[ISN] RSA Unveils 'Internet Insecurity Index'

From: InfoSec News (isnat_private)
Date: Wed Apr 16 2003 - 00:59:36 PDT

    http://siliconvalley.internet.com/news/article.php/2191131
    
    By Michael Singer 
    April 15, 2003
    
    SAN FRANCISCO -- You are not as safe surfing the Web this year as you
    were last year, according to a recent consensus of online security
    experts.
    
    To help keep track of the problem, online encryption firm RSA Monday
    launched its "Internet Insecurity Index" -- a simple one-to-ten scale
    that measures how secure electronic data is each year. Given the
    number of attacks, Jim Bidzos, Chairman of Conferences, currently ranks
    2003 at about a 6 and a half.
    
    "We have gone from a 5 to 6-plus in the last 12 months," Bidzos said
    to attendees at the RSA Security conference here Monday. The four-day
    forum is designed as a clearinghouse of information about making the
    Internet more secure. "Basically, nothing is safe," he said.
    
    Analysts with IDC have already predicted that some major cyber
    terrorism event will disrupt the economy this year. Bidzos pointed to
    more than 62,000 hacking incidents last year as a rallying cry for
    better safeguards. In addition to commonplace server strikes, Bidzos
    said ATM and wireless networks are the new targets of hackers. The
    increasing number of incidents recently prompted the CERT Coordination
    Center to call 2002 the "golden age of hacking."
    
    "Part of the price is not having security designed in the first
    place," Bidzos said. "We found 30 percent of ISPs have no info
    security plans in place with 33 percent deciding that online security
    is not a priority."
    
    The threat index also identifies last year's $59 billion in data theft
    as a major impact on how safe the Internet is. Experts say identity
    theft is the fastest-growing area, with Australia citing ID theft as a
    $4 billion problem. Recently, a New York ring that netted $7 million
    was exposed. Nineteen people were charged.
    
    "It's getting so that Internet fraud growth is exceeding Internet
    growth," Bidzos said. "The interesting possibility is that people may
    stop doing things online that have to do with e-commerce because of
    it."
    
    The one bright area, according to RSA's index report, was the U.S.
    government.
    
    Bidzos said the creation of Homeland Security and a national strategy
    to secure cyberspace marked a turning point in how the government is
    dealing with online threats. California's move to require companies to
    publicly disclose security breaches may also have a major impact on
    how well companies secure their networks and data.
    
    "If they know that they have to make that security disclosure putting
    people on notice that there is a problem, they can't sweep this under
    the rug," Bidzos said.
    
    Former Clinton National Security Advisor Samuel "Sandy" Berger said
    that overall, the government supports strong encryption, but the
    government needs to put its money where its mouth is.
    
    "We have the money to do that (protect cyberspace) because it's
    national security," he said.
    
    In related news, the Electronic Privacy Information Center (EPIC) set
    up a new Privacy Threat Index to track the growing threat to privacy
    resulting from the expansion of government surveillance. The alert
    system is structured similarly to the five-color alerts used by the
    Department of Homeland Security. Based on developments during the past
    year, EPIC assessed the current level as Yellow.
    
    "It will be interesting to see how the two progress," Bidzos said.
    
    In addition to tracking the Internet's insecurity, the conference is
    also focused on new Web services security specifications.
    
    The Liberty Alliance Tuesday unveiled drafts of its Phase 2
    specifications of its Identity Federation Framework (ID-FF). On Friday
    the group submitted its first phase specification to the Organization
    for the Advancement of Structured Information Standards (OASIS) for
    use in a future version of the SAML authentication language.
    
    OASIS said it will define its Application Vulnerability Description
    Language (AVDL) as soon as next month. The XML-based technology would
    allow communication between products that find, block, fix, and report
    application security holes.
    
    The Information Security Systems Association (ISSA) Tuesday also said
    it will take over the Generally Accepted Information Security
    Principles (GAISP) specification. The former Generally Accepted System
    Security Principles (GASSP) standard was authored in response to a
    1990 U.S. National Research Council report, "Computers at Risk."
    