[ISN] Data on Internet threats still out cold

From: InfoSec News (isnat_private)
Date: Tue Jan 22 2002 - 11:18:40 PST

  • Next message: InfoSec News: "Re: [ISN] Exploding chips could foil laptop thieves."

    By Robert Lemos 
    Staff Writer, CNET News.com
    January 21, 2002, 4:00 AM PT
    Are we winning the battle against computer viruses and security
    threats, or getting swamped by an epidemic?
    Although corporations and individuals are taking more measures to
    inoculate against computer viruses and online vandals, security
    experts disagree over whether they're stemming the tide or simply
    keeping heads above water in the face of a growing number of hackers
    and ever more virulent code.
    Assessing the situation is tough, say experts, because of the lack of
    conclusive data about viruses and their effects.
    "We need more data, better data and different kinds of data," said
    Richard Power, editorial director for the Computer Security Institute,
    which produces a yearly survey that contains some of the most often
    cited--and occasionally maligned--data on security incidents.
    "Having the right data would help debunk a lot of the crap out there:  
    predictions of an electronic Pearl Harbor and the waves of hype that
    follow virus attacks like I Love You," Power said, adding that CSI's
    poll can't be considered scientifically accurate.
    Everyone agrees more needs to be done. Microsoft Chairman Bill Gates
    told his employees on Tuesday that security, not product features,
    will be the company's primary concern.
    To some degree, the question of whether Internet security is improving
    is a matter of perspective.
    Market researcher Computer Economics estimated that the impact from
    such digital threats as viruses, worms and Trojan horses dropped to
    $13.2 billion in 2001 from $17.1 billion the previous year. The I Love
    You virus caused the largest amount of pain--an estimated $8.75
    billion--according to the company's 2000 estimates.
    Such numbers support some virus researchers' conclusion that a
    combination of security measures--the digital equivalent of a drug
    cocktail--has helped make the Net more secure.
    "Corporations have gotten better at handling viruses," said Vincent
    Gullotto, director of computer software maker Network Associates'
    antivirus emergency response team. "They have an infection here and
    there, but (the viruses) are not penetrating." Gullotto also said
    security has been helped by a faster response to crisis situations on
    the part of antivirus-software makers.
    Yet, a second opinion--and data to support it--is only a click away.
    E-mail service provider MessageLabs saw the occurrence of hostile
    e-mail attachments, such as worms and viruses, triple during the last
    year. The U.K.-based company analyzes e-mail in real time on behalf of
    its customers, filtering out potential viruses, junk mail and
    inappropriate content.
    In the early months of 2001, only one out of every 1,053 e-mails
    traveling through the company's gateways had a malicious attachment. A
    year later, the frequency had jumped to one out of every 325 e-mails.
    "Our data is telling us that this problem is worse, not better," said
    John Harrington, director of marketing for the company's U.S.  
    A third set of data lends support to that position. The Computer
    Emergency Response Team (CERT) Coordination Center at Carnegie Mellon
    University--a clearinghouse for information on Internet threats--saw
    reports of security incidents climb to more than 56,000 in 2001, a
    jump of 160 percent from the previous year.
    Yet the group doesn't explicitly track viruses and doesn't categorize
    the number of threats.
    Who's right?
    Who knows, answered Roger Thompson, technical director of
    malicious-code research for security-services company TruSecure.  
    Thompson bemoans the lack of good scientific data.
    While Thompson has a hunch things are getting better, he said the need
    for data "is great. I just don't know if we are going to get much more
    than we've got."
    Even Michael Erbschloe, vice president at Computer Economics and the
    author of the company's estimates of the amount of damage done by
    viruses, admits the numbers are, scientifically, just a few steps up
    the evolutionary ladder from a guess.
    "We benchmark cleanup cost repeatedly and constantly, and we do as
    well as we can to calculate the number of hits," Erbschloe said. "It's
    less than perfect, but (it's) the best we can do with the resources we
    These types of studies and estimates don't seem to take into account
    such basic factors as, for example, the increase in PCs connected to
    the Internet. Almost 377 million computers worldwide were connected to
    the Net, and thus susceptible to attack, by the end of 2001, according
    to market researcher IDC. That's up from 241 million in 1999 and is
    expected to reach 704 million in 2005. By those numbers, reported
    attacks could proportionally stay constant but double in actual volume
    by 2005.
    Another problem, said Power, is that many companies never mention
    attacks they've suffered. And that leaves decision makers--ranging
    from corporate execs to senators--listening instead to the hype in the
    The conflicting data and lack of guidelines leave security
    professionals with only their own anecdotes to convince executives to
    boost security, said Greg Shipley, chief technology officer with
    network protection firm Neohapsis,
    For example, Shipley voiced incredulity at Computer Economics
    estimates that pegged the I Love You virus at 14 times more damaging
    than the September attack of the Nimda worm. "Nimda scared us the
    most," he said, adding that the company spent days cleaning up
    clients' computers after Nimda. I Love You, on the other hand, was far
    easier to mop up after.
    "When you have to sell management on why they should be shelling out
    serious bucks for security, you need hard numbers--or at least harder
    numbers than we have now," Shipley said.
    Rob Rosenberger, a hoax debunker and virus historian for the Virus
    Myths Web site, went a step further, calling the science behind the
    scarce data currently available "napkin math."
    In the end, he added, while companies need more information to track
    the threats and help them make budgeting decisions, security companies
    might not need--or want--better data.
    "It's an interesting philosophical question," he said. "It would be
    like tobacco companies saying we don't even want to do tests to see if
    smoking is bad."
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Tue Jan 22 2002 - 15:17:45 PST