June 13th, 2004, 09:57 AM
Computer crimes on the downfall.
Are they really going down, or are people just not reporting the intrusions? Discuss.
Computer intrusions are on the decline for the third year in a row, at least among respondents to an annual survey conducted by the Computer Security Institute (CSI) and the FBI's computer crime squad.
And if you were a big company that got "hacked", would you publicize it and risk losing customer trust?
June 13th, 2004, 12:01 PM
This is probably a load of crap but might it just be something to do with how events are classified.
Several recent worms install a backdoor, but this may well be classed as a malware attack rather than an intrusion attempt?
I think that things have moved on from sub-seven, back orifice and the like?
June 13th, 2004, 12:18 PM
The Sarbanes-Oxley, IIRC, is the one that requires due diligence by CEOs to shareholders. It puts more responsibility on the CEO and Board of Directors to ensure that the company is sound and safe. Looking at the figures of the survey it's interesting. The numbers went down in the number of respondents (485 compared to 525). Based on the survey, all types of attacks were down. Most of the money lost, and it's about half of last year, was due to DoS ($26 million this year compared to about $60 million last year).
KEY FINDINGS Some of the key findings from the participants in this year's survey are summarized here. The findings discussed below emphasize changes taking place in the computer security arena, as well as items not considered in previous CSI/FBI surveys.
- Unauthorized use of computer systems is on the decline, as is the reported dollar amount of annual financial losses resulting from security breaches.
- In a shift from previous years, the most expensive computer crime over the past year was due to denial of service.
- The percentage of organizations reporting computer intrusions to law enforcement over the last year is on the decline. The key reason cited for not reporting intrusions to law enforcement is the concern for negative publicity.
- Most organizations conduct some form of economic evaluation of their security expenditures, with 55 percent using Return on Investment (ROI), 28 percent using Internal Rate of Return (IRR), and 25 percent using Net Present Value (NPV).
- Over 80 percent of the organizations conduct security audits.
- The majority of organizations do not outsource computer security activities. Among those organizations that do outsource some computer security activities, the percentage of security activities outsourced is quite low.
- The Sarbanes-Oxley Act is beginning to have an impact on information security in some industries.
- The vast majority of the organizations view security awareness training as important, although (on average) respondents from all sectors do not believe their organization invests enough in this area.
It's always made me wonder. Our society has become the Microsoft society IMHO. That is, we want everything to work but not necessarily understand the underlying mechanics of how it works. This means that our attackers are losing their finesse. When you think about it, there really haven't been any major breaches by someone in years (at least not anything that's public).
On the other hand, if companies aren't willing to report it (this figure went down from 30% last year to 20% this year!) because of negative publicity (56% said that's the reason they don't report it) how do we know they're being honest in the survey?
June 13th, 2004, 03:54 PM
I heard that those companies had to give all their logs to the FBI, hence keeping them from lying. That is what it said on the website I originally read about this... I can't remember where it was though...
The article I read also said you can't really trust those numbers, because they are the companies who have tons and tons of money to spend on IT and work really hard to keep everything secured. It also mentioned that there were tons of smaller companies who had lots of intrusions and DDoS's taking their servers down and such...
Light a man a fire and you'll keep him warm for a day, Light a man ON fire and you'll keep him warm the rest of his life.
June 13th, 2004, 04:14 PM
Interesting reading for sure. Figures and Stats can be twisted to indicate whatever end result one may desire. I'm not necessarily implying that particular survey is not accurate, but we can create/control surveys to lessen the impact of the final report. If I had a very large company, I definitely wouldn't want the news telling the whole world about the intrusions. I could very easily lose tons of business because of that fear factor. The closer they can be to having the "Zero Error Factor" in place the better they look. That being said, under-reporting should be considered when reviewing information such as the survey.
Additionally reclassifying the attacks/intrusions etc., could also be misleading. One could say that their actual intrusions were down, but all along their virus/worm attacks were on the rise.
Connection refused, try again later.
June 13th, 2004, 04:34 PM
I think Nihil hit it quite on the head.
May 2004 was one of the most sinister months to date for computer viruses, according to reports from several major anti-virus software vendors.
The total of 959 new viruses released was more than in any month since December 2001, according to a report by Sophos in Oxford, UK.
June 13th, 2004, 05:03 PM
Which will mean the CSI/FBI report for 2005 should reflect that. Keep in mind the survey, while dated for 2004, depends on data from 2003. So it's technically behind. Even still, I wonder where the effects of some of last year's worms are.
June 13th, 2004, 06:18 PM
Well, I think that even if the FBI gets the logs, with old GWB in office they are more likely to downplay these issues in an attempt to make corporations appear secure. Either way I highly doubt that computer crime is on the downfall. It is either in recession, or more likely being perpetrated in ways that the victims don't even realize they are victims.
June 14th, 2004, 04:52 AM
This will not be the first time the Gov. underestimated something.....
Franklin Werren at www.bagpipes.net
Yes I do play the Bagpipes!
And learning to Play the Bugle
June 14th, 2004, 04:29 PM
Makes sense to me, every network I have touched over the last year had made decent strides at security. It's the current buzzword in the biz. Security sites are popular, more people use antivirus, entry level routers are shipped with firewalls enabled and even the bad boys at MS have made some progress by making lockdown tools and patch scanners available along with a host of command line tools like netsh and many more that a lot of people don't have a clue about. Heck I could compare random net scans of the local ISPs with last year and see less "in your face" issues. Still a bunch but I would definitely place a decline on the numbers based on my own amateur analysis.
Sure viruses hit all time records but in reality how many of us here were really affected? Compare this with a year ago or two years. I know for me, it's been a breath of fresh air. Even trends in the hacking are going from traditional technology based attacks to wireless or human engineering because those are where the potential for easier vulnerabilities are in business. For instance there have been large (talking huge) purchases of UPS uniforms recently on ebay to private individuals. Makes me go - hmmmm. I am talking the real attacks outside of scripties. We all see these trends and talk about them. So in general I would tend to believe intrusions for business entities are on a decline. There is government and social pressure among their customers to do so.
These customers actually do want to sit down at a computer and make it work for them. Just like we want to press the gas pedal on a car to get us from home to work, in most cases not even a remote clue what is going on under the hood. Like the mechanic, it's our job to protect them. Some won't do as asked, they end up in trouble - perhaps wrapped around a big oak tree?
As for home users, that's a different animal.
West of House
You are standing in an open field west of a white house, with a boarded front door.
There is a small mailbox here.