IT practices inadequate for forensic evidence

Wednesday 26 September 2007

IT management practices inadequate to preserve forensic evidence

The second annual New Zealand Computer Crime and Security Survey has revealed New Zealand organisations are ill-equipped to preserve computer forensic evidence.

The University of Otago conducted survey – which aims to raise the level of security awareness and determine the scope of computer crime in New Zealand – has found that IT management practices are inadequate when it comes to the preservation of forensic evidence that could lead to criminal convictions for computer hackers or fraudulent employees.

University of Otago researcher KJ Spike Quinn is concerned that New Zealand organisations do not appreciate the full seriousness of computer crime and associated consequences – both financially and with regard to the reputation of an organisation.

“Management of forensic capability is woefully short of ensuring admissibility of evidence in court. Having a suitably trained person first on the scene makes all the difference in whether a prosecution is successful,” Mr Quinn says.

Most organisations reported having the basic protection, such as antivirus and firewall technologies in place, but only 7 per cent of respondents had a forensically-trained first responder.

When an incident or intrusion occurred, 40 per cent reported it to management and 30 per cent did their best to patch security holes in network systems. Only 16 per cent reported intrusions to law enforcement. A third of the respondents who did not report intrusions to law enforcement were unaware of law enforcement interest.

Sixty-six per cent of New Zealand organisations invest of up to 5 per cent of their IT budget on security issues, compared to the 43 per cent Australian and 55 per cent United States figures.

“This investment figure initially sounds good, but AusCERT found in its 2006 report that 51 per cent of respondents considered an investment of up to 5 per cent to be inadequate. We need to be investing more now to be protected in the long term,” Mr Quinn says.

Only 5 per cent of New Zealand organisations spent more than 10 per cent of their IT budget on security, compared with 13 per cent in the United States and 14 per cent in Australia.

“These figures, coupled with the forensic readiness finding, predict a rise in failed prosecutions. The implementation of basic policies and procedures, plus basic security training, need to be adopted more widely. If there’s no training and no procedure laid down, you can’t expect staff to act appropriately,” Mr Quinn says.

Centre for Critical Infrastructure Protection Managing Director Richard Byfield says security threats and risks continue to increase and evolve to defeat our best defences.

“Key cyber threats include those from foreign intelligence services, organised crime syndicates, political activists, individuals acting alone, botnets and spam. As the tools and techniques of the adversaries improve, so must our ability to detect and deter these threats.”

Although most organisations surveyed had basic security features, technology solutions alone are not enough and organisations need to build a culture of cyber security, Mr Byfield says.

“People are a key component to raising the security posture of an organisation, but they need to be supported by clear and practical policy and procedures. On-going cyber security education and awareness initiatives are essential to ensuring that people are sensitised to the threats,” Mr Byfield says.

The survey also found that only 22 per cent of New Zealand respondents reported unauthorised use of computer resources, whereas the US figure was 52 per cent. This is possibly because New Zealand has greater access to computers and the Internet away from work.

The 2006 survey considered prevalence of security incidents, percentage of information technology department budget spent on security issues, use of cyber-security incident insurance, and intruder detection systems and other technologies, as well as popularity of workstation operating systems. Survey results are based on the responses of 113 computer security practitioners in New Zealand manufacturing, governmental, financial and medical organisations, and tertiary education providers regarding the 2005 calendar year.

ENDS

© Scoop Media