Thursday, January 19, 2006

FBI's 2005 Computer Crime Survey - what's to consider?

Yesterday, the FBI has released their Annual 2005 Computer Crime Survey, and while I bet many other comments will also follow, I have decided to comment on it the way I've been commenting on the U.S 2004’s "Annual Report to Congress on Foreign Economic Collection and Industrial Espionage" in previous posts. This one is compiled based on the 24, 000 participating organizations from 430 cities within the U.S, so look for the averages where possible :)

What are the key summary points, and what you should keep in mind?

- Attacks are on the rise, as always

That's greatly anticipated given the ever growing Internet penetration and the number of new users whose bandwidth power is reaching levels of a middle sized ISP. Taking into consideration the corporate migration towards IP based business infrastructure, and even the military's interest in that, it results in quite a lot of both, visible/invisible targets. My point is that, to a certain extend a new Internet user is exposed to a variety of events that are always static in terms of security breaches, or was it like that several years ago? Less 0day's, lack of client side vulnerabilities(browsers) the way we are seeing it today, and cookies compared to spyware were the "worst" that could happen to you. Things have changed, but malware is still on the top of every survey/research you would come across.

- The threat from within

Insiders dominate the corporate threatscape as always, and the average financial losses due to "Laptop/Desktop/PDA Theft", act as an indicator for intellectual or sensitive property theft that is actively quantified to a certain extend, though it is still mentioned in a separate section. As far as insiders and the responses given in here, "the threat you're currently not aware of, is the threat actually happening" to quote a McAfee's ad I recently came across to. Especially in respect to insiders.

- To report or not to report?

According to the survey "Just 9% said they reported incidents to law enforcement, believing the infractions were not illegal or that there was little law enforcement could or would do. Of those reporting, however, 91% were satisfied with law enforcement's response. And 81% said they'd report future incidents to the FBI or other law enforcement agencies."

The key point here is the lack of understanding of what a threat is, or perhaps what exactly should be reported, or why bother at all? And given that out of the 9% reporting 91% are satisfied I can simply say that, "If you don't take care of your destiny, someone else will".

Overall, you should consider that the lack of quality statistics is the result of both, the "stick to the big picture" research and survey approaches, or because of companies not interested/understanding what a security threat worth reporting actually is? I greatly feel the industry and the Internet as a whole is in need of a commonly accepted approach, and while such exist, someone has to perhaps communicate them in a more effective way. Broad and unstructured definitions of security, result in a great deal of insecurities to a certain extend, or have the potential to, doesn't they?

- Who's attacking them?

Their homeland's infrastructure and the Chinese one, as the top attacks originally came from " The U.S. (26.1%) and China (23.9%) were the source of over half of the intrusion attempts, though masking technologies make it difficult to get an accurate reading", and yes, Russia "of course".

Though, you should keep in mind that whenever someone sparkles a debate on certain country's netblocks attacking another country's one, it's always questionable.

- What measures are actually taken?
Besides actively investing in further solutions, and re-evaluating their current measures, what made me an impression as worth mentioning is :

- patching, whether the patch comes from a third-party or the vendor itself is something else, yes it's the reactive measure that could indeed eliminate "known" vulnerabilities, yet it's proactive approaches companies should aim at achieving

- keeping it quiet, as you can see the 3rd measure taken is to actually not report what has happened, wrong, both in respect to the actual state of security, and the potential consequences in case a sensitive info breach occurred and customers did the job of reporting and linking it.

- tracing back? I think it's a bit unrealistic in today's botnets dominated Internet, namely an enterprise might find out that some of its external port scans are coming from internal infected PCs. When attacked you always want to know where the hell is it coming from, and who's involved, and while entirely based on the attackers techniques put in place, I feel that close cooperation with ISPs in reporting the infected nodes should get the priority compared to tracing the attacks back. That greatly depends on the attack, its severity, and traceability of course.

To sum up, the bottom line is that, antivirus software and perimeter based defenses dominate the perception of security as always, companies are actively investing in security and would continue to do so. It's a very recent survey for you to use, or brainstorm on!

Technorati tags :
,,,,