Security, Computer Crimes Still Bane of IT
- By Kathleen Ohlson
Robert Richardson is the editorial director of the Computer Security Institute,
which provides training to computer, information and network security professionals.
A recent survey by CSI, along with the FBI’s Computer Intrusion Squad,
focused on computer crimes and security. During an interview with ADT, Richardson
examines how companies are tackling these issues.
Q: Were there any surprises in the survey? What were they and why did
A: There was certainly nothing that was so shocking that I rubbed my eyes and
looked again. It was interesting to see average losses [related to cybercrimes]
The thing that I thought was maybe interesting—where’s the big
action at—is crime more targeted to consumers and users: phishing, various
e-mail scams, viruses and root kit payloads. Companies see these kinds of attacks
better than consumers because they can stop them at the perimeters. Losses are
shifting to identity fraud, and assuming this is the case, organizations get
attacked, but more attacks are going to databases to get to users. What was
interesting in the survey was out of all the categories, financial losses went
up sharply regarding unauthorized access to information (average loss per respondent
climbed from $51,545 in 2004 to $303, 234 in 2005) and theft of proprietary
information (the average loss per respondent increased from $168,529 in 2004
to $355,552 in 2005).
Q: Any new issues crop up this year?
A: We started tracking last year…[the abuse of] wireless networks. It
moved up a little bit in percentage of respondents who suffer that kind of problem,
but it was not unexpected, though.
Honestly, I think the one thing that seems to occur separately is the percentage
of respondents who experience Web site incidents: they’re not identified—something
happens to the Web server that security responds to. The shift was in the number
of incidents; respondents had incidents, either from one to five or more than
10. Many had one to five [incidents] last year, but 95 percent say they had
more than 10 this year.
Why the shift? I have couple of theories. Web incidents are not that expensive,
economically speaking, so you would expect companies to focus energy on areas
where high loss was strong. You cut losses on Web site protection, but that
leaves defenses open where hackers gain skills [and find holes].
Q: With public and major security breaches, ChoicePoint and LexisNexis
come to mind, are companies heeding the need for security?
A: There was a significant climate change around 9/11. Combining 9/11 and Enron,
security became everybody’s buzzword to justify spending something. Congress
enough of the malfeasance, and drafted legislation, the principle piece being
Sarbanes-Oxley. A significant chunk of that law is auditing, keeping [corporations]
honest and ensuring data is secure. Publicly traded companies must adhere to
[SOX], and that coupled with HIPAA legislation…forced organizations to
really meet these requirements.
The budgets we’re seeing may in fact be adequate. We ask how much IT budget
goes to security, and if [companies] don’t have a budget or separate line
items for IT security, that’s a bad sign.
Q: The survey mentions that total losses decreased from last year,
especially the costs of fending off attacks. Why is that happening?
A: There was a bunch of different categories all in decline this year. Viruses
are the most prevalent kinds of attacks, and the amount of attacks and cost
has dropped. For a run-of-the-mill virus, corporations are much, much better
at stopping them at the perimeter. The only time things survive is if end users
and consumers are not up to date. The cost to corporations is really more if
a road warrior heads on the road, they’re in a hurry and download a virus,
and they have to wait to get it removed at the shop. I think the hackers are
working on phishing, and it’s all about spam and phishing right now.
Q: The survey also highlighted that costs in other areas are rising,
especially regarding unauthorized access. What’s changed from last year?
A: Why is it getting more expensive, that’s a good question, and I don’t
have a good answer. It seems the nature of the crimes is much more focused on
getting in there and stealing stuff. The profile of the hacker has really changed,
before they would write a virus…and now they work for a crime syndicate
and steal credit card information.
Q: Besides taking security more seriously, what do companies need to
do differently than what they’re doing now?
A: Security is a long-term commitment and companies have to work with it over
time, when they do take it as a long-term thing, they’ll see the results.
Most hackers’ intent is on phishing scams, chasing the money and low-hanging
fruit—people tricked into giving their bank accounts. It’s easier
to trick my mother than it is Citicorp; individuals are less electronically
defended, and any individual is more susceptible. The theory, which I happen
to think is true, is there are so many hours in a hacker’s day.
Kathleen Ohlson is senior editor at Application Development Trends magazine.