Category: Statistics

The count of known viruses broke the 100,000 barrier and the number of new viruses grew by more than 50%. Similarly phishing attempts, in which conmen try to trick people into handing over confidential data, are recording growth rates of more than 30% and attacks are becoming increasingly sophisticated.

Also on the increase are the number of networks of remotely controlled computers, called bot nets, used by malicious hackers and conmen to carry out many different cyber crimes.

One of the biggest changes of 2004 was the waning influence of the boy hackers keen to make a name by writing a fast-spreading virus, said Kevin Hogan, senior manager in Symantec’s security response group. Although teenage virus writers will still play around with malicious code, said Mr Hogan, 2004 saw a significant rise in criminal use of malicious programs.

The financial incentives were driving criminal use of technology, he said. The Anti-Phishing Working group reported that the number of phishing attacks against new targets was growing at a rate of 30% or more per month. Those who fall victim to these attacks can find that their bank account has been cleaned out or that their good name has been ruined by someone stealing their identity.

This change in the ranks of virus writers could mean the end of the mass-mailing virus which attempts to spread by tricking people into opening infected attachments on e-mail messages.

The opening months of 2004 did see the appearance of the Netsky, Bagle and MyDoom mass mailers, but since then more surreptitious viruses, or worms, have dominated.

Mr Hogan said worm writers were more interested in recruiting PCs to take part in “bot nets” that can be used to send out spam or to mount attacks on websites.

Anti-spam firms report that, in many cases, legitimate e-mail has shrunk to less than 30% of messages.

In the past, threats to smart phones have been largely theoretical because the viruses created to cripple phones existed only in the laboratory rather than the wild.

On the positive side, Finnish security firm F-Secure said that 2004 was the best-ever year for the capture, arrest and sentencing of virus writers and criminally-minded hackers.

http://news.bbc.co.uk/1/hi/technology/4105007.stm

Over the next two years, more than half of U.S. and European multinational companies expect to boost their spending on compliance by 23 percent, according to a new survey of business executives by management consultant PricewaterhouseCoopers.

Nearly all respondents said they plan to make improvements to their company’s compliance efforts, with the average expenditure rising 9.9 percent.

But 44 percent of senior executives said their companies do not have a clear view of its total compliance spending.

Even at companies that do say they have a clear view, executives likely aren’t accounting for other costs, such as those for remediation, penalties, fines, lost revenue and lost management time.

Thirty-two percent of executives described their compliance programs as “very efficient,” while 59 percent rated their programs as “somewhat inefficient.”

The Sarbanes-Oxley Act, passed in 2002, is designed to prevent financial malpractice and accounting scandals. A key provision of the law, Section 404, which took effect Nov. 15, requires publicly traded companies to put in place controls over the flow of financial information.

“Companies are spending significant sums of money–even more than they realize–in order to improve compliance effectiveness and efficiency, but executives are finding that they are not receiving the return on investment they expected,” Dan DiFilippo, head of governance and compliance issues at PricewaterhouseCoopers, said in a statement. “The risks are just too great for companies to operate with ineffective compliance programs.”

External requirements and regulations account for 74 percent of total compliance costs, according to the survey.

U.S. multinationals spend a higher percentage on external requirements than their European counterparts, while European companies spend a higher percentage on compliance with internal guidelines, including ethics rules, codes of conduct and risk management rules. In the United States, compliance with Sarbanes-Oxley regulations accounts for 54 percent of total compliance spending. In Europe, that figure is 12 percent.

http://news.com.com/Companies+dig+deep+for+ethics+compliance/2100-1014_3-5465982.html?part=rss&tag=5465982&subj=news.1014.5

Two-thirds of users say they don’t get computer security training at work.

Infosec jobs will reach an estimated 2.1 million in 2008.

Very few companies are complying with CAN-SPAM Act.

Nearly two-thirds of enterprises use commercial spam filtering software or appliances.

One in 10 companies has not tested its disaster recovery systems in more than a year.

Congress plans to allocate $3.6 billion for first responders in 2005.

More than one-third of companies do not have an integrated, comprehensive BC/DR plan.

Coast Guard sees budget jump more than $700 million for FY 2005.

Phishing attacks grow in number, and their prey have not wised up.

E-mail archive software revenues doubled from 2003 to 2004.

Survival time for unpatched Windows PCs cut in half.

Federal IT security spending for fiscal year 2005 shows just 2 percent increase.

Although many companies measure security performance, two-thirds don’t measure ROI for risk management.

Product and financial-related messages rank as top spam categories for April.

U.S. consumers identify top five potential sources of ID theft.

Training IT staff in basic security can reduce breaches, but it’s not for everyone.

Spim (IM Spam) messages will total 1.2 billion messages in 2004.

Worms and blended threats accounted for 43 percent of Internet attack activity between July and December 2003.

Online consumers trust their employers more than any other organization.

Spam will account for more than half of all e-mail messages in 2004, costing businesses billions.

