November 2004 – Page 6 – CyberSecurity Institute

Factoids on Security

Posted on November 11, 2004December 30, 2021 by admini

Two-thirds of users say they don’t get computer security training at work.

Infosec jobs will reach an estimated 2.1 million in 2008.

Very few companies are complying with CAN-SPAM Act.

Nearly two-thirds of enterprises use commercial spam filtering software or appliances.

One in 10 companies has not tested its disaster recovery systems in more than a year.

Congress plans to allocate $3.6 billion for first responders in 2005.

More than one-third of companies do not have an integrated, comprehensive BC/DR plan.

Coast Guard sees budget jump more than $700 million for FY 2005.

Phishing attacks grow in number, and their prey have not wised up.

E-mail archive software revenues doubled from 2003 to 2004.

Survival time for unpatched Windows PCs cut in half.

Federal IT security spending for fiscal year 2005 shows just 2 percent increase.

Although many companies measure security performance, two-thirds don’t measure ROI for risk management.

Product and financial-related messages rank as top spam categories for April.

U.S. consumers identify top five potential sources of ID theft.

Training IT staff in basic security can reduce breaches, but it’s not for everyone.

Spim (IM Spam) messages will total 1.2 billion messages in 2004.

Worms and blended threats accounted for 43 percent of Internet attack activity between July and December 2003.

Online consumers trust their employers more than any other organization.

Spam will account for more than half of all e-mail messages in 2004, costing businesses billions.

MyDoom outbreak hits specific websites, leaves rest of Net undisturbed.

Nearly one in five U.S. consumers know a victim of online credit card fraud.

Identity theft and fraud cost Americans some $437 million in 2003.

Most online consumers believe their passwords are secure, but almost half of them never change their passwords.

Identity theft and credit card theft top consumer fraud fears this holiday season.

The United States leads the world in e-commerce fraud, generating 47.8 percent of worldwide fraudulent transactions.

Nearly three in four health care companies don’t bother to justify information security spending.

Uncle Sam seeks IT workers with security clearance and basic programming skills.

More digital attacks originate from Brazil than anywhere else; so far the 2003 count stands at more than 95,000 digital attacks.

Product related e-mails account for 20 percent of all spam, but Internet related messages show biggest increase.

Business Process Management tools gain traction in the enterprise.

The FTC projects 210 million complaints reported to its identity theft clearinghouse by year-end 2003.

Businesses and consumers lose more than $50 billion to identity theft over the last five years.

A majority of U.S. companies did not have formal plans in place to handle recent blackouts in the eastern United States.

The majority of Fortune 1000 execs are better prepared than they were two years ago to recover from a disaster.

Message security market will grow to $1.1 billion by 2007.

Many PDA users keep sensitive business information on their PDAs.

More than one-third of Canadians say their personal information has been compromised online.

Web application security products and services market to hit $1.74 billion by 2007.

Global financial firms spend about 6 percent of their IT budgets on security; many have increased staff since 2001.

Corporate losses caused by spam will grow from nearly 10-fold from 2003 to 2007.

Most broadband users store confidential information on their computers but lack proper firewall protection.

Security concerns top list of barriers for online banking.

North America was the main source for global security incidents and attacks from the fourth quarter of 2002 through the first quarter of 2003.

U.S. consumers to lose $73.8 billion to identity theft.

Chinese developers see spike in security breaches.

More than half of Web shoppers want more secure payment options.

Storing data is the easy part; recovering data is another story.

Klez.E attacks have dropped over last year, but the virus remains one of the most popular.

Spam attacks increased 4 percent from February to March.

Nearly 50,000 Internet fraud incidents were reported in 2002.

Nearly one-third identity thefts lead to credit card fraud.

Just 42 percent of consumers think businesses handle personal information in a proper and confidential way.

Nearly one-third of virus attacks in February can be blamed on the Klez.E worm.

One in three companies would lose critical data or operational capability during a disaster because their recovery plans are not adequately funded.

