In the first part of the look at the 11th Annual CSI/FBI survey, we looked at the makeup of the survey as well as the financial costs of security. In this article we'll look at the nitty-gritty of security and the trends of where things are going.
So, where are things really headed?
The percentage of cybersecurity breaches declined 4 percent from last year. At the same time there was an increase of 7 percent in the number of those that believe no unauthorized access occurred. But while overall attacks dropped, it's interesting to note that for those that reported attacks, the number of those that reported 10 or more has increased over the last 3 years. This makes me wonder if people are paying attention to what causes the attacks and actually dealing with them. At AntiOnline we often see people asking how to deal with attacks and sometimes they are told to just format and start from scratch.
This response isn't really a good one, especially with regards to businesses. It's better to figure out what caused the attack and patch up that hole, whatever that "patch" might be. If we just re-install then the same hole is still open for someone to use and exploit. Sometimes we know about it in advance, for example, Microsoft's recent PowerPoint exploit that was addressed in August even though remained wide open for part of July.
In an interesting twist, while about a third of respondents felt that their threats came from external sources, there was a large portion that felt some aspect of an attack came from internal sources. This belief that attacks are largely internal indicates that things are reverting back to where they were prior to the widespread use of the Internet, which, for a brief period, saw most of the attacks coming from external sources. Additionally, the number of those that didn't know if they were compromised has also consistently decreased as well. This may indicate more knowledge or awareness of security issues.
So, what kinds of attacks are occurring? Viruses top the list at 65 percent. Denial of Service (DoS) attacks have steadily decreased. This may be due to the fact that there is no benefit for most attacker to launching a DoS. It's a bit passe for some and often viewed as "script kiddish" by most. I suspect that many attackers today still desire easy glory, but generally not the kind that is generated by script kiddie behavior. There were minor increases in system penetration, financial fraud and web site defacement.
It was interesting to note that web site defacements had almost 60 percent of respondents reporting 10 or more such defacements. Old habits die hard, apparently. Some companies need to learn from their past mistakes and prevent these simple attacks. As I said earlier, it's not just a matter of putting the site back or reverting to a previous state, but determining how the attack occurred and patching to prevent it from happening again.
Financially speaking, losses decreased. Virus attacks accounted for about $15 million. What I found surprising is that this number should have been dwarfed by the privacy violations that occurred last year. Theft of propriety information was only $6 million and unauthorized access to information was just over $10 million. It was noted that losses due to say negative publicity were likely not included. This would explain why privacy violations didn't amount to more than virus attacks.
Companies are trying to use multiple technologies to protect what it's important. Virus protection and firewalls remain the top tools at 97 percent and 98 percent respectively. I would question how well that virus protection is working since it remains the highest attack source. Something is definitely not configured properly. Perhaps the complacency is that we're so used to viruses we just shrug and let them happen since they are a fact of life in the Windows world. Spyware detection tools have climbed to a healthy third spot but lags behind anti-virus protection. We'll probably see this climb higher next year as new forms of spyware permeates through companies.
This year the survey specifically asked the question of internal and external auditing. While the majority of auditing is done from an internal point of view, some are looking to external sources to perform the audit. It does raise the question that if 70 percent or more of respondents believe that attacks come from internal sources (a varying degree certainly), why would we rely largely on internal sources to perform those audits? It's like believing that security guards for the bank are the ones complicit in a bank heist yet allow them develop plans on how to protect the bank.
It was nice, however, to see a variety of monitoring activities being done (from audits to monitoring of email and web activity). Only 5 percent claimed that they were not evaluating their security effectiveness.
Tools, of course, are only part of the equation. The other side of this coin is training and awareness.
It is evident that many organizations believe that there isn't enough being done to make employees aware of security. For many companies, the main issue is complexity. While we may try to make things more transparent for the average user, the reality is that we need to explain some of the complexities of what happens in the background (it's not all just magic, you know?).
Awareness and training seems to focus on security policies, network security and security management. This doesn't mean that policies were the main focus. Technologies certainly did round out the rest of the training overall, with cryptology coming in last at 35 percent, which as an aside, makes me wonder about the usefulness of Bachelor's of Information Security that focus solely on cryptology as the basis of the degree.
It's also interesting to note that companies are pulling out of information sharing organizations. The idea of full disclosure seems to be waning for some, probably propelled by the concept of negative publicity. It seems that the primary response to a security breach is to patch the system. The idea of pursuing legal avenues seems still something that isn't widely pursued. Sure, the figures have gone up from last year, but still remains below what was first reported several years ago at 30 percent. The fear of negativity publicity still remains the reason why. And it's not surprising, given recent events in regards to private information violations of late that have resulted in class-action lawsuits. Over three-quarters were well aware of why law enforcement needs to hear it but still preferred to not report it.
Sarbanes-Oxley made an even bigger impact this year with more respondents indicating that it raised the level of interest in security. This Act has probably done more to improve security than most realize. I suspect we'll see even more of a SOX effect next year as organizations continue to get up to speed.
The survey included an open-ended question as to what is the most critical security issue an organization will face over the next couple of years. Viruses and worms only came in at fourth place (and yet, it's the number one form of attack). Data protection and application software vulnerabilities were number one. Not surprising since these are the items that get the most attention.
Perhaps it's time we started breaking our old habits and adopt new ones that addresses issues that really shouldn't be issues. Shouldn't viruses and worms be a passé form of attack in this day and age of robust computing and systems management?
I guess we'll find out next year.This article was first published on EnterpriseITPlanet.com.