Category: Statistics

Nearly 500 computer security professionals in US corporations, government agencies, financial institutions, medical institutions and universities responded to the 2004 survey, with 53 per cent reporting that their organization experienced unauthorized use of computer systems during the prior 12 months – down from 56 per cent in 2003.

Thirty-five per cent believed they had not been breached, and 11 per cent said they didn’t know.

Overall financial losses totaled out to $141m for the 269 respondents willing to quantify their losses, down significantly from 251 respondents reporting $202m in losses in 2003.

Reported losses to intellectual property theft plummeted to $11m in 2004, putting denial of service attacks in the number one spot as the most expensive computer crime, allegedly causing $26m of the total losses.

Twenty-eight per cent of the respondents said their organization had insurance policies to help manage cybersecurity risks.

Despite federal government efforts to encourage information sharing between industry and the Department of Homeland Security, the survey “detected no increase in the disposition to share information about security intrusions,” according to the report.

The percentage of companies suffering intrusions who reported them to law enforcement dropped from 30 per cent to 20 per cent; the most common reason for keeping an intrusion quiet was fear of negative publicity, a factor for 51 per cent of the companies that failed to report a breach.

While comparisons with previous years may be enlightening, the CSI/FBI survey is decidedly unscientific: the sample pool is self-selected from a panel of computer security professionals. CSI director Chris Keating cautioned against drawing overly optimistic conclusions from the downward trends reported in the study. “Obviously, computer crime remains a serious problem and some kinds of attacks can cause ruinous financial damage,” Keating said in a statement. We don’t believe that all organizations maintain the same defenses as our members – financial damages for less protected organizations are almost certainly worse.”

More info: http://www.theregister.co.uk/2004/06/11/csi_fbi_computer_intrusion/

The Computer Security Institute’s survey of security professionals at nearly 500 companies found that damages related to cyberattacks declined, reaching about $290,000 per company versus $400,000 per company a year ago.

The report, conducted in cooperation with the FBI, also said respondents thought denial-of-service attacks outpaced intellectual property theft as the most costly type of information threat. Such a shift may indicate that companies are shoring up internal-network defenses, said Robert Richardson, editorial director for CSI and an author of the report. “If you get more effective in protecting what is inside your networks, then (attackers) have to resort to other things,” he said. “One thing you can resort to is denial-of-service attacks.”

Unlike thefts, which require an attacker to break into a system, DoS attacks typically involve an online miscreant sending a flood of data to a Web site to prevent others from accessing the site. This is the first time DoS attacks have topped the list of threats.

The survey, which measures responses mainly from information technology managers who work for companies that are CSI members, is considered an indicator of general trends but not a reliable measure of specific detail, said Richardson. “You have to be careful in general of results of this kind,” he said. “It highlights a lot of interesting things, but it also raises questions that can’t be answered by the data.”

Most companies kept security functions inside the company, with only 12 percent of those surveyed indicating they outsourced more than 20 percent of security procedures. Larger companies typically benefited from economies of scale and paid less per employee for security, the survey found. Companies with annual sales of more than $1 billion typically paid a little more than $100 per worker on security, while companies with revenue of less than $10 million spent an average of $500 per worker.

The survey also indicated that more companies are interested in computer security because of new government regulations. The financial, utility and telecommunications sectors believe that the Sarbanes-Oxley Act, which requires a company’s executives to be accountable for their financial statements, has resulted in management focusing on information security, Richardson said. This is the first year that the survey asked companies about the effect of the law.

More info: http://news.com.com/Survey%3A+Security+efforts+paying+off/2100-7355_3-5230787.html?tag=nefd.top

A majority of security executives surveyed said their companies don’t have plans to cope with an unconventional terrorist attack, even though most believe that a terrorist attack of some kind is likely to occur in the coming months, according to the results of a poll released by CSO magazine today.

The survey of 476 chief security officers and senior security executives found that 60% believe that a terrorist attack is likely in Boston or New York, which are hosting the Democratic and Republican political conventions this summer, respectively. While 63% of CSOs said their companies have planned for conventional attacks such as bombings or hostage taking, 61% said they haven’t planned for unconventional attacks using chemical, biological or nuclear weapons, according to the magazine.