Digital attacks against U.S., U.K. on the rise.

Less than half of companies have intrusion detection systems in place.

Many IT professionals expect military forces or terrorists to launch a large-scale cyberattack within two years.

The United States was the number-one target of hackers in 2002.

Protecting credit card information during online purchases is of concern to 92.4 percent of Web shoppers.

Damages from digital attacks total $8 billion in January.

Companies rank virus threats as top security priority for 2003.

Online auctions account for half of Internet fraud complaints.

Fridays and weekends are prime-time for hackers.

Retailers lose about 1 percent of transaction volume to credit card fraud.

Three percent of online sales will be lost because of credit card fraud.

A recent survey finds that investments in identity management technologies can pay off, but few companies are investing.

Security and business continuity a top priority for 29 percent of companies in 2003.

Most Web shoppers are concerned about their personal information being sold or stolen.

Of U.K. companies that allow remote access to company networks, 52 percent are worried about security problems.

More than 40 percent of companies spend 5 percent or more of their IT budget on security.

Internet attacks against public and private organizations jumped 28 percent from January to June 2002.

One in every 24 e-mail received by U.K. retailers contains a virus.

The vulnerability scanning and assessment market will thrive as CIOs seek security help outside the organization.

More government websites are posting privacy and security policies.

Just 30 percent of Canadian CEOs think their security measures are effective.

More than 80 percent of U.S. security professionals fear hacker attacks on their networks.

Nearly one-third of companies say they don’t have adequate plans for combatting cyberterrorism.

IT professionals fear a cyberattack by terrorists within two years.

Roughly 180,000 Internet-based attacks hit U.S. businesses in first half of 2002.

Nearly all consumers say disclosure is important for e-commerce websites.

Most online consumers are willing to trade personal info for rewards.

More than 49,000 complaints of Internet fraud filed in 2001.

Nearly 75 percent of U.S. websites have a privacy policy.

New markets push spending on corporate protection.

Chief security officers who report to the CFO make twice as much as those who report to the CIO.

Most (64%) people don’t pay attention to privacy policies.

More than two-thirds of e-retailers are taking extra precautions against fraud this year.

Reports on inside security breaches up 7 percentage points over 2000.

Many companies aren’t prepared for dealing with disruption.

Most marketing companies have a CPO; nearly half use consultants.

Employers look to employee Internet monitoring to stem liability and security issues.

Companies spend $140 million per year worldwide to monitor employee Internet, e-mail use.

Consumers say they are 12 times more likely to be defrauded online than offline.

Just 16 percent of managers and IT staffers surveyed said that their companies were members of an industry consortium that addressed privacy issues.

The secure content delivery market will reach $2 billion by 2005.

Security breaches occur at 85% of U.S. businesses and government organizations.

Increased awareness means that European and U.S. firms will boost security spending.

How much depends on what companies are willing to risk.

Increased awareness means that European and U.S. firms will boost security spending.

How much depends on what companies are willing to risk.

Spending on security will grow from $8.7 billion to $30.3 billion worldwide.

Consumers want companies to ask permission before taking personal data.

http://www.csoonline.com/metrics/index.cfm

Banks brace for cashpoint attack

Posted on November 11, 2004December 30, 2021 by admini

This fall the Global ATM Security Alliance (GASA) published what it says are the first international cyber security guidelines specifically tailored to cash machines. Experts see new dangers as legacy ATMs running OS/2 give way to modern terminals built on Microsoft Windows.

“The recommendations presented in this manual are essentially designed to provide a common sense approach to the rapidly changing threat model that the introduction to the ATM channel of the Windows XP and other common use operating systems, as well as the TCP/IP network protocol suite, has created,” said the manual’s author, Ian Simpson, in a statement.

