CyberSecurity Institute

The charts on the following pages reflect first results from the Security Capability Model, a survey tool codeveloped by CSO and Carnegie Mellon University’s CERT Coordination Center (CERT/CC) to help respondents compare their security processes—particularly pertaining to information security—with those of other organizations.

The Security Capability Model obviously draws some inspiration from the Capability Maturity Model (CMM), a rigorous tool for process management in software application development created by CMU’s well-known Software Engineering Institute (SEI).

They don’t yet feel there’s a long enough history” to clearly state what constitutes “mature” information security practices.

Methodology The Security Capability Model survey was posted online at CSO’s website and at the CERT website.

The industries most heavily represented in the response base were finance/banking/accounting (14%), health care/pharmaceutical (12%), manufacturing (11%) and government (10%).

In lieu of attempting an absolute standard for correct or mature practices (though a variety of those already exist elsewhere, ranging from ISO standards to SEI’s own Octave risk management methodology), the model provides the opportunity to benchmark against others in 22 specific practices.

One chart presents the full survey results, grouping the practices under four headings: managing risks, setting policies, securing systems and networks, and handling corporate security.

Looking at the first practice area on the chart, 60 percent of the total response base said they have a process in place for conducting regular vulnerability assessments.

For comparison, the model also measures corporate security capability in a few areas outside of infosec: facility access, business continuity plans, employee awareness training and background checks.

Allen says more capable—and successful—organizations are those treating security as a business objective; these companies achieve regulatory compliance by documenting existing processes, rather than by scrambling to jury-rig new processes to meet the letter of the law.

http://www.csoonline.com/read/010105/survey.html

The count of known viruses broke the 100,000 barrier and the number of new viruses grew by more than 50%. Similarly phishing attempts, in which conmen try to trick people into handing over confidential data, are recording growth rates of more than 30% and attacks are becoming increasingly sophisticated.

Also on the increase are the number of networks of remotely controlled computers, called bot nets, used by malicious hackers and conmen to carry out many different cyber crimes.

One of the biggest changes of 2004 was the waning influence of the boy hackers keen to make a name by writing a fast-spreading virus, said Kevin Hogan, senior manager in Symantec’s security response group. Although teenage virus writers will still play around with malicious code, said Mr Hogan, 2004 saw a significant rise in criminal use of malicious programs.

The financial incentives were driving criminal use of technology, he said. The Anti-Phishing Working group reported that the number of phishing attacks against new targets was growing at a rate of 30% or more per month. Those who fall victim to these attacks can find that their bank account has been cleaned out or that their good name has been ruined by someone stealing their identity.

This change in the ranks of virus writers could mean the end of the mass-mailing virus which attempts to spread by tricking people into opening infected attachments on e-mail messages.

The opening months of 2004 did see the appearance of the Netsky, Bagle and MyDoom mass mailers, but since then more surreptitious viruses, or worms, have dominated.

Mr Hogan said worm writers were more interested in recruiting PCs to take part in “bot nets” that can be used to send out spam or to mount attacks on websites.

Anti-spam firms report that, in many cases, legitimate e-mail has shrunk to less than 30% of messages.

In the past, threats to smart phones have been largely theoretical because the viruses created to cripple phones existed only in the laboratory rather than the wild.

On the positive side, Finnish security firm F-Secure said that 2004 was the best-ever year for the capture, arrest and sentencing of virus writers and criminally-minded hackers.

http://news.bbc.co.uk/1/hi/technology/4105007.stm

And while technology to combat such threats has improved, experts concede that’s not enough to address what’s bound to emerge in the coming year.

“The bottom line is, there is no silver bullet technology,” said Gregg Mastoras, senior security analyst at security vendor Sophos Inc. “I just don’t think users are educated enough when they are on machines and what they are doing with it.”

The past year saw more industry attention to security: Microsoft Corp. upgraded its flagship Windows XP operating system, closing many loopholes and turning on a built-in firewall to thwart attacks. America Online Inc. gave away free security tools, and computer makers began installing software to combat spyware.

Dozens of products and services were developed to attack “phishing” — e-mail pretending to be from trusted names such as Citibank or Paypal, but directing recipients to rogue sites.

But developers of malicious code have gotten better at automating their tools, as well as sharing information about vulnerabilities and techniques to exploit them through underground message boards and chat rooms, said Mark Rasch, chief security counsel for Solutionary Inc.

No longer are bragging rights the primary motive.

“It used to be cool to bring down sites, almost (like) graffiti for the 21st century,” said Arthur Coviello Jr., chief executive for RSA Security Inc. “Today’s worms and viruses are far more detailed, and specific attacks are directed at individuals and businesses for the purpose of economic, ill-gotten gains.”

Virus writers have found new ways to infiltrate computers and networks, bypassing the protections inspired by their earlier methods of attack.

For instance, with more network administrators blocking attachments to stop viruses from spreading via e-mail, hackers managed in June to covert popular Web sites into virus transmitters by taking advantage of known flaws with Microsoft products.

They’ve also used viruses like “Mydoom” to deposit programs that let them take over infected PCs — and then use them to relay spam or launch attacks on Web sites like Microsoft’s. Ninety percent of viruses in 2004 carried a “backdoor” mechanism, compared with less than half in 2003, said Alfred Huger of Symantec Corp.

And once they’ve commandeered such PCs, they form networks of “zombies.” Spammers buy access to these networks so they can send e-mail that appears to come from legitimate home computers, making them harder to tag as junk. “They are well organized on the black market,” said John Levine, co-author of “The Internet for Dummies.”

Much of the malicious code appears to originate in countries without adequate laws to prosecute, experts say. Meanwhile, law enforcement agencies and service providers are only beginning to establish guidelines for jointly chasing suspects who can move about with stealth in a medium that knows no borders.

Security experts rank phishing and spyware as the greatest threats for 2005, given how clever their developers have gotten in the past year. Unlike spam pitching relatively cheap products like Vioxx, phishing scams can quickly drain entire bank accounts of unsuspecting users. The number of rogue sites used for such scams grew sevenfold in just four months — to 1,518 in November, from 221 in July — according to Websense Inc

http://www.securityfocus.com/news/10215