Analysis of recent cyber security auditing involving 1 323 routers and 452 network switches revealed that only a small percentage were patched adequately, and even fewer were configured in a secure manner.
Two of Charles Sturt University’s (CSU) experts in cyber security have presented cyber security research into the consequence of misaligned incentives in cyber security and its relationship to audit, demonstrating how the existing audit process leads to security breaches and concluding that misspent funds add little value to an organisation’s cyber security controls.
In a three-year research effort, Charles Sturt University (CSU) adjunct lecturer, Asia Pacific Director of GICSR and leading Australian cyber security expert Dr Craig Wright and CSU lecturer Dr Tanveer Zia have correlated and measured the relationship between cyber security and systems audits.
Dr Wright noted that, “It may be easier to measure compliance than it is to measure security, but spending money to demonstrate compliance does not in itself provide security”. Dr Wright and Dr Zia’s research shows that audit firms have little incentive to audit less-common systems. In particular, core networking equipment and systems outside the normal scope of an audit framework are commonly not examined.
In an analysis of 1 323 routers and 452 network switches, Dr Wright found that only 3.99 per cent and 1.2 per cent of these systems respectively were patched adequately and configured in a secure manner. The organisations running these systems all came under regular security audits from reputable firms, with some being covered under the ISO 27000 and Payment Card Industry Data Security Standard (PCI DSS) information security standards. In these audits, not a single check of the network equipment firmware had been conducted in any organisation for over three years.
“Until we start measuring security on a constant and consistent basis and do not just take selected aspects of an organisation’s cyber security in isolation, critical systems will remain at severe risk of compromise. The existing audit and compliance industry needs to change to a cyber security monitoring approach as point-in-time solutions continue to fail us again and again,” Dr Wright said.
“Cyber security is one of the greatest challenges faced in an ultra-competitive international environment,” Dr Wright said, noting that gross cyber security failures, such as those recently reported on the Western Australian Government’s failed cyber security assessment, occur due to a flawed compliance structure where security takes a backseat to simplified checkbox processes. He reports that all it takes is a single flaw to breach a system and no matter how securely the hosts are patched and configured, if the surrounding infrastructure is not also secured fully, an attacker can breach the system.
In an initiative aimed at developing skilled cyber security professionals who are capable of dealing with the existing failings and who can help improve the security posture of the country as a whole, CSU has introduced a range of postgraduate qualifications in Information Systems Security. There are currently 161 IT professionals enrolled in CSU’s security qualifications, and Dr Wright believes that Australia’s security profile will improve as these students start applying what they have learnt in the workplace. The qualifications are unique in that they incorporate a wide range of industry-best-practice security certifications, such as CISSP and Certified Ethical Hacking.