Backtrack in the Outback - A Preliminary Report on Cyber Security Evaluation of Organisations in Western Australia
Association of Digital Forensics, Security and Law
Faculty of Computing, Health and Science
School of Computer and Security Science / Security Research Centre (secAU)
The authors were involved in extensive vulnerability assessment and penetration testing of over 15 large organisations across various industry sectors in the Perth CBD. The actual live testing involved a team of five people for approximately a four week period, and was black box testing. The scanning consisted of running network and web vulnerability tools, and in a few cases, exploiting vulnerability to establish validity of the tools. The tools were run in aggressive mode with no attempt made to deceive or avoid detection by IDS/IPS or firewalls. The aim of the testing was to determine firstly whether these organisations were able to detect such hostile scanning, and secondly to gauge their response. This paper does not extensively analyse the resultant empirical data from the tests this will be the subject of several other papers. Of the 15 agencies investigated, only two were able to detect the activity, and only one of these escalated this to authorities. Many had intrusion detection or prevention systems, but these did not appear to detect the scanning which was conducted. Others did not have any form of detection, only logging without active monitoring and some had no persistent logging of anything. Of those who did detect, the lack of a formal incident response and escalation plan hampered their ability to respond and escalate appropriately. Many of these organisations had recently, or very recently undergone penetration testing by external audit or IT companies, and yet there were still numerous vulnerabilities, or their system did not detect the scan. The conclusion is that organisations need to be very specific about what their needs are when engaging external agents to conduct network security testing, as current penetration testing is giving them a false sense of security
This document is currently not available here.