The move comes one year after the Nachi worm compromised Windows-based automated teller machines at two financial institutions, in the only acknowledged case of malicious code penetrating ATMs. The cash machines, made by Diebold, were built on Windows XP Embedded, which suffered from the RPC DCOM security hole Nachi exploited. In response to the incident, Diebold began shipping new Windows-based ATMs preinstalled with host-based firewall software, and offered to add the program for existing customers.

Though ATMs typically sit on private networks or VPNs, supposedly-isolated networks often have undocumented connections to the Internet, or can fall to a piece of malicious code inadvertently carried beyond the firewall on a laptop computer.

Last year’s Slammer worm indirectly shut down some 13,000 Bank of America ATMs by infecting database servers on the same network, and spewing so much traffic that the cash machines couldn’t processes customer transactions.

The goal of the ATM cyber security best practices document, which has not been made public, and a related white paper developed by GASA, is “to be proactive in fighting what might be the next wave of ATM crime – namely cyber attacks,” said Mike Lee, founding coordinator of the group, in a statement.

GASA’s members include fraud prevention agencies, financial industry associations, the US Secret Service, Visa and MasterCard, and some ATM networks and manufacturers, including Diebold and NCR.

http://www.newsisfree.com/iclick/i,60511486,1393,f/

Microsoft to back customers in infringement cases

Posted on November 10, 2004December 30, 2021 by admini

The company said the protection extends to current and older versions of its software, including its Windows operating system, Office desktop software and SQL Server database. The company already offers unlimited protection to its volume license customers but is adding the indemnity for customers who buy its key products in other ways, such as from a computer maker or even off a retail shelf. “When we looked at things, there was no reason not to provide that coverage to all those folks as well,” said David Kaefer, director of intellectual-property licensing for Microsoft.

The protection covers four main types of claims: patent, copyright, trade secret and trademark. The protection extends to nearly all of Microsoft’s products, with the main exception being embedded versions of Windows, largely because customers are able to modify the code.

Of course, it’s not just altruism that motivates the software maker. The company plans to make indemnity a new plank in its “Get the Facts” campaign, which touts the advantages of Windows over Linux. Chief Executive Steve Ballmer talked about indemnity as a key differentiator during Tuesday’s shareholder meeting. “We enhance the intellectual-property indemnifications we give our customers,” Ballmer said at the meeting. “We can stand behind our products in a way that open source can’t because they have no one standing behind them.”

Kaefer said the argument is resonating with some customers who are concerned about liability. “More and more customers are realizing you don’t get what you don’t pay for,” he said.

Hewlett-Packard and Novell have offered liability protection to some Linux customers, but both Microsoft and analysts note that most of the protections from the Linux vendors are more limited.

Last year, Microsoft lifted a cap for its volume-licensing customers that had limited the dollar amount of protection Microsoft offered its customers against intellectual-property claims resulting from their use of Microsoft software.

Microsoft has been beefing up its own intellectual-property portfolio, a move that Kaefer said does make it easier for Microsoft to offer such protections. “The reason we are able to do this at all is because we have done some of the things that you have to do earlier in the process,” he said.

As part of the announcement, Microsoft highlighted two customers–Regal entertainment and ADC Telecommunications–that said that indemnity was key to their choice of Windows over Linux. “We simply aren’t interested in having to worry about potential legal risks of deploying Linux in this environment,” ADC Telecommunications manager Jamey Anderson said in a statement.

http://news.com.com/Microsoft+to+back+customers+in+infringement+cases/2100-1014_3-5445868.html?part=rss&tag=5445868&subj=news.1014.5

Boom times ahead for IT security profession

Posted on November 9, 2004December 30, 2021 by admini

Approximately 680,000 of this expanded workforce will work in Europe.

IDC analysed responses from 5,371 full-time information security professionals in 80 countries worldwide, with nearly half employed by organisations with $1bn or more in annual revenue. The web-based study is described as the first major study of the global information security profession ever undertaken.

On average survey respondents had 13 years work experience in IT and seven years specialised security experience. This wealth of skill is often well rewarded.

