Computer crimes on the downfall.

Printable View

June 13th, 2004, 08:57 AM
XTC46

Computer crimes on the downfall.

http://www.securityfocus.com/news/8883

Quote:

Computer intrusions are on the decline for the third year in a row, at least among respondents to an annual survey conducted by the Computer Security Institute (CSI) and the FBI's computer crime squad

are they really going down, or are people just not reporting the intrusions? discuss.

and if you were a big company that got "hacked" would you publicize it and risk losing customer turst?
June 13th, 2004, 11:01 AM
nihil

This is probably a load of crap :) but might it just be something to do with how events are classified.

Several recent worms install a backdoor, but this may well be classed as a malware attack rather than an intrusion attempt?

I think that things have moved on from sub-seven, back orifice and the like?

:D
June 13th, 2004, 11:18 AM
MrLinus

Quote:

KEY FINDINGS Some of the key findings from the participants in this year s survey are summarized here. The findings discussed below emphasize changes taking place in the computer security arena, as well as items not considered in previous CSI/FBI surveys.

- Unauthorized use of computer systems is on the decline, as is the reported dollar amount of annual financial losses resulting from security breaches.

- In a shift from previous years, the most expensive computer crime over the past year was due to denial of service.

- The percentage of organizations reporting computer intrusions to law enforcement over the last year is on the decline. The key reason cited for not reporting intrusions to law enforcement is the concern for negative publicity.

- Most organizations conduct some form of economic evaluation of their security expenditures, with 55 percent using Return on Investment (ROI), 28 percent using Internal Rate of Return (IRR), and 25 percent using Net Present Value (NPV).

- Over 80 percent of the organizations conduct security audits.

- The majority of organizations do not outsource computer security activities. Among those organizations that do outsource some computer security activities, the percentage of security activities outsourced is quite low.

- The Sarbanes-Oxley Act is beginning to have an impact on information security in some industries

- The vast majority of the organizations view security awareness training as important, although (on average) respondents from all sectors do not believe their organization invests enough in this area.

The Sarbanes-Oxley, IIRC, is the one that requires due diligence by CEOs to shareholders. It puts more responsibility on the CEO and Board of Directories to ensure that the company is sound and safe. Looking at the figures of the survey it's interesting. The numbers went down in the number of respondents (485 compared to 525). Based on the survey, all types of attacks were down. Most of the money lost, and it's about half of last year, was due to DoS ($26 million this year compared to about $60 million last year).

It's always made me wonder. Our society has become the Microsoft society IMHO. That is, we want everything to work but not necessarily understand the underlying mechanics of how it works. This means that our attackers are losing their finesse. When you think about it, there really hasn't been any major breaches by someone in years (at least not anything that's public).

On the other hand, if companies aren't willing to report it (this figure went down from 30% last year to 20% this year!) because of negative publicity (56% said that's the reason they don't report it) how do we know they're being honest in the survey?
June 13th, 2004, 02:54 PM
The Grunt

I heard that those companies had to give all their logs to the FBI, hence keeping them from lying. That is what it said on the website I orginally read about this... I can't remember where it was though...

The article I read also said you can't really trust those numbers, because they are the companies who have tons and tons of money to spend on IT and work really hard to keep everything secured. It also mentioned that there were tons of smaller companies who had lots of intrusions and DDoS's taking their servers down and such...
June 13th, 2004, 03:14 PM
Relyt

Interesting reading for sure. Figures and Stats can be twisted to indicate whatever end result one may desire. I'm not necessarily implying that particular survey is not accurate, but we can create/control surveys to lessen the impact of the final report. If I had a very large company, I definitely wouldn't want the news telling the whole world about the intrusions. I could very easily loose tons of business because of that fear factor. The closer they can be to having the "Zero Error Factor" in place the better they look. That being said, under-reporting should be considered when reviewing information such as the survey.

Additionally reclassifying the attacks/intrusions etc., could also be misleading. One could say that their actual intrusions were down, but all along their virus/worm attacks were on the rise. :eek:

cheers
June 13th, 2004, 03:34 PM
groovicus

I think Nihil hit it quite on the head.

Quote:

May 2004 was one of the most sinister months to date for computer viruses, according to reports from several major anti-virus software vendors.

The total of 959 new viruses released was more than in any month since December 2001, according to a report by Sophos in Oxford, UK.

Full Article
June 13th, 2004, 04:03 PM
MrLinus

Which will mean the CSI/FBI report for 2005 should reflect that. Keep in mind the survey, while dated for 2004, depends on data from 2003. So it's technically behind. Even still, I wonder where the effects of some of last year's worms are.
June 13th, 2004, 05:18 PM
PM8228

Well, I think that even if the FBI gets the logs, with old GWB in office they are more likely to downplay these issues in an attempt to make corperations appear secure. Either way I highly doubt that computer crime is on the downfall. It is either in recession, or more likely being perpetrated in ways that the victims don't even realize they are victims.

-Cheers-
June 14th, 2004, 03:52 AM
Highlander

This will not be the first time the Gov. underestimated something.....
June 14th, 2004, 03:29 PM
RoadClosed

Makes sense to me, every network I have touched over that last year had made decent strides at security. It's the current buzzword in the biz. Security sites are popular, more people use antivirus, entry level routers are shipped with firewalls enabled and even the bad boys at MS have made some progress by making lockdown tools and patch scanners available along with a host of command line tools like netsh and many more that allot of people don't have a clue about. ;) Heck I could compare random net scans of the local ISPs with last year and see less "in your face" issues. Still a bunch but I would definitely place a decline on the numbers based on my own amateur analysis.

Sure viruses hit all time records but in reality how many of us here were really effected? Compare this with a year ago or two years. I know for me, it's been a breath of fresh air. :D Even trends in the hacking are going from traditional technology based attacks to wireless or human engineering because those are where the potential for easier vulnerabilities are in business. For instance there have been large (talking huge) purchases of UPS uniforms recently on ebay to private individuals. Makes me go - hmmmm. I am talking the real attacks outside of scripties. We all see these trends and talk about them. So in general I would tend to believe intrusions for business entities are on a decline. There is government and social pressure among their customers to do so.

These customers actually do want to set down at a computer and make it work for them. Just like we want to press the gas pedal on a car to get us from home to work, in most cases not even a remote clue what is going on under the hood. Like the mechanic, it’s our job to protect them. Some won’t do as asked, they end up in trouble - perhaps wrapped around a big oak tree?

As for home users, that’s a different animal.
June 18th, 2004, 05:16 AM
iankestor

Judging by personal experience at my office, attacks are on the rise. Every time I run something like Ad-Aware I end up removing dozens or hundreds of undesirable bits. I don't care if they want to call the problem overly-bleached paper towel waste disposal... I know that the volume of spam and attempted worm/virus distribution only gets worse. How can they say intrusions are down when there is ever more spam? Yes you can filter, but the stuff has to get into the system before a filter can examine it. Connection? How much mal-ware is carried by spam?
Then there are pop-ups. I have actually had two users and several friends click on the "Click here to stop pop-ups!" windows!
Oi, my head!
Besides, sufficiently large corporations have the money to buy quality power-supply systems, analysts, programmers and over-priced software.
Hooray, the Fortune 500 are doing better (like we didn't know that). What about the rest of the country that actually seems to be a bulky part of the economy, work-force, families of Fortune 500 employees, etc.?
Now I'm just babbling.