Chapter 1. Hacking Today

Recent media coverage of hacker incidents against well-known Internet companies has started to promote a better understanding of the growing threat hackers pose to computer security. Despite this new publicity, many users and senior managers still do not fully understand the magnitude of the threat. Without the support of the end users, system administrators constantly have to defend against security holes inadvertently opened by the users. Additionally, without the support of management, security and system administrators cannot obtain the resources they need to protect the company. This puts the technical staff in a difficult position when trying to obtain the full support of the organization to defend against the threat. Sometimes numbers speak louder than words to show an organization's exposure to risk and to gain the support of management.

Frequently we have to convince clients that information systems security is necessary and that the threat from hackers is substantial enough to invest in proactive security measures. Since there is no quantifiable measurement of successful security tactics (other than not being hacked), it is difficult to gain support for a security project. Also, unrealistic expectations of the cost of effective security or overreliance on one or two security systems can be a fatal flaw in the network.

There are two large problems security and system administrators need to overcome. First, management often believes that the computer security threat is not a great enough risk to justify funds for protective measures. Second, there is a general misunderstanding of how complex the problem of computer security really is and how many resources are required to adequately defend against attacks. For example, firewalls are necessary components of a security architecture, but firewalls alone do not protect networks. An improperly configured firewall or a firewall without other security measures in place can be worse than an open system if it provides the company with a false sense of security.

For the last six years the Computer Security Institute (CSI) has performed a survey in cooperation with the Federal Bureau of Investigation's (FBI) Computer Intrusion Squad to help determine the extent of computer crime in the United States. In March 2001, CSI published its “2001 Computer Crime and Security Survey,” which is based on responses from 538 computer security practitioners in U.S. corporations, government agencies, financial institutions, medical institutions, and universities. Of those organizations surveyed, 91 percent reported detecting computer security breaches in the last 12 months[1] and 97 percent of those polled had Web sites. Of those with Web sites, 23 percent reported suffering an attack within the last 12 months and 27 percent did not know if they had experienced an attack. Of those reporting attacks, 21 percent reported two to five incidents and 58 percent reported ten or more.

These statistics may be alarming, but the actual state of computer security may be worse than the statistics suggest. Many organizations are still not equipped to detect security breaches. Only 61 percent (up from 50 percent in 2000) of those polled in the CSI survey reported using intrusion detection. Thus, it is likely that the actual numbers of attacks and losses are greater than those reported. While it appears that organizations are starting to implement more security controls, security incidents and losses continue to grow. This could be because the security products are not implemented correctly or because the proper policies and procedures are not built around them. In the 2001 CSI survey Patrice Rapalus, CSI director, provided this insight on why incidents and loss continue to grow:

The survey results over the years offer compelling evidence that neither technology nor policies alone really offer an effective defense for your organization… . Organizations that want to survive need to develop a comprehensive approach to information security embracing both the human and technical dimensions.[2]

Organizations were also asked to estimate the financial damages they suffered as a result of the security breaches. Although 64 percent reported financial damages, only 35 percent were able to quantify the losses. Table 1-1 shows the results. Although the $377,828,700 in reported damages seems an enormous number, it is important to note that this reflects the damages suffered by a mere 186 organizations (35 percent of those surveyed). Considering the number of computer-using organizations in the country, the overall cost of computer security breaches must be vastly greater.

Not only is the problem bad, it appears that it is getting worse. In the years 1997–1999, the average damage due to break-ins was $120,240,180. The year 2000 losses were more than double that average. The losses continued to increase in the year 2001, with a more than 42 percent increase over the year 2000 losses despite 87 fewer organizations reporting losses.[3] Table 1-2 shows the results of the CSI survey over the last five years. Although some of the increased reported damages in the 2001 survey come from improved detection and reporting, a large portion of the increase is due to increased hacker activity.

The reported sources of the attacks were also interesting. External attacks continue to be more common, but the threat from internal sources is still there—49 percent of the respondents reported attacks from internal sources. Internet connections were frequent targets, as stated by 70 percent of the respondents, while 31 percent reported their internal systems were a common point of attack. Keep in mind that many companies more closely monitor Internet-connected systems for abuse and unauthorized activity than internal systems. Even considering this fact, the results support the reality that the threat from both internal and external sources is great. While the reported frequency of internal attacks is lower than that for external ones, internal attackers can often cause more damage due to their proximity to and knowledge of the systems.

Table 1-1. Losses Reported in Dollars by Type (for 2001)

| Type | Loss |
|---|---|
| Unauthorized insider access | $6,064,000 |
| Theft of proprietary information | $151,230,100 |
| Telecom fraud | $9,041,000 |
| Financial fraud | $92,935,500 |
| Viruses | $45,288,150 |
| Laptop theft | $8,849,000 |
| Insider abuse of Internet access | $35,001,650 |
| Denial of service | $4,283,600 |
| Sabotage | $5,183,100 |
| System penetration | $19,066,600 |
| Telecom eavesdropping | $886,000 |
| Active wiretapping | $0 |
| Other | $0 |
| Total | $377,828,700 |

Source: Power, Richard. 2001. 2001 CSI/FBI Computer Crime and Security Survey. San Francisco: Computer Security Institute.

The CSI survey provides a wealth of information and statistics concerning computer crime and security. We have touched on just a small portion of the results that help illustrate the risks. You can obtain a free copy of the complete CSI survey by visiting www.gocsi.com.

