Wednesday 26 September 2007
IT management practices inadequate to preserve forensic evidence
The second annual New Zealand Computer Crime and Security Survey has revealed New Zealand organisations are ill-equipped
to preserve computer forensic evidence.
The University of Otago conducted survey – which aims to raise the level of security awareness and determine the scope
of computer crime in New Zealand – has found that IT management practices are inadequate when it comes to the
preservation of forensic evidence that could lead to criminal convictions for computer hackers or fraudulent employees.
University of Otago researcher KJ Spike Quinn is concerned that New Zealand organisations do not appreciate the full
seriousness of computer crime and associated consequences – both financially and with regard to the reputation of an
organisation.
“Management of forensic capability is woefully short of ensuring admissibility of evidence in court. Having a suitably
trained person first on the scene makes all the difference in whether a prosecution is successful,” Mr Quinn says.
Most organisations reported having the basic protection, such as antivirus and firewall technologies in place, but only
7 per cent of respondents had a forensically-trained first responder.
When an incident or intrusion occurred, 40 per cent reported it to management and 30 per cent did their best to patch
security holes in network systems. Only 16 per cent reported intrusions to law enforcement. A third of the respondents
who did not report intrusions to law enforcement were unaware of law enforcement interest.
Sixty-six per cent of New Zealand organisations invest of up to 5 per cent of their IT budget on security issues,
compared to the 43 per cent Australian and 55 per cent United States figures.
“This investment figure initially sounds good, but AusCERT found in its 2006 report that 51 per cent of respondents
considered an investment of up to 5 per cent to be inadequate. We need to be investing more now to be protected in the
long term,” Mr Quinn says.
Only 5 per cent of New Zealand organisations spent more than 10 per cent of their IT budget on security, compared with
13 per cent in the United States and 14 per cent in Australia.
“These figures, coupled with the forensic readiness finding, predict a rise in failed prosecutions. The implementation
of basic policies and procedures, plus basic security training, need to be adopted more widely. If there’s no training
and no procedure laid down, you can’t expect staff to act appropriately,” Mr Quinn says.
Centre for Critical Infrastructure Protection Managing Director Richard Byfield says security threats and risks continue
to increase and evolve to defeat our best defences.
“Key cyber threats include those from foreign intelligence services, organised crime syndicates, political activists,
individuals acting alone, botnets and spam. As the tools and techniques of the adversaries improve, so must our ability
to detect and deter these threats.”
Although most organisations surveyed had basic security features, technology solutions alone are not enough and
organisations need to build a culture of cyber security, Mr Byfield says.
“People are a key component to raising the security posture of an organisation, but they need to be supported by clear
and practical policy and procedures. On-going cyber security education and awareness initiatives are essential to
ensuring that people are sensitised to the threats,” Mr Byfield says.
The survey also found that only 22 per cent of New Zealand respondents reported unauthorised use of computer resources,
whereas the US figure was 52 per cent. This is possibly because New Zealand has greater access to computers and the
Internet away from work.
The 2006 survey considered prevalence of security incidents, percentage of information technology department budget
spent on security issues, use of cyber-security incident insurance, and intruder detection systems and other
technologies, as well as popularity of workstation operating systems. Survey results are based on the responses of 113
computer security practitioners in New Zealand manufacturing, governmental, financial and medical organisations, and
tertiary education providers regarding the 2005 calendar year.
ENDS