September 12th, 2003, 09:32 PM
Facts On Computer Sec Released by FBI
I just found this and found it quite interesting, so I thought I would post it.
Here's a few of the staggering facts on computer security released by the FBI:
90% of companies had security breaches in the past 12 months
80% acknowledged financial losses as a result
70% of attacks start from the inside
40% detected denial of service attacks
40% detected system penetration from outside
33% detected internal attack sources
5% this is the number of companies that report computer crimes
September 12th, 2003, 11:00 PM
Umm... this may be old info. The 2003 FBI/CSI info has 30% of companies reporting computer crimes to law enforcement. http://www.gocsi.com
September 12th, 2003, 11:08 PM
Wasn't this posted like a few posts ago? I swear I just read it.
September 12th, 2003, 11:20 PM
These may be later statistics, but don't they all tell us the same sorry story?
Corporate management do not want to pay for security?
Many private Users do not understand the need for security?
If you cannot do someone any good: don't do them any harm....
As long as you did this to one of these, the least of my little ones............you did it unto Me.
What profiteth a man if he gains the entire World at the expense of his immortal soul?
September 12th, 2003, 11:48 PM
I have to agree with nihil. The average computer user just wants a computer that can access the internet, burn CDs and watch DVDs. And as for businesses and corporations, as long as they can share info and printers and access their databases, that's it. They don't want to spend money on anti-virus software and firewalls and security.
Here where I live, 95% of computer technicians don't know sh*t about security. I'm not an expert; I just know the basics and a bit more that I pick up here and there.
I've been to places (produce companies, brokerages, insurance places) where the computers have their default passwords and their shares are without passwords, and if you ask them why that is, they answer "we don't want to get locked out of our system" and also "there is no one that might be interested in our data".
Corporations should be aware of the dangers of not securing their networks (lost data, fraud, misuse of data, sensitive info in the wrong hands, etc.).
I better stop before I get paranoid.
September 13th, 2003, 12:41 AM
I don't think that's what it's saying. If the FBI/CSI survey is accurate, 99% of companies that responded have firewalls while 98% have Anti-Virus software (whether it's running and updated is another issue since the #1 attack was virus at 82%).
I think there are two main issues however that are being repeated over and over again:
1) Companies and individuals still have the "it won't happen to me/I have nothing worth stealing" mentality. It has been suggested in the Computer Security Journal that companies won't take any action until it does happen to them (reactive policy/view rather than proactive). Society in general is like that. We don't deal with situations in advance; we wait until things are epidemic or disastrous before we deal with them.
And these days it's the overworked admin who can barely keep up with the day-to-day activities -- never mind adding security to his/her list of things to do -- that has to deal with it all.
2) Companies in particular (and some individuals) don't want publicity from being the victim of an attack, regardless of the kind of attack, and hence, won't report attacks. Individuals are more likely not to report attacks because police often cannot do anything (case in point: http://www.theregister.co.uk/content/55/32796.html ; this was reported on Canadian news tonight and the Canadian who received this email was told by Edmonton Police that it was beyond their jurisdiction and beyond their budget, so the individual is SOL at pressing charges).
I suppose like the changes that 9/11 brought to airport and other areas in regards to security, we won't see changes on Network/Computer Security until there is a massive meltdown of the Internet to near Biblical proportions.
September 13th, 2003, 12:46 AM
As much as corporations might like to bring the perpetrators of any computer security breaches to justice, it's not always the best choice for the bottom line.
First of all, many incidents get covered by the techs and admins themselves because they are the ones who didn't secure the environment properly in the first place and want to keep their jobs.
The ones that make it past them to the executives and the board room are sometimes silenced there because the negative PR of admitting you were hacked costs more than the damages from the hack.
It scares away customers and shareholders. Depending on the industry you're in, admitting a security breach of your network or customer database can be Wall Street suicide.
There are bills proposed to allow companies to report incidents anonymously. The Internet at large would benefit from such full disclosure so that everyone could know about and learn from the attacks. But, as long as the Freedom of Information Act is in force and these incidents can be made public if they're reported, companies will shy away from sharing information.
September 13th, 2003, 12:50 AM
I thought (IIRC) that the FBI/US Gov were proposing (had proposed?) a bill that would allow for anonymous filing of charges and closed courtroom trials for this (or something to this effect). Did that ever go through or not? (I'd assume Individual Rights/Liberties issues would hold it up).
September 13th, 2003, 12:56 AM
To my knowledge nothing has been passed yet- just proposed.
Senator Feinstein proposed a bill directly countering that proposal. Her bill would not only NOT let companies report anonymously, but would legally compel them to report incidents and fine them for failing to do so.
I wrote an article on it a while back: To Disclose or Not To Disclose?