Malicious attacks on corporate computer systems are growing increasingly sophisticated, resulting in reported financial losses to U.S. companies of nearly half a billion dollars, according to experts at Carnegie Mellon University and the Computer Security Institute.

In a report released in April, the CERT Coordination Center says the speed of attack tools is increasing and that they are more difficult to detect via antivirus software and intrusion detection systems. Based in Pittsburgh, CERT is a center of Internet security expertise at the Software Engineering Institute, operated by Carnegie Mellon. The center studies Internet security vulnerabilities and publishes security alerts.

The Computer Security Institute, based in San Francisco, says in its seventh annual Computer Crime and Security Survey that “the threat from computer crime and other information security breaches continues unabated and the financial toll is mounting.” CSI is an association of information security professionals.

The survey, conducted by CSI with the participation of the San Francisco Federal Bureau of Investigation's Computer Intrusion Squad, polled 503 computer security professionals in U.S. corporations, government agencies, financial institutions, medical institutions and universities. CSI says 90% of respondents, primarily large corporations and government agencies, reported experiencing computer security breaches in the last 12 months, while 80% acknowledged financial losses due to breaches.

The 44% of respondents (223) who were willing and/or able to quantify financial losses reported a total of $455,848,000 lost, says CSI. The most serious losses occurred from theft of proprietary information (26 respondents reported a total of $170,827,000) and financial fraud (25 respondents reported a total of $115,753,000).

While conventional wisdom holds that attacks occur more often from within an organization than from outside, the survey showed the opposite. For the fifth year in a row, more respondents (74%) cited their Internet connection as a frequent point of attack than cited their internal systems as the point of attack (33%), says CSI.

“It's not that inside attacks are diminishing,” explains Patrice Rapalus, director of CSI, “but outside attacks are growing.” Sometimes it may be difficult to tell if an attack is coming from inside a company or outside if, for example, an employee working at home launches an attack. “If the attack comes from a contractor working for you, was that from inside or outside?” she adds.

The survey also found that 40% of respondents had detected system penetration from outside and 40% detected denial-of-service attacks. In addition, 85% said they had detected computer viruses.

Meanwhile, 70% of those attacked reported some vandalism to their Web sites, as compared with 64% in 2000. Rapalus attributes that increase to the continuing growth of connectivity. “Everyone has computers,” she notes. “You still have your stereotypical teenagers defacing Web sites, but more connectivity leads to more of these kinds of things.”

CSI says 12% of respondents reported theft of transaction information, a figure Rapalus says is “related to all of the e-commerce that's going on.” She says organizations with credit card databases are often attacked and the stolen data can then be used to make purchases.

The CERT report, meanwhile, says more advanced scanning tools are being used by attackers in looking for potential victims, maximizing the impact and speed of the attacks. Some tools “exploit vulnerabilities as part of the scanning activity, which increases the speed of propagation,” the report notes.

In addition, today's attack tools can self-initiate new attacks without human intervention. “We have seen tools like Code Red and Nimda self-propagate to a point of global saturation in less than 18 hours,” says CERT.

New attack tools may avoid detection using techniques that hide their nature, the report says. “Today's automated attack tools can vary their patterns and behaviors based on random selection, predefined decision paths, or through direct intruder management,” writes CERT. In addition, such tools can be rapidly upgraded. “This causes rapidly evolving attacks and, at the extreme, polymorphic tools that self-evolve to be different in each instance.”

CERT also reports that the number of newly discovered systems vulnerabilities reported to it “continues to more than double each year. It is difficult for administrators to keep up with patches.”

On a still more ominous note, the report says technologies are currently being designed to bypass the firewalls that are the primary line of defense against intrusion for most companies.

“There is much more illegal and unauthorized activity going on in cyberspace than corporations admit to their clients, stockholders and business partners, or report to law enforcement,” says Rapalus. “Incidents are widespread, costly and commonplace.”

“The trends seen by CERT/CC indicate that organizations relying on the Internet face significant challenges to ensure that their networks operate safely and that their systems continue to provide critical services even in the face of attack,” the CERT report concludes.


Reproduced from National Underwriter Life & Health/Financial Services Edition, June 17, 2002. Copyright 2002 by The National Underwriter Company in the serial publication. All rights reserved. Copyright in this article as an independent work may be held by the author.