MyDoom outbreak hits specific websites, leaves rest of Net undisturbed.

Nearly one in five U.S. consumers know a victim of online credit card fraud.

Identity theft and fraud cost Americans some $437 million in 2003.

Most online consumers believe their passwords are secure, but almost half of them never change their passwords.

Identity theft and credit card theft top consumer fraud fears this holiday season.

The United States leads the world in e-commerce fraud, generating 47.8 percent of worldwide fraudulent transactions.

Nearly three in four health care companies don’t bother to justify information security spending.

Uncle Sam seeks IT workers with security clearance and basic programming skills.

More digital attacks originate from Brazil than anywhere else; so far the 2003 count stands at more than 95,000 digital attacks.

Product related e-mails account for 20 percent of all spam, but Internet related messages show biggest increase.

Business Process Management tools gain traction in the enterprise.

The FTC projects 210 million complaints reported to its identity theft clearinghouse by year-end 2003.

Businesses and consumers lose more than $50 billion to identity theft over the last five years.

A majority of U.S. companies did not have formal plans in place to handle recent blackouts in the eastern United States.

The majority of Fortune 1000 execs are better prepared than they were two years ago to recover from a disaster.

Message security market will grow to $1.1 billion by 2007.

Many PDA users keep sensitive business information on their PDAs.

More than one-third of Canadians say their personal information has been compromised online.

Web application security products and services market to hit $1.74 billion by 2007.

Global financial firms spend about 6 percent of their IT budgets on security; many have increased staff since 2001.

Corporate losses caused by spam will grow from nearly 10-fold from 2003 to 2007.

Most broadband users store confidential information on their computers but lack proper firewall protection.

Security concerns top list of barriers for online banking.

North America was the main source for global security incidents and attacks from the fourth quarter of 2002 through the first quarter of 2003.

U.S. consumers to lose $73.8 billion to identity theft.

Chinese developers see spike in security breaches.

More than half of Web shoppers want more secure payment options.

Storing data is the easy part; recovering data is another story.

Klez.E attacks have dropped over last year, but the virus remains one of the most popular.

Spam attacks increased 4 percent from February to March.

Nearly 50,000 Internet fraud incidents were reported in 2002.

Nearly one-third identity thefts lead to credit card fraud.

Just 42 percent of consumers think businesses handle personal information in a proper and confidential way.

Nearly one-third of virus attacks in February can be blamed on the Klez.E worm.

One in three companies would lose critical data or operational capability during a disaster because their recovery plans are not adequately funded.

Digital attacks against U.S., U.K. on the rise.

Less than half of companies have intrusion detection systems in place.

Many IT professionals expect military forces or terrorists to launch a large-scale cyberattack within two years.

The United States was the number-one target of hackers in 2002.

Protecting credit card information during online purchases is of concern to 92.4 percent of Web shoppers.

Damages from digital attacks total $8 billion in January.

Companies rank virus threats as top security priority for 2003.

Online auctions account for half of Internet fraud complaints.

Fridays and weekends are prime-time for hackers.

Retailers lose about 1 percent of transaction volume to credit card fraud.

Three percent of online sales will be lost because of credit card fraud.

A recent survey finds that investments in identity management technologies can pay off, but few companies are investing.

Security and business continuity a top priority for 29 percent of companies in 2003.

Most Web shoppers are concerned about their personal information being sold or stolen.

Of U.K. companies that allow remote access to company networks, 52 percent are worried about security problems.

More than 40 percent of companies spend 5 percent or more of their IT budget on security.

Internet attacks against public and private organizations jumped 28 percent from January to June 2002.

One in every 24 e-mail received by U.K. retailers contains a virus.

The vulnerability scanning and assessment market will thrive as CIOs seek security help outside the organization.

More government websites are posting privacy and security policies.

Just 30 percent of Canadian CEOs think their security measures are effective.

More than 80 percent of U.S. security professionals fear hacker attacks on their networks.

Nearly one-third of companies say they don’t have adequate plans for combatting cyberterrorism.

IT professionals fear a cyberattack by terrorists within two years.

Roughly 180,000 Internet-based attacks hit U.S. businesses in first half of 2002.

Nearly all consumers say disclosure is important for e-commerce websites.

Most online consumers are willing to trade personal info for rewards.

More than 49,000 complaints of Internet fraud filed in 2001.

Nearly 75 percent of U.S. websites have a privacy policy.

New markets push spending on corporate protection.

Chief security officers who report to the CFO make twice as much as those who report to the CIO.

Most (64%) people don’t pay attention to privacy policies.

More than two-thirds of e-retailers are taking extra precautions against fraud this year.

Reports on inside security breaches up 7 percentage points over 2000.

Many companies aren’t prepared for dealing with disruption.

Most marketing companies have a CPO; nearly half use consultants.

Employers look to employee Internet monitoring to stem liability and security issues.