The online survey of CSO subscribers was conducted between April 27 and May 18, 2004, and has a 4.5% margin of error.

CSO subscribers were asked their opinions on a number of issues, including terrorism, politics, IT security policy and purchasing decisions.

While planning for unconventional terrorist attacks is rare, the CSOs reported much better preparation for threats such as cyberattacks, natural disasters and violent employees.

Ninety-four percent of those surveyed said they have contingency plans in place for natural disasters and 86% for cyberattacks. Eighty percent said their companies are prepared for attacks from violent employees or former employees. Indeed, the survey showed that companies are quick to slam the door on former employees.

Seventy-four percent of those surveyed block network access to e-mail and critical documents within one business day of employees being fired or leaving a company, and 81% block physical access within one business day.

The theft of intellectual property or other proprietary information is also a top concern of CSOs, with 91% saying that managing access to critical information and documents is either “extremely important” or “very important.”

More info: http://www.computerworld.com/securitytopics/security/story/0,10801,93741,00.html

Five new viruses released in May made Sophos’s Top 10 for the month. Included are Sasser, Netsky-Z, Sober-G, Bagle-AA, and Lovgate-V, the company said.

Sasser led the pack in the number of infected machines reported. Sophos found a total of 959 new viruses on the Internet in May, the highest number since December 2001. The number includes new viruses that were variants of older viruses.

More info: http://www.informationweek.com/story/showArticle.jhtml?articleID=21401332

The company found that Trojans, typically installed surreptitiously by worms or spyware, exploit vulnerabilities to bypass normal email routing and drop spam messages directly into end user machines.

Many of the most well-publicised worm attacks in recent months were launched expressly to install spam Trojans on unsuspecting end users’ machines, waiting to be used at a later date as a spam delivery relay, Sandvine warned.

The report also found that the behaviour of spam Trojans taxes ISPs’ infrastructures and, in the case of smaller ISPs, creates perceptions that some networks are generating more than their fair share of spam. “Subscribers’ in-boxes are bombarded daily and, while spam filters can provide an effective treatment, the scale and scope of the problem means that additional remedies are needed,” said Marc Morin, co-founder and chief technology officer at Sandvine, in a statement.

“As a complement to existing mail server and client-based tools, service providers need to arm themselves with network-based anti-spam defences.”

More info: http://www.vnunet.com/news/1155583

The release accompanying the survey has it differently.

“Practitioners from Deloitte’s Global Financial Services Industry practice conducted face-to-face interviews with senior information technology executives of the top 100 global financial services organizations (sic),” it says. The survey claims that the results, published this month, “provide a global benchmark for the state of security in the financial sector.” Did the company actually speak to representatives from the top 100?

Kevin Shaw, Leader Security Services Group – Asia Pacific for the company’s Enterprise Risk Services, said: “What we can say is that interviews with senior information technology executives of top 100 global financial services organizations (sic) were conducted and that the sample includes 31 of the top 100 global financial services institutions.” He said four Australian banks were among those interviewed but refused to name them.

“I am sure that you will understand that respecting the confidentiality of those who were so kind as to participate is very important to us, and so unfortunately, we cannot denote the true number of organizations (sic) that have participated in the survey,” Shaw said.

“If we indicate the number of organizations, (sic) people may start to reverse engineer the number and make assumptions about who participated. This could have impact on two levels, one being that unfair assumptions are made leading to potentially erroneous conclusions, and the other in that they circumvent our intent and promise of allowing organizations (sic) to remain anonymous.”

Last year’s survey had some question marks over it as well. The company claimed the participants represented 35 percent of the top 500 global financial services organisations, which would have meant that 175 companies of the top 500 had been interviewed. However, when asked about it, Deloitte admitted that the facts were that 35 percent of the top 50 global financial services organisations – meaning 17 or 18 – had been involved.

More info: http://www.smh.com.au/articles/2004/05/28/1085641687991.html