Yesterday, the FBI released its 2005 Computer Crime Survey, and while I expect many other comments to follow, I have decided to comment on it the way I've been commenting on the U.S. 2004 "Annual Report to Congress on Foreign Economic Collection and Industrial Espionage" in previous posts. This one is compiled from the 24,000 participating organizations from 430 cities within the U.S., so look for the averages where possible :)
What are the key summary points, and what should you keep in mind?
- Attacks are on the rise, as always
That's greatly anticipated given the ever-growing Internet penetration and the number of new users whose bandwidth is reaching the levels of a mid-sized ISP. Taking into consideration the corporate migration towards IP-based business infrastructure, and even the military's interest in it, the result is a great many targets, both visible and invisible. My point is that, to a certain extent, a new Internet user is exposed to a variety of events that have remained static in terms of security breaches, or was it like that several years ago? Fewer 0days, no client-side vulnerabilities (browsers) the way we are seeing them today, and cookies, compared to spyware, were the "worst" that could happen to you. Things have changed, but malware is still at the top of every survey or piece of research you would come across.
- The threat from within
Insiders dominate the corporate threatscape as always, and the average financial losses due to "Laptop/Desktop/PDA Theft" act as an indicator for intellectual or sensitive property theft, which is actively quantified to a certain extent, though it is still mentioned in a separate section. As far as insiders and the responses given here go, "the threat you're currently not aware of is the threat actually happening", to quote a McAfee ad I recently came across. Especially in respect to insiders.
- To report or not to report?
According to the survey: "Just 9% said they reported incidents to law enforcement, believing the infractions were not illegal or that there was little law enforcement could or would do. Of those reporting, however, 91% were satisfied with law enforcement's response. And 81% said they'd report future incidents to the FBI or other law enforcement agencies."
The key point here is the lack of understanding of what a threat is, or perhaps of what exactly should be reported, or why bother at all? And given that, out of the 9% reporting, 91% are satisfied, I can simply say: "If you don't take care of your destiny, someone else will".
Overall, you should consider whether the lack of quality statistics is the result of both the "stick to the big picture" research and survey approaches and of companies not being interested in, or not understanding, what a security threat worth reporting actually is. I strongly feel the industry and the Internet as a whole are in need of a commonly accepted approach, and while such approaches exist, someone perhaps has to communicate them in a more effective way. Broad and unstructured definitions of security result in a great deal of insecurity to a certain extent, or have the potential to, don't they?
- Who's attacking them?
Their homeland's infrastructure and the Chinese one, as the top attacks originally came from: "The U.S. (26.1%) and China (23.9%) were the source of over half of the intrusion attempts, though masking technologies make it difficult to get an accurate reading", and yes, Russia "of course".
Though, you should keep in mind that whenever someone sparks a debate on a certain country's netblocks attacking another country's, it's always questionable.
- What measures are actually taken?
Besides actively investing in further solutions and re-evaluating their current measures, what struck me as worth mentioning is:
- patching: whether the patch comes from a third party or the vendor itself is another matter; yes, it's the reactive measure that could indeed eliminate "known" vulnerabilities, yet it's proactive approaches companies should aim at achieving.
- keeping it quiet: as you can see, the 3rd measure taken is to actually not report what has happened. Wrong, both in respect to the actual state of security and to the potential consequences in case a sensitive info breach occurred and customers did the job of reporting and linking it.
- tracing back? I think it's a bit unrealistic in today's botnet-dominated Internet, namely an enterprise might find out that some of its external port scans are coming from internal infected PCs. When attacked, you always want to know where the hell it is coming from and who's involved, and while that depends entirely on the attacker's techniques, I feel that close cooperation with ISPs in reporting the infected nodes should get priority over tracing the attacks back. That greatly depends on the attack, its severity, and its traceability of course.
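The "tracing back" point above, as an added example that is not part of the original post: before chasing an attack back to a foreign netblock, check your own egress logs for internal hosts that look like infected scanners, since those are the nodes worth reporting to the ISP. The firewall log format, the sample lines and the RFC 1918 internal ranges are all assumptions constructed here.

```python
# Added example (not from the original post): flag internal hosts that look like
# infected scanners in outbound firewall logs. The log format below is constructed.
import ipaddress
import re
from collections import defaultdict

# Constructed sample: 192.168.1.44 sweeps external hosts on SMB/RPC ports the way
# a bot-infected PC would; 192.168.1.10 is ordinary web traffic.
SAMPLE_LOG = """\
2006-01-20T10:00:01 ACCEPT SRC=192.168.1.10 DST=203.0.113.5 PROTO=TCP DPT=80
2006-01-20T10:00:02 ACCEPT SRC=192.168.1.10 DST=203.0.113.5 PROTO=TCP DPT=443
2006-01-20T10:00:03 ACCEPT SRC=192.168.1.44 DST=198.51.100.1 PROTO=TCP DPT=445
2006-01-20T10:00:03 ACCEPT SRC=192.168.1.44 DST=198.51.100.2 PROTO=TCP DPT=445
2006-01-20T10:00:03 ACCEPT SRC=192.168.1.44 DST=198.51.100.3 PROTO=TCP DPT=445
2006-01-20T10:00:04 ACCEPT SRC=192.168.1.44 DST=198.51.100.4 PROTO=TCP DPT=135
2006-01-20T10:00:04 ACCEPT SRC=192.168.1.44 DST=198.51.100.5 PROTO=TCP DPT=139
2006-01-20T10:00:06 ACCEPT SRC=10.0.0.7 DST=192.168.1.10 PROTO=TCP DPT=22
"""

LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=\S+ DPT=(\d+)")
# Enterprise-internal ranges (RFC 1918 here, an assumption); use your own plan.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def find_scanning_hosts(log_text, min_targets=5):
    """Map internal source -> sorted (dst, port) list for sources that touched at
    least min_targets distinct external targets; LAN-to-LAN traffic is ignored."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # line does not match the assumed format
        src, dst, port = m.group(1), m.group(2), int(m.group(3))
        if is_internal(src) and not is_internal(dst):
            targets[src].add((dst, port))
    return {s: sorted(t) for s, t in targets.items() if len(t) >= min_targets}


def abuse_report_lines(suspects):
    """One line per suspect host, ready to hand to the ISP or abuse desk."""
    return [f"{src}: {len(tgts)} distinct external targets, ports "
            f"{sorted({p for _, p in tgts})}"
            for src, tgts in sorted(suspects.items())]
```

The threshold is deliberately crude; in practice you would also window by time and whitelist hosts that legitimately fan out (mail relays, monitoring boxes).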
To sum up, the bottom line is that antivirus software and perimeter-based defenses dominate the perception of security as always; companies are actively investing in security and will continue to do so. It's a very recent survey for you to use, or brainstorm on!