Malicious attacks on corporate computer systems are growing increasingly sophisticated, resulting in reported financial losses to U.S. companies of nearly half a billion dollars, according to experts at Carnegie Mellon University and the Computer Security Institute.
In a report released in April, the CERT Coordination Center says the speed of attack tools is increasing and that they are more difficult to detect via antivirus software and intrusion detection systems. Based in Pittsburgh, CERT is a center of Internet security expertise at the Software Engineering Institute, operated by Carnegie Mellon. The center studies Internet security vulnerabilities and publishes security alerts.
The Computer Security Institute, based in San Francisco, says in its seventh annual Computer Crime and Security Survey that “the threat from computer crime and other information security breaches continues unabated and the financial toll is mounting.” CSI is an association of information security professionals.
The survey, conducted by CSI with the participation of the San Francisco Federal Bureau of Investigation's Computer Intrusion Squad, polled 503 computer security professionals in U.S. corporations, government agencies, financial institutions, medical institutions and universities. CSI says 90% of respondents, primarily large corporations and government agencies, reported experiencing computer security breaches in the last 12 months, while 80% acknowledged financial losses due to breaches.
The 44% of respondents (223) who were willing and/or able to quantify financial losses reported a total of $455,848,000 lost, says CSI. The most serious losses occurred from theft of proprietary information (26 respondents reported a total of $170,827,000) and financial fraud (25 respondents reported a total of $115,753,000).
While conventional wisdom holds that attacks occur more often from within an organization than from outside, the survey showed the opposite. For the fifth year in a row, more respondents (74%) cited their Internet connection as a frequent point of attack than cited their internal systems as the point of attack (33%), says CSI.
“It's not that inside attacks are diminishing,” explains Patrice Rapalus, director of CSI, “but outside attacks are growing.” Sometimes it may be difficult to tell if an attack is coming from inside a company or outside if, for example, an employee working at home launches an attack. “If the attack comes from a contractor working for you, was that from inside or outside?” she adds.
The survey also found that 40% of respondents had detected system penetration from outside and 40% detected denial-of-service attacks. In addition, 85% said they had detected computer viruses.
Meanwhile, 70% of those attacked reported some vandalism to their Web sites, as compared with 64% in 2000. Rapalus attributes that increase to the continuing growth of connectivity. “Everyone has computers,” she notes. “You still have your stereotypical teenagers defacing Web sites, but more connectivity leads to more of these kinds of things.”