Despite investing in a variety of security technologies, enterprises continue to suffer network attacks at the hands of malware writers and inside operatives, according to an annual FBI report released today. Many security incidents continue to go unreported.
The 2005 FBI Computer Crime Survey was taken by 2,066
organizations in Iowa, Nebraska, New York, and Texas late last spring,
which survey organizers deemed a good sample of enterprises nationwide.
The report is designed to "gain an accurate understanding" of computer
security incidents experienced "by the full spectrum of sizes and types
of organizations within the United States," the FBI said. The
23-question survey addressed such issues as the computer security
technologies enterprises use, what kinds of security incidents they've
suffered and what actions they've taken.
The survey is not the same as the CSI/FBI Computer Crime and
Security Survey, which has been conducted for several years and has a
somewhat different focus, method and restricted number of respondents,
the FBI said.
Among the findings:
- Security software and hardware failed to prevent more than 5,000
incidents among those surveyed. Eighty-seven percent of respondents
said they experienced some type of incident.
- A common point of frustration among respondents came from the nonstop barrage of viruses, Trojans, worms and spyware.
- Use of antivirus, antispyware, firewalls and antispam software is
almost universal among those who responded. But the software apparently
did little to stop malicious insiders.
- Of the intrusion attempts coming from outside the organizations,
the most common countries of origin included the United States, China,
Nigeria, Germany, Russia and Romania.
- New York had the lowest percentage of organizations
experiencing unauthorized access, but it had the highest percentage of
those experiencing insider abuse, laptop theft, telecom fraud, viruses
and Web site defacement. Austin was home to the organizations most
likely (more than 91%) to have at least one type of computer security
incident.
- Of those admitting they didn't alert the authorities after a
security breach, about 700 respondents said there was no criminal
activity, an almost identical number indicated the incident was too
small to report, and 329 (23%) thought law enforcement wouldn't be
interested.
The report quotes a number of high-profile security experts, including Eugene Spafford,
a computer science professor at Purdue University, advisor to
presidents Bill Clinton and George W. Bush and director of the Center
for Education and Research in Information Assurance and Security
(CERIAS), and Frank Abagnale, a former conman whose crimes inspired the memoir and movie "Catch Me If You Can."
"