Security Experts Complacent About Physical Network Attacks, Study Finds

Security experts may be underestimating the security threat posed by physical attacks to the Internet’s infrastructure, a Lancaster University researcher has said.

A study exploring the emerging and future threats to telecommunication networks, led by Lancaster University, found that just nine percent of respondents considered physical attacks to the internet infrastructure to be a likely threat to future internet security.

Respondents, comprising network and security experts from academia, industry and government, appeared to be more worried about the misuse of data and malicious traffic attacks on the network.

Dr Andreas Mauthe, from Lancaster's School of Computing and Communications, said: "It was surprising that experts have very little concern regarding physical attacks on the infrastructure, for example links taken out on purpose, or by natural disasters.

"These kinds of effects would probably merit some further investigation into the impact on the overall Internet services [as web traffic gets rerouted if parts of the network are knocked out]. People responsible for the critical infrastructure should be concerned and should gather more knowledge to make more informed decisions."

The research found that a third of respondents put breaches of trust within companies and misuse of personal information as their number one internet security concern.

This was followed by the threat of malicious network traffic attacks, at 27 percent.

However, there was a stark difference between the opinions of industry and academic experts, which Mauthe also found surprising.

Industry experts tended to classify social engineering attacks, such as the misuse of information, as one of the most important future risks, while researchers put malicious traffic attacks (such as Distributed Denial Of Service or botnets) and physical network attacks first.

"One aspect is we are becoming more and more dependent on Internet-based service provision [for example online banking] and if users are not careful with their data, they might have their data misused.

"Industry is quite confident about their infrastructure and the security they built in, so their major concern is the user aspect," Mauthe suggested.

Meanwhile, Philippe Jan, a tutor in cyber security at Lancaster University and former head of the internal technology training team at Symantec, suggested that industry may be more concerned about social engineering attacks because they may have experienced some of those attacks first hand.

"Once you've had the publicity of an attack, you raise the profile of those attacks in your own head," he said.

However, as a former employee in industry, Jan also found it surprising that physical security was not a high priority.

"People seem more fearful of risks they've seen or heard about in the news. From a security point of view, we would see physical security as key and the priority. If you don't have physical security it's very difficult to secure things further."

The research was carried out as part of the government-funded India-UK Advanced Technology Centre (IU-ATC) in Next Generation Networks Systems and Services programme, and involves a team led by Mauthe, Professor Gerard Parr from the University of Ulster and Professor Hema Murthy from IIT Madras, India.

Copyright © 2011 IDG Communications, Inc.
