It’s a quagmire.
No, not Iraq. The Internet. The war against hackers has been going on for decades and we are no closer to pulling out than we were when Kevin Mitnick was breaking into Ma Bell’s mainframes in the early ’80s.
So, how are we really doing in terms of computer security? Scanning the news, it looks like we are under constant attack. But you can’t really get a clear picture by reading about one new worm or security patch at a time. You need to get a broader view which shows the problems and successes over a longer period of time. When you do that, you see that, although hackers are continually becoming more sophisticated, the security defenses are building up even faster.
Last year actually showed a slowing down in the exponential damage increases that had taken place the previous few years.
The picture is not completely rosy, however. To get a better understanding of the losses and gains, let’s take a look at key points from various security reports published last year and see what they can tell us.
To begin with, although the number of attacks is not decreasing, they are doing less damage.
The eighth annual Computer Crime and Security Survey issued by the Computer Security Institute along with the FBI’s San Francisco Computer Intrusion Squad last year, showed a slight drop in the percentage of companies experiencing unauthorized computer use: 56 percent compared to 60 percent the previous year. This was the lowest figure in five years.
The total number of significant security incidents remained approximately the same, but the financial losses reported by the survey’s 530 respondents dropped by more than half compared to the previous year — from $455 million to $202 million — and was well below the damage figures for 2000 and 2001 as well.
The breakdown on losses in the FBI/CSI report also showed a shift in the type of losses. The biggest drop was in the area of financial fraud, which fell from $116 million all the way to $10 million. Theft of proprietary information caused the greatest losses, $70 million, but was down from $171 million in 2002.
Although fewer organizations experienced Denial-of-Service attacks, this threat moved up into the number two spot, in terms of damage, growing from $18 million to $66 million. Viruses held the number three spot at $27 million, down from $50 million.
Symantec Corp. recently published its bi-annual Internet Security Threat Report. Symantec has 20,000 sensors monitoring network activity in 180 countries. This four-part report summarized and analyzed what was found on those sensors during the first six months of the past year. It showed that attacks are becoming much more sophisticated in several ways. The number of blended threats — ones that use multiple techniques — grew by 20 percent compared to the previous year.
Attackers also were striking sooner, once a vulnerability was discovered. For example, the MSBlaster worm, which caused as much as $2 billion in damages over an 8-day period, hit a mere 26 days after Microsoft announced the vulnerability and released the patch. And 39 percent of all new attacks were hitting targets which had become known within the previous six months.
So what is behind this turning of the tide?
Companies are getting serious about security. It is no longer just a concern for the CIO.
”The cyber security readiness of our private infrastructures requires top down leadership,” says Eric Benhamou, chairman of 3Com Corp. ”Today, more than ever, the job of CEOs and other senior executives includes assessing the risks of information systems and instituting organizational, policy and budgetary mechanisms to mitigate these risks.”
Benhamou is not the only one who feels this way.
In December, the Business Software Alliance (BSA) and the Information Systems Security Association (ISSA) released the results of an online survey completed by 1,716 members of the ISSA in the latter half of October. The questions dealt, not with attacks, but with what companies were doing to be prepared for them.
The survey showed, of course, that virus protection and firewalls are nearly universal, with e-mail filtering and intrusion detection systems running not far behind. But it also found increasing security awareness and activities in the respondents’ organizations. In fact, 78 percent said their organization was now better able to withstand a major attack than it was 12 months earlier, while only 3 percent said they are more vulnerable.
Security was being beefed up with the knowledge and support of upper management.
The survey also showed that 77 percent of the organizations had a formal security plan in place, and 96 percent of those plans had been approved by top management. At 39 percent, information security was an issue that involved active participation by the board of directors, the CEO and/or senior management on an ongoing basis.
These studies just present a small sampling of the overall worldwide computer community, so they are limited in what they can tell us. Nevertheless, at this point it appears that the tide is finally turning after years of steady losses.
Does this mean we can start relaxing? No, just the opposite. We must step up security activities.
The attacks are getting faster and more sophisticated. There is increasing evidence of attacks coming from organized groups, possibly with government sponsorship, rather than kids working out of their parents basements. The only way these attacks are being held in check is through better and more widely-deployed defenses. And, for the foreseeable future, that will continue to be the only effective strategy.
”Cyber crimes and other information security breaches are widespread and diverse,” says CSI director Chris Keating. ”Clearly, more must be done in terms of adherence to sound practices, deployment of sophisticated technologies, and most importantly adequate staffing and training of information security practitioners in both the private sector and government.”