
Personal Data Security Breaches - 2000/2005

January 26, 2006
Another invaluable CRS report that I came across, including detailed samples of all the data security breaches between 2000 and 2005 (excluding the ones not reported or still ongoing, of course), covering:

- The accident
- Data publicized
- Who was affected
- Number of people affected
- Type of data compromised
- Source of the info

Here are some cases worth mentioning as well:

1. Indiana University - malicious software programs installed on business instructor’s computer, November, 2005
2. University of Tennessee - inadvertent posting of names and Social Security numbers to Internet listserv, October, 2005
3. Miami University (Ohio) - report containing SSNs and grades of more than 20,000 students has been accessible via the Internet since 2002, September, 2005
4. Kent State University - five desktop computers stolen from campus, 100,000 people affected, September, 2005
5. University of Connecticut - hacking: rootkit (collection of programs that a hacker uses to mask intrusion and obtain administrator-level access to a computer or computer network) placed on server on October 26, 2003, but not detected until July 20, 2005

Quite a huge number of exposed people; 20% of the problem represents lost or stolen laptops or tapes, and the rest is direct hacking, of course. It's impressive how easy it is to get access to sensitive personal and financial information, information that, for sure, is already stored somewhere else in a huge plain-text database. And that simply shouldn't be allowed to happen, or at least someone has to be held accountable for not taking care of the confidentiality of the information stored.


FBI's 2005 Computer Crime Survey - what's to consider?

January 19, 2006
Yesterday the FBI released its 2005 Computer Crime Survey, and while I bet many other comments will follow, I have decided to comment on it the way I commented on the U.S. 2004 "Annual Report to Congress on Foreign Economic Collection and Industrial Espionage" in previous posts. This one is compiled from the 24,000 participating organizations in 430 cities within the U.S., so look for the averages where possible :)

What are the key summary points, and what should you keep in mind?

- Attacks are on the rise, as always

That's greatly anticipated given the ever-growing Internet penetration and the number of new users whose bandwidth is reaching the levels of a middle-sized ISP. Taking into consideration the corporate migration towards IP-based business infrastructure, and even the military's interest in it, the result is quite a lot of both visible and invisible targets. My point is that, to a certain extent, a new Internet user is exposed to a variety of events that are always static in terms of security breaches, or was it like that several years ago? Fewer 0days, a lack of client-side vulnerabilities (browsers) of the kind we are seeing today, and cookies, compared to spyware, were the "worst" that could happen to you. Things have changed, but malware is still at the top of every survey/research you would come across.

- The threat from within

Insiders dominate the corporate threatscape as always, and the average financial losses due to "Laptop/Desktop/PDA Theft" act as an indicator for intellectual or sensitive property theft that is actively quantified to a certain extent, though it is still mentioned in a separate section. As far as insiders and the responses given here go, "the threat you're currently not aware of is the threat actually happening", to quote a McAfee ad I recently came across. Especially in respect to insiders.

- To report or not to report?

According to the survey "Just 9% said they reported incidents to law enforcement, believing the infractions were not illegal or that there was little law enforcement could or would do. Of those reporting, however, 91% were satisfied with law enforcement's response. And 81% said they'd report future incidents to the FBI or other law enforcement agencies."

The key point here is the lack of understanding of what a threat is, or perhaps of what exactly should be reported, or why bother at all? And given that out of the 9% reporting, 91% are satisfied, I can simply say: "If you don't take care of your destiny, someone else will".

Overall, you should consider that the lack of quality statistics is the result of both the "stick to the big picture" research and survey approaches and companies not being interested in, or not understanding, what a security threat worth reporting actually is. I greatly feel the industry and the Internet as a whole are in need of a commonly accepted approach, and while such approaches exist, someone has to perhaps communicate them in a more effective way. Broad and unstructured definitions of security result in a great deal of insecurities to a certain extent, or have the potential to, don't they?

- Who's attacking them?

Their own country's infrastructure and the Chinese one, as the survey puts it: "The U.S. (26.1%) and China (23.9%) were the source of over half of the intrusion attempts, though masking technologies make it difficult to get an accurate reading", and yes, Russia "of course".

Though you should keep in mind that whenever someone sparks a debate on a certain country's netblocks attacking another country's, it's always questionable.

- What measures are actually taken?

Besides actively investing in further solutions and re-evaluating their current measures, what made an impression on me as worth mentioning is:

- patching: whether the patch comes from a third party or the vendor itself is something else; yes, it's the reactive measure that could indeed eliminate "known" vulnerabilities, yet it's proactive approaches that companies should aim at achieving

- keeping it quiet: as you can see, the third measure taken is to actually not report what has happened. Wrong, both in respect to the actual state of security and the potential consequences in case a sensitive info breach occurred and customers did the job of reporting and linking it.

- tracing back? I think it's a bit unrealistic in today's botnet-dominated Internet; namely, an enterprise might find out that some of its external port scans are coming from internal infected PCs. When attacked you always want to know where the hell it is coming from and who's involved, and while that is entirely based on the attacker's techniques put in place, I feel that close cooperation with ISPs in reporting the infected nodes should get priority over tracing the attacks back. That greatly depends on the attack, its severity, and its traceability, of course.

To sum up, the bottom line is that antivirus software and perimeter-based defenses dominate the perception of security as always; companies are actively investing in security and will continue to do so. It's a very recent survey for you to use, or brainstorm on!


Why can't we measure the real cost of cybercrime?

January 10, 2006
At the end of 2005, a rather contradictory statement was made, namely that the costs of cybercrime have surpassed those of drug smuggling. And while I feel it has been made in order to highlight the threats posed by today's cyber insecurities, I find it a bit unrealistic.

Mainly because of:

- the lack of a centralized database and approach to keep track of, and measure, the costs of cybercrime
Centralization is useful sometimes, and so is standardization. My point is that it doesn't matter how many metrics I go through on a monthly basis; they all have had different approaches while gathering their data. Estimated or projected losses are a tricky thing, the way Donald Trump's valuation is largely based on his name brand. In this very same way, if we were to quantify the losses of a worldwide worm outbreak posed by direct attacks on the availability and integrity of networks and hosts, it would always be rather unrealistic, yet hopefully scientifically justified to a certain extent!

I feel it's about time the industry appoints a watchdog with an in-depth understanding of the concept. A watchdog that has the open source intelligence attitude, and the law enforcement backup, to differentiate online identity theft from dumpster diving, and both soft and hard dollar losses out of an event.

- the flawed approaches towards counting the TOC costs
"We had our network hit by a worm attack, where 200 out of 1000 desktops got successfully infected, resulting in 4 hours of downtime for the 200 desktops, and with the department's $15 hourly rate it resulted in a direct loss of productivity." A rather common approach these days. What isn't included is the time the IT/security department spent fixing the problem, the eventually increased infosec budget (given the department takes advantage of the momentum and asks for more), and potential lawsuits that may follow from other companies whose systems have been attacked by any of the 200 infected ones. A security incident shouldn't be isolated when it comes to costs, yet it's the best approach to bring some accountability, though it's totally unrealistic. The butterfly effect has its word in both the real and the financial world as well.
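The worm scenario above as a small cost model, an added example that is not part of the original post: the direct-productivity figure is computed the way the post describes, the responder labour the post says gets left out is priced from constructed assumptions (staff hours and rate), and the items that cannot be priced up front (budget increase, lawsuits) are carried as unpriced so the total is explicitly a lower bound.

```python
from dataclasses import dataclass, field


@dataclass
class WormIncident:
    """Cost inputs for the 200-desktop worm outbreak described in the post."""
    infected_hosts: int = 200        # from the post
    downtime_hours: float = 4.0      # from the post
    user_hourly_rate: float = 15.0   # department rate quoted in the post
    # Constructed assumptions for the categories the post says are left out:
    response_hours: float = 0.0      # IT/security staff time spent cleaning up
    responder_hourly_rate: float = 0.0
    unpriced_items: list = field(default_factory=list)  # budget increase, lawsuits, ...

    def direct_productivity_loss(self) -> float:
        """The 'common approach' figure: idle user time only."""
        return self.infected_hosts * self.downtime_hours * self.user_hourly_rate

    def response_cost(self) -> float:
        """Responder labour, which the common approach omits."""
        return self.response_hours * self.responder_hourly_rate

    def priced_total(self) -> float:
        """Everything that can be priced; still a lower bound while unpriced items remain."""
        return self.direct_productivity_loss() + self.response_cost()

    def naive_share(self) -> float:
        """Fraction of the priced total that the direct-productivity figure captures."""
        return self.direct_productivity_loss() / self.priced_total()

    def report(self) -> dict:
        return {
            "direct_productivity_loss": self.direct_productivity_loss(),
            "response_cost": self.response_cost(),
            "priced_total": self.priced_total(),
            "naive_share": round(self.naive_share(), 3),
            "unpriced_items": list(self.unpriced_items),
            "is_lower_bound": bool(self.unpriced_items),
        }


def post_scenario() -> WormIncident:
    """The post's numbers plus constructed response figures (assumptions, not from the post)."""
    return WormIncident(
        response_hours=2 * 16,        # assumed: two staff for two 8-hour days
        responder_hourly_rate=40.0,   # assumed
        unpriced_items=["increased infosec budget", "lawsuits from downstream victims"],
    )
```

Even with only one omitted category priced, the headline $12,000 figure is about 90% of the priced total, and the report still flags the result as a lower bound because the remaining items cannot be priced.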

- the hard-to-quantify intellectual property theft
Continuing my thoughts from the above opinion: counting the IT/security department's associated costs, as well as the loss of productivity at the hourly rate, especially when there's been a theft of intellectual property, is easy, yet untrue. If we were to even estimate the potential dollar losses of intellectual property theft due to security breaches, it would surpass the U.S. budget deficit and reach the levels of a developing economy's GDP, I bet that! The current inability of the industry to successfully quantify the costs of intellectual property theft results in a mere estimation of the real costs of the cybercrime act. In this case, it's more complex than some want to believe.

- lack of disclosure enforcement
More and more states (U.S. only, painfully true, but the world is lagging behind) are adopting breach disclosure laws with the idea of preventing successful use of the information, seeking accountability from the organizations/enterprises, and hopefully resulting in even clearer metrics on what exactly is going on in the wild. However, the lack of acceptance, and sometimes even the awareness, of being hacked is resulting in a highly underestimated picture in respect to the real state of cybercrime today. The more disclosure enforcement and actual awareness of the breaches, the better the metrics, the understanding of where the threats are going, and the accountability for the organizations themselves.

- surveys and metrics should always be subject to question
The way a research company gathers survey and metrics data should always be subject to question. Even highly respected law enforcement agencies' surveys and research clearly indicate similarities, though when it comes to financial losses, every organization has a different measurement approach and understanding of the concept. That is why, in the majority of cases, they aren't even aware of the actual long-term or soft dollar losses directly posed by a single security breach. Evaluating assets and assigning dollar values to intellectual property is tricky, and it could either provide a more realistic picture of the actual losses or overestimate them due to the company "falling in love" with the intellectual value of its breached information.

- companies fearing shame do not report the most relevant events today, online extortion or DDoS attacks
No company would publicly admit complying with online extortionists, and no matter how unprofessional it may sound, a LOT of companies pay not to have their reputation damaged, and it's not just public companies I'm talking about. How should a company react in such a situation: fight back and have its web site shut down, resulting in direct $ losses outpacing the sum requested by the extortionists, or comply with the request, only to later have to deal with the issue again? How much value would a company gain for fighting back, or for publicly stating that it has such a problem and is complying with it? What's more, should quantifying a successful DDoS attack on an e-shop also include the downtime effect for the ISP's customers, given they don't null-route the site, of course? And who's counting all of these, and how far would their impact actually reach?

- the unmaterialized sales from people avoiding shopping online
A topic that is often neglected when it comes to e-commerce is the HUGE number of people that aren't interested in participating (though they have the e-ability to do so), mainly because of the fear posed by cybercrime, having their credit card data stolen, etc. The current revenues of e-commerce, in my point of view, are nothing compared to what they could be if the industry's leaders gently united in order to build awareness of their actions towards improving security. I also consider these people a cost due to cybercrime!

At the bottom line, drug addicts don't exist because of drugs, but because of society, and it may be easier to execute phishing attacks than to smuggle cocaine from Mexico to the U.S., but this is where the real $$$ truly is from my point of view - drugzZzZzZzZ...................:)
