http://www.globetechnology.com/servlet/story/RTGAM.20030605.gtwkapi/BNStory/Front/

By JACK KAPICA
Globe and Mail Update
Jun. 5, 2003

It was bad enough that, before 2001, security companies that had products and services to sell generated most of the fear of being hacked on the Internet. But after the 9/11 terrorist attacks, things got wonky. Prophets of doom appeared at every corner, issuing dire warnings of enormous financial losses. And the U.S. government, dipping its pen into propaganda, raised the fear factor by creating the National Strategy to Secure Cyberspace, a list of "policy initiatives" issued by the Bush Administration's Department of Homeland Security to combat ill-defined threats.

This is not to diminish the damage hackers have done, which is very real, or the necessity for tighter security as corporations move more of their valuable business on-line. But with fear running high, it's tough to make clear-headed decisions about securing systems to minimize damage.

Delegates flocking to Toronto for the 2003 Infosecurity Conference this week should be asking themselves about this, especially in light of the eighth annual Computer Crime and Security Survey, released last week by the Computer Security Institute and the San Francisco Federal Bureau of Investigation's Computer Intrusion Squad.

The CSI/FBI survey did more to muddy the waters than to clear them. While overall financial losses, as reported by corporate respondents, had dropped by more than half from the previous year, from $455-million to $202-million (U.S.), the number of attacks remained about the same. Not surprisingly, the results were called "disturbing" by CSI director Chris Keating, who added that "more must be done" to improve security.

It's worth examining the results of the CSI/FBI survey because it is one of the most respected in its field; yet its primary purpose is not accuracy. Mr. 
Keating himself said that through the eight years of conducting the survey, CSI has "delivered on its promise to raise the level of security awareness" -- in other words, the survey's job is to promote (or sell) security.

To get a better fix on accuracy, I put the question to Mary Kirwan, senior director of Mississauga-based Kasten Chase Applied Research, which specializes in on-line security. Ms. Kirwan, a lawyer by profession and trained in statistics, expressed misgivings. She said she had problems with two main areas: the response rate to the survey, and the kind of people who answered.

The CSI/FBI survey has a historical response rate of between 9 and 15 per cent, too low for accurate analysis. And of that small number -- 530 respondents -- only half admitted to cyberattacks, and only 30 per cent told law enforcement officials about them.

Moreover, statistics for the survey were collected mainly from corporate security specialists, and they are "usually too far down the totem pole to report an accurate figure" of their losses, Ms. Kirwan said; even if qualified, they are hesitant to admit to losses for fear of damaging their image. While three-quarters of the respondents reported some financial loss, only 45 per cent would tell the survey how much. Also significant, Ms. Kirwan said, was the fact that 22 per cent of the respondents confessed they didn't even know whether their security had been breached.

With numbers like these, the results of the survey become questionable -- but it must be added that they are not entirely inaccurate. The survey confirmed some broad trends that most specialists in computer security have been seeing.
Among them is the growing dominance of two kinds of attack: theft of proprietary information, including identity theft (which caused the greatest losses, the survey said, at $70-million), and denial-of-service attacks (the second most expensive computer crime, amounting to losses of $65-million, up 250 per cent from last year's losses).

The rankings reflect Kasten Chase's own findings. Ms. Kirwan's experience is that most cases of theft of proprietary information and identity theft are inside jobs done by disgruntled employees, and denial-of-service attacks are usually the work of "script kiddies," young amateur attackers who download a malicious program from the Internet and launch attacks with no profit motive, purely for bragging rights among their friends, a form of vandalism.

Corporate interests would therefore be well advised to protect themselves against random vandalism, using any number of available measures to ward off denial-of-service attacks. And it's not enough to install antivirus programs, firewalls and access-control technologies when the enemy is already behind the firewall, on the payroll and armed with a legitimate password; aside from more reliable in-house systems policies, more effort should be put into a review of corporate attitudes to their own work forces, into whose hands they have placed tools of incredible power.

Ms. Kirwan wisely advised that we should not rely on surveys such as the one put out by CSI/FBI until insurance companies weigh in; insurers require hard figures before their underwriters can assess the risks accurately enough to set premiums. They have not done so yet because they don't trust the figures.

In the meantime, the steady drumbeat of bad news from security professionals is adding to a climate of fear. And fear makes for irrational security decisions.