Companies spend $140 million per year worldwide to monitor employee Internet, e-mail use.

Consumers say they are 12 times more likely to be defrauded online than offline.

Just 16 percent of managers and IT staffers surveyed said that their companies were members of an industry consortium that addressed privacy issues.

The secure content delivery market will reach $2 billion by 2005.

Security breaches occur at 85% of U.S. businesses and government organizations.

Increased awareness means that European and U.S. firms will boost security spending.

How much depends on what companies are willing to risk.

Increased awareness means that European and U.S. firms will boost security spending.

How much depends on what companies are willing to risk.

Spending on security will grow from $8.7 billion to $30.3 billion worldwide.

Consumers want companies to ask permission before taking personal data.

http://www.csoonline.com/metrics/index.cfm

Failure to patch and update systems effectively after the identification of known threats is the single largest operational risk UK-based companies with operations overseas and more than 5,000 employees.

A third of the sample of 40 senior UK-based IT security personnel said it took more than six hours to contain a new threat across their organization.

A quarter (25 per cent) saw Distributed Denial of Service (DDOS) attacks as the single largest risk to their business, whilst laptop and Personal Digital Assistants (PDA) theft was the key concern for 8.3 per cent of respondents.

Application-level threats are by far the most significant emerging threat for large companies this year, with 58 per cent of the sample stating that attacks against enterprise apps gave them the fear.

The Sarbanes-Oxley Act is seen as having the most impact on enterprises’ information security management planning in 2004 with 36 per cent of the sample giving this a top rating.

BS7799-2:2002, the government’s gold standard for information security, came in third with just 19 per cent even though it was rated as the best framework for defining companies’ Information Security Management Systems by the security pros quizzed by NetSec.

David Howorth, sales director of NetSec UK Limited, commented: “The findings illustrate that large enterprises already recognise that they are buckling under the strain of the workload created by new vulnerabilities and threats.

http://www.xatrix.org/article3680.html

In a US survey of IT managers and executives, 70 percent expressed growing concern over spyware, yet less than 10 percent have installed anti-spyware software, according to a statement issued by Webroot, the Boulder, Colorado, security software company that commissioned the survey. The survey was conducted by Equation Research.

The disconnect appears to come from slow realisation of the problem and the need to put out fires before trying a comprehensive approach, said Richard Stiennon, vice-president of threat research for Webroot. “Spyware is insidious and has been installing itself for the last two or three years,” Stiennon said. “But now it’s at a flash point, where IT managers are finding computer systems are crashing, or it takes forever for systems to boot up. And when they investigate the problem, they’re finding it’s spyware.

The first response is to use the first tool you can as a point solution…but because a one-to-one [software] solution is too costly over time, they’re beginning to look at pushing out solutions to every desktop.”

The vast majority of executives and IT managers surveyed, 96 percent, feel that their existing antivirus and firewall software protect them from outside threats, according to the study. “They’re thinking that spyware is not a threat to their security but just a threat to their productivity,” Stiennon said. “That’s how they felt about spam in the beginning, too.”

However, 82 percent of those surveyed said their desktops are currently infected with spyware. A third of respondents said that spyware has been on the rise in the past six months.

Last year, the National Cyber Security Alliance said that 91 percent of 120 individuals participating in a study had spyware loaded on their computers. And virtually none of the participants realised spyware could be transmitted and installed via file-sharing programs.

http://news.zdnet.co.uk/internet/security/0,39020375,39171738,00.htm

The latter, which was rated as the top obstacle to effective information security, was not even on the radar in 2003 when “budget constraints” was the top challenge.

On a more positive note, companies confident about their information security were more likely to have security buy-in at the executive level.

Only 20% of respondents strongly agreed that information security is a CEO-level priority; 34% agreed, 25% were neutral and 20% disagreed or strongly disagreed. For those classified as “confident respondents,” 34% said they strongly agree that data security is a CEO-level priority, while 36% agreed.

“All the CEOs say the right thing — security is important — but when you look at the stats, things like spending, [they’re] not spending like they say they will,” Kaufield said. “That is the disconnect that still seems to be apparent.”

In fact, 61% of the respondents said IT security spending will go up in 2004, and 69% said 2005 will see more spending than 2004.

Numbers like these make Richard Reiner, CEO of FSC Internet Corp., a security solutions provider in Toronto, a tad suspicious of respondents’ truthfulness. “I would suppose that there is still a trend for the individual to answer these questions to put a positive rather than negative face on things,” Reiner said. But Reiner said there are organizations in Canada that do a good job with IT security — financial institutions, insurance companies and telecoms — and “probably don’t need to increase their info-sec spending.”

He added, however, that the Canadian retail sector is a different story. Recently he had a conversation with an executive from a “reasonable-sized” retailer who told Reiner his company had no one responsible for IT security, no IT security budget and no IT security policies.

http://www.computerworld.com/securitytopics/security/story/0,10801,96821,00.html