Press Release: ITAC: Australia's Leading IT Security Consultancy - Client: ITAC - Date: June 2000


Computer hacking is a term usually synonymous with the notion of subversive vandals tampering with corporate networks, though Australian ethical hacking firm ITAC is in fact the antithesis of hacking as it is commonly known, providing one of the most thorough network security services throughout Australia and the Asia Pacific.

ITAC is a wholly Australian IT security consultancy that has grown to become one of the country's most regarded IT security consulting firms. Providing some of the world's most innovative network security services, the company has performed network security checks for some of the world's top organisations, from assorted national and international government agencies, through to stock exchanges, banks, insurance companies, the manufacturing sector, educational institutions, and healthcare environments.

ITAC has made its mark overseas as a representative of Australian initiative by developing its own network intrusion detection system (NIDS). According to MD Stephen James, "The ITAC-NIDS identifies attacks as they occur and responds to them by sending an alert to the security administrator and/or blocking the attack before it actually causes damage. The system is an absolute must for any e-commerce initiative".

ITAC has also developed a secure logging server which works with the NIDS to capture logging and audit trail information. The server stores this in a highly secure environment. This is an absolute must for an organisation's forensic capabilities to be able to use this information in a court of law. Being recognised as the leaders in IT security and hacker activities, ITAC keeps its NIDS up to date whenever a new bug or vulnerability is identified which could enable an attacker to compromise a network.

ITAC was established by MD Stephen James in 1995. Prior to establishing his own security consultancy, James worked with Price Waterhouse for around 5 years. ITAC now has offices in capital cities around Australia and an ever-growing team of security specialists, employing staff throughout Australia, including Sydney, Canberra, Hobart and Perth.

ITAC MD, Stephen James explained the ethical hacking process, "Hackers and crackers use freely available software that anyone can download from the Internet. These tools include programs and scripts which either deny service to a machine, identify programs that are running on a machine or identify security exploits and vulnerabilities on a machine or network.

"In summary, a penetration test will start by gathering information about the target organisation (eg. web sites, what firewalls they may use, their network address ranges etc). We would then scan their perimeter defences to determine what programs (services) they are running. We would then methodically try to attack each of those services. At the same time, we would perform manual attacks such as social engineering, dumpster diving, floor walk attacks and physical access attacks.

"ITAC does not use commercial scanning tools as we don't believe an attacker would pay tens of thousands of dollars to buy such tools, instead we use the same scripts and techniques used by hackers around the world."

"When ITAC performs ethical hacks," James says, "we use a combination of technical attacks and manual attacks. Technical attacks include the programs and scripts described above as well as special programs that we develop specifically for a particular job. Manual attacks include social engineering attacks (eg calling users at random and asking for their passwords), physical security attacks (eg crawling through airconditioning ducts), dumpster diving attacks (eg looking through rubbish bins to find security-relevant information) and floor walk attacks (eg walking up to a terminal that is left logged on and unattended).

"A good penetration test includes attacks against the organisation's technical security controls as well as their manual controls. Focusing on the technical controls alone is meaningless. A good penetration test will also determine the level of risk faced by the organisation from both an internal and an external attacker. This is particularly important considering that around 68% of computer crime is still committed by people inside an organisation," James said.

Expansion

In order to service the growing demands of the Australian corporate community, ITAC has recently established an office in Hobart. In tandem with its expansion, the company will continue to recruit additional staff to its Murray Street offices in Hobart, while offering one of the most comprehensive training courses in the nation.

As part of its expansion and growth, ITAC has three professional services groups within the organisation: Security Consulting Group, Security Management Group and the Software Development Group.

Each group is continually growing and looking for new recruits. The Security Consulting Group provides IT security consulting services such as development and implementation of policies and standards, security audits and penetration tests, security awareness training (including the ITAC Applied Hacking course) and system hardening services.

The ITAC Security Management Group manages the security for clients ranging from management of firewalls, hosting of secure web servers, and the full outsourcing of IT security. The Software Development Group is responsible for the development of tailor-made security solutions for clients where commercial products are inadequate, eg tailor-made firewalls, the ITAC NIDS, secure web servers and tailor-made secure e-commerce solutions.

As Australia's leaders in hacker studies and techniques, ITAC has also contributed extensively to the Australian security committee by having established an internal group called ENIGMA. ITAC-ENIGMA works with various vendors, police computer crime squads and AUSCERT to identify vulnerabilities in various software packages such as Microsoft products and Unix variants before malicious attackers do.

ITAC-ENIGMA also identifies controls and solutions to mitigate newly identified vulnerabilities. ITAC-ENIGMA can be found at the ITAC website: www.itaudit.com.au

Training

ITAC has recently developed a unique five day security training course called the ITAC Applied Hacking & Effective Countermeasures course. The only course of its kind in Australia, it teaches how hackers hack, the tools they use, how to hack via Unix and NT, how to hack firewalls, how to implement an effective security framework for both e-commerce and day to day operation, and how to apply countermeasures to avoid those risks.

Participants in the ITAC Applied Hacking & Effective Countermeasures course will be required to undergo a vetting process before being accepted into the course. Course dates and venues for each Australian capital city will be publicised on the ITAC website at: www.itaudit.com.au.

Written by Craig Stephens