Table 1-2. Total Reported Financial Losses by Year

| Year | Respondents (Number Reporting Losses/% of Total Respondents) | Reported Losses |
|---|---|---|
| 2001 | 186 respondents/35% | $377,828,700 |
| 2000 | 273 respondents/42% | $265,586,240 |
| 1999 | 161 respondents/31% | $123,779,000 |
| 1998 | 216 respondents/42% | $136,822,000 |
| 1997 | 331 respondents/59% | $100,119,555 |
| Total | | $1,004,135,495 |

Source: Power, Richard. 2001. 2001 CSI/FBI Computer Crime and Security Survey. San Francisco: Computer Security Institute.

CSI is not the only organization whose surveys indicate a growing computer security threat. A global survey released in July 2000 of 4,900 information technology (IT) professionals across 30 nations, conducted by InformationWeek Research and fielded by PricewaterhouseCoopers LLP, predicts U.S. firms will suffer losses of over $266 billion this year from viruses and computer hacking.[4] The prediction for worldwide losses climbs to $1.6 trillion. The CERT Coordination Center maintains statistics for the number of incidents reported each year (www.cert.org/stats/cert_stats.html). In 2000 there were 21,756 incidents, which is more than double the number of incidents reported in 1999 (9,859 incidents). All these statistics indicate the threat appears to be growing, which calls for a renewed sense of urgency to address the security issues facing every company.

The statistics are persuasive, but they are sometimes not enough to make the case for increased computer security. However, the statistics are not the only indication of increased computer crimes. Media outlets have started to take notice of computer crimes and have increased the reporting of system compromises, particularly attacks that involve well-known companies. Some of the attacks involve denial of service, stolen information, or other forms of loss.

In February 2000, many large Internet companies suffered major disruptions in service from distributed denial-of-service (DDoS) attacks. Denial-of-service (DoS) attacks generally involve trying to overwhelm or bring down a target system to make it unavailable for use. (DoS attacks are covered in greater detail in Chapter 21.) Yahoo.com, Amazon.com, ETRADE.com, Buy.com, CNN.com, eBay.com, and others were offline for hours combating the problem. These incidents brought great visibility to cyber crime.

Other well-known attacks also help illustrate the increase in computer crime. In October 2000, news sources reported an attack against Microsoft's internal systems, targeting its source code. In May 1999, the FBI investigated several hacking groups based in the United States. After the FBI seized a suspected teenage hacker's computer, several hacker groups retaliated by defacing government Web sites. At one point, a DoS attack caused the FBI Web site to be taken offline for seven days.[5] In January 2000, an Internet hacker threatened CD Universe, stating that if the company did not pay a ransom of $100,000 he would publish 300,000 credit card numbers he stole from its Web site. The company refused to pay the ransom and the hacker published over 25,000 credit card numbers. This attack destroyed consumer confidence in CD Universe and added to the mistrust consumers already have in online buying. Between the middle of 1999 and the beginning of 2000, computer viruses such as Melissa, I LOVE YOU, and Explorer.zip devastated corporate networks, forcing companies to shut down for days to combat the viruses. These viruses demonstrated the frailty of present-day virus scanners and how easy it is to get users to execute malicious code. The incidents also illustrated the problems and losses a company can suffer from an attack.

Web-site defacements are one of the most prevalent security incidents. Hundreds of defaced Web sites are posted on hacker sites each month. Attrition.org (www.attrition.org) and 2600 (www.2600.org) are two of many sites that contain defaced Web-site archives. The archives contain a listing of sites that have been defaced and in some instances display a copy of the defaced site. Figure 1-1 shows an example of the listings of defaced Web sites from Attrition.org. Defacements may consist of impolite messages, a hacker's claim to fame, pornographic material, or other embarrassing information. Even in cases where an attack is not destructive, the loss of confidence in the organization's ability to protect sensitive data will drive customers away.

Figure 1-1. Attrition.org's hacked site list

Attrition.org maintains a breakdown of all the sites listed in its archive. There are thousands of sites across all domains: .com, .net, .org, .gov, and .mil. Some of the defaced sites are popular, well-known sites, while others are relatively unknown. Some hackers search the Internet looking for sites that are vulnerable to a newly discovered exploit. When they find a site that is vulnerable, they attack it. The archives reinforce the fact that no organization is exempt from the threat of attack.

This information should be sufficient to make a strong case for putting information security in the forefront of an organization's IT strategy. Most security professionals are already aware of the risks facing IT managers today. However, there is no way security and system administrators can both satisfy their job requirements and proactively secure their systems without user and management support. A good way to gain support is through effective security awareness training that is both convincing and constant. Users need to be continually reminded of the dangers of lax security and what they can and must do to protect against these problems. Security programs and policies must be designed to be easy to use and follow, and they must be enforceable. These guidelines provide a place to start your security program; however, they should be expanded to meet the goals of your company.



[1] Power, Richard. 2001. 2001 CSI/FBI Computer Crime and Security Survey. San Francisco: Computer Security Institute.

[2] Power, Richard. 2001. 2001 CSI/FBI Computer Crime and Security Survey. San Francisco: Computer Security Institute, p. 1.

[3] Power, Richard. 2001. 2001 CSI/FBI Computer Crime and Security Survey. San Francisco: Computer Security Institute.

[4] PRNewswire. 2000. “Study Finds Computer Viruses and Hacking Take $1.6 Trillion Toll on Worldwide Economy.” Wire report, July 7.

[5] Mell, Peter, and John Wack. 2000. “Mitigating the Hacker Threat.” Accessed on July 18, 2000, at the National Institute of Standards and Technology Web site, http://csrc.nist.gov/publications/nistbul/itl00-06.txt.
