Security analysis means more than percentages

Reviewing e-security survey results can be enlightening, but look below the numbers in the report for more meaningful insights.

Cyber-stats can alert you to potential security holes in your firm. Piles of statistics are surfacing regarding cyber crime and the losses accumulating from poor security.

Some research, and the statistics it generates, is based on assumption and opinion, hopefully in the form of interactive models. Other studies are based on interviews and analysis. Still others apply a range of surveys, from simplistic to sophisticated.

Along with the percent signs that dot the reports are two vital and recurring terms: validity and reliability. Validity deals with measuring what is actually meant to be measured; reliability is associated with repeated measures yielding similar results. So in this case we must ask: are the e-security studies measuring what they should be, and are the respondents appropriate subjects to provide accurate information?

Often, you will find that statistics present widely disparate results; more questions arise than answers are given. That's OK. In the e-security arena, the process of reviewing statistics and studying results is more productive than the exact incident or dollar levels that may be evident. By reviewing new and updated studies as they're reported, cross-validated impressions of current and new trends become evident.

Know the trends

So many computer crime incidents are surfacing in the media that trends are difficult to nail down. However, the 2000 Computer Security Institute/FBI Computer Crime and Security Survey points out several trends worth noting. Among them are:

-- cyber attacks continue from both within and outside of corporate walls, and a wide range of attack types has been discovered;

-- financial losses are increasing;

-- information security technologies by themselves are insufficient defenses.

There should be no doubt to security executives and their CEOs that these trends will intensify, mandating substantial investment in security protection.

Released in spring 2000, the CSI/FBI study, now in its fifth year, is based on the responses of 643 corporate and government security practitioners. The sample reasonably represents most industry sectors and company sizes, measured by number of employees and gross income.

The study shows notable increases in the use of intrusion detection security technologies compared to last year (50% in the 2000 study vs. 42% in 1999). Fully 70% of respondents found unauthorized computer system use, a significant increase from 1999. Of respondents reporting detection of this kind, 11% listed financial fraud, 17% data or network sabotage, 20% proprietary information theft, 25% outside system penetration, 27% denial of service, 71% unauthorized insider access, 79% employee Internet access abuse, and 85% viruses. Employees and insiders still remain a major threat.

With 93% of respondents reporting use of Web sites (and 43% of those e-commerce related), 32% did not know if there had been unauthorized access or misuse--a somewhat surprising and unfortunate admission. Those that did identify attacks reported a 29% increase in outside attacks from the previous year. The top two likely sources of attack were disgruntled employees and independent hackers, respectively. While the preponderance of respondents (85%) reported patching holes when intrusions were discovered, fully 44% did not report intrusions, and only 25% reported unauthorized intrusions to law enforcement.

Estimating financial losses from attack or misuse remains a daunting task. Suffice it to say the top two financial loss categories are proprietary information theft and financial fraud. Unless security resources are focused into these categories, expect far greater losses in the future.

Underneath all this data lurks an ever-increasing shortage of educated, skilled, and experienced e-security personnel. This shortage worsens weekly due to rapidly changing skillsets, increasingly complex and detailed knowledge requirements, and repeated losses from successful attack ultimately threatening business failure. Considering the reluctance to report perpetrations to law enforcement and low confidence in that avenue of resolution, investigative agencies also suffer from similar skill shortages.

Find the exceptional

More sophisticated security research coming up!

IS security education and the research that supports it are now becoming a recognized priority in the United States and increasingly in Europe. In fact, the National Security Agency has now designated 14 universities as Centers of Academic Excellence in Information Assurance Education (see http://www.nsa.gov/releases/COAE_2000.htm).

Plan on communicating with these institutions to assure actionable study results for more effective protection worldwide. Your organization also can actively participate in these studies as respondents, focus group contributors, or pilot testers.

From these sources you can expect more security research that offers validity and reliability. With quality research should come more anonymity and confidentiality for respondents, fewer public visibility concerns, and more accurate views of world security trends and specific techniques, all without vendor hype.

Another insightful, annual global security survey released in July 2000 polled 4,900 security professionals in 42 countries about security issues using e-mail and a secure Web site.

Important highlights from the results include 71% of respondents recognizing information security as a top priority, system downtime rising significantly in the past year due to security breaches or espionage, and only 28% of respondent companies using dial-back or secure modems within their operations for dial-in networking. Amazingly, 36% of respondents reported having no regular security policy reviews and 5% never reviewed their policies.

Respondents reported their top three security priorities for next year are network security, blocking unauthorized access, and increasing user security procedure awareness.

The results from this survey cross-verify what was noted in the CSI/FBI study: security must include both technology and human surveillance. The rapid evolution of technical attack techniques, together with new assault approaches that meld psychology and expertise, underscores that all systems must remain alert.

Security policy review results in this study are very disappointing, particularly from those appointed to maintain protection. Considering the shortage of trained and experienced security staff, it is likely that "when you're up to your ass in alligators, it's hard to think about draining the swamp."

A snapshot reveals much

A snapshot survey conducted by Applied Marketing Research Inc., of Shawnee Mission, Kan., also emphasizes important personal e-security behaviors. Interviews completed during the last week of June 2000 in New York City surveyed 300 people attending a computer conference regarding their protected computing practices.

While 87% of consumers and almost 95% of technology professionals reported using anti-virus software to protect their computers from viruses, only 37% of consumers and 69% of tech professionals update their anti-virus software at least monthly. Only 19% of consumers and almost 49% of those in the technology profession have installed a personal firewall on their computers.

In many ways, these results emphasize that, although many tech professionals and consumers feel they are protected from intrusion and attack, their efforts are woefully inadequate to protect them from current threats.

Converting information to action

All of these security survey results, while engaging, more importantly offer comparisons that enable organizations to see how they rate among current security practices.

For example, ask yourself the following questions: Has your organization reviewed its security policy in recent memory? If not, it's time to dig in and update. Does your firm present a series of security barriers to entry or depend on one or two entry challenges? If the latter is most descriptive, it's time to rethink the process. Have virus search engines and .dat files been updated systematically? If not, it's time to set and install a policy. Are breaches identified primarily from only one convenient source (e.g., logs)? If so, develop a more comprehensive target acquisition system. Have security job descriptions been developed and updated with personnel to obtain the qualified professionals needed? A security organizational infrastructure is necessary to complement your computer network.

Like survey results, security news can keep you abreast of daily incidents and threats. And it, too, can quickly overwhelm you with extraneous detail. Alerts, meanwhile, can help you protect your firm by easing the daily rigor of keeping your shield up and maintaining its effectiveness.

The bottom line: Research studies offer you a great opportunity to gain a comprehensive and hopefully nonbiased security outlook with a view toward the future. You just need to know how to read between the percentages.

Dr. Martin Goslar is principal analyst and managing partner of E-PHD.COM, an e-security research and analysis firm. He is also on the editorial board of the International Journal of Electronic Commerce and can be reached at Comments@E-PHD.COM.
