Computer Crime Research Center


Security means not so perfect

Date: January 12, 2006
By: Bill Brenner

Despite investing in a variety of security technologies, enterprises continue to suffer network attacks at the hands of malware writers and inside operatives, according to an annual FBI report released today. Many security incidents continue to go unreported.

The 2005 FBI Computer Crime Survey was taken by 2,066 organizations in Iowa, Nebraska, New York, and Texas late last spring, which survey organizers deemed a good sample of enterprises nationwide. The report is designed to "gain an accurate understanding" of computer security incidents experienced "by the full spectrum of sizes and types of organizations within the United States," the FBI said. The 23-question survey addressed such issues as the computer security technologies enterprises use, what kinds of security incidents they've suffered and what actions they've taken.

The survey is not the same as the CSI/FBI Computer Crime and Security Survey, which has been conducted for several years and has a somewhat different focus and method and a restricted number of respondents, the FBI said.

Among the findings:

* Security software and hardware failed to prevent more than 5,000 incidents among those surveyed. Eighty-seven percent of respondents said they experienced some type of incident.
* A common point of frustration among respondents came from the nonstop barrage of viruses, Trojans, worms and spyware.
* Use of antivirus, antispyware, firewalls and antispam software is almost universal among those who responded. But the software apparently did little to stop malicious insiders.
* Of the intrusion attempts coming from outside the organizations, the most common countries of origin included the United States, China, Nigeria, Germany, Russia and Romania.
* New York had the lowest percentage of organizations experiencing unauthorized access, but it had the highest percentage of those experiencing insider abuse, laptop theft, telecom fraud, viruses and Web site defacement. Austin was home to the organizations most likely (more than 91%) to have at least one type of computer security incident.
* Of those admitting they didn't alert the authorities after a security breach, about 700 respondents said there was no criminal activity, an almost identical number indicated the incident was too small to report, and 329 (23%) thought law enforcement wouldn't be interested.

The report quotes a number of high-profile security experts, including Eugene Spafford, a computer science professor at Purdue University, advisor to presidents Bill Clinton and George W. Bush and director of the Center for Education and Research in Information Assurance and Security (CERIAS); and Frank Abagnale, a former conman whose crimes inspired the memoir and movie "Catch Me If You Can."

"I continue to be surprised, not at the variety of incidents, but at the magnitude of flaws in deployed systems and the subsequent attacks and losses, all of which are accepted as business as usual," Spafford said. "So long as we continue to apply patches and spot defenses to existing problems, the overall situation will continue to deteriorate. Without a significant increase in focus and funding for both long-term cybersecurity research and more effective law enforcement, we can only expect more incidents and greater losses year after year."


Copyright © 2001-2013 Computer Crime Research Center