quickly with features; if Microsoft tried to develop a perfectly secure .Net it would take 20 years and it would be out of business," he said.

Call for Cyberterrorism Council

Australia is vulnerable to cyberterrorism which has become the latest non-military weapon of choice, a defence expert and academic Dr Alan Ryan told a parliamentary committee.

He warned that cyberterrorism is the way of the future and the nation's security experts would have to focus their attention on the problem.

Speaking to a foreign affairs, defence and trade subcommittee, Ryan highlighted the growing incidences of viruses being used to attack computers. He cited the crash of a US military plane in Chinese territory after computer hackers attacked American systems.

"We're moving to a stage where this is going to be one of our greatest vulnerabilities and it's a virtual vulnerability," he said.

"But it's one that we as an information-reliant society — and to be honest a fairly bleak society in terms of our nation's security network — are going to have to pay a lot more attention to."

Ryan also advocated a national IT security council for Australia, similar to that in the US, and administered by a national security adviser to be run out of the Department of the Prime Minister.