Around 10 per cent of the survey participants in both the US earned more than $125,000 per annum; 22 per cent of US residents who took part in the survey earned between $100,000-$120,000 a year (Europe 16 per cent).

At the other end of the scale, five per cent of security pros in the states and nine per cent in Europe earn less than $50,000.

In Asia, 60 per cent of security professionals earn less than $50,000.

Managers hiring security professionals (93 per cent) said certification was important in choosing potential recruits; but commercial awareness is also becoming increasingly important.

“The study shows a shift in the information security profession, indicating that business acumen is now often required along with technology proficiency,” said Allan Carey, the IDC analyst who led the study. “This widening responsibility means information security professionals not only have to receive a constant refresh of the best security knowledge but also must acquire a solid understanding of business processes and risk management to be successful in their roles.”

“With competing demands on industry and government to expand access to services and information, the highly trained and experienced information security professional must now be an active participant to fulfil stringent regulatory requirements and provide proactive solutions to circumvent emerging risks,” he added.

http://www.theregister.co.uk/2004/11/09/isc2_security_job_survey/

Small Vendors Issue Security Challenge To Large Competitors

Posted on November 9, 2004December 30, 2021 by admini

Their stated goal is to promote more consistent metrics for customers to evaluate products.

The situation, as these upstarts describe it, is a growing market for Web application security–which the Yankee Group tags at $2 billion over the next five years–and suspect claims from vendors about the capabilities of their products.

In a prepared statement, the foursome suggests that some vendors are selling security short. “We are united regarding the minimum criteria that any security product must meet to provide acceptable protection for mission-critical Web applications,” the companies state.

“It’s pretty remarkable that these companies have come together,” says James Slaby, an analyst with the Yankee Group.

http://www.informationweek.com/showArticle.jhtml;jsessionid=J3XAEQLVWKL4KQSNDBNCKHSCJUMEKJVN?articleID=52600320

CA gives anti-spyware a consumer face

Posted on November 8, 2004December 30, 2021 by admini

While the business-oriented products stand as updates from the anti-spyware applications marketed by PestPatrol before the CA buyout, the consumer package marks the first time the technology has been tailored specifically for home users by either company.

Sam Curry, vice president of eTrust security management at CA, said the company has identified more than 1,200 new strains of spyware over the last eight months–a sign of the growing threat of the nefarious software.

Spyware applications are typically installed without a user’s permission via Web browser exploits or e-mail programs, with the intent of surreptitiously tracking computer usage, stealing personal information or sending spam.

Among the primary changes CA said it made to the PestPatrol technology for business customers are improved reporting capabilities, faster spyware scanning tools and expanded customer support. The corporate version also provides security administration controls to manage protection for large numbers of desktops. In addition, executives said that CA has reworked the products’ licensing terms for companies.

The PestPatrol interface has been redesigned in the consumer package to make it easier to use by people who are not IT professionals, CA said. For instance, the Anti-Spyware r5 software, which will retail for $39, enables people to set up automated scanning schedules and receive reports on what has been fixed. That contrasts with a process where they would have to manually fix and test systems using a readout of what the software had found.

Curry said that consumers are finding that Spybot and other anti-spyware applications available for free download over the Internet can no longer tackle all varieties of spyware. He believes that customers will be willing to pay for tools that do a better job. “The most important thing for people to realize about spyware is that it doesn’t function like a virus, where you can find it and clean it off your computer fairly easily,” Curry said. “When you look at spyware, there could be hundreds more points of infection. It may not be as life or death to your computer as a virus, but there are certainly big implications about how personal a spyware attack can be.”

While many companies have identified spyware as a major concern, research shows that few are using technology specifically designed to combat the problem. In a nationwide survey of IT managers and executives released by Equation Research, 70 percent expressed growing concern over the issue, but fewer than 10 percent said they have installed anti-spyware software.

http://news.com.com/CA+gives+anti-spyware+a+consumer+face/2100-1029_3-5443428.html?part=rss&tag=5443428&subj=news.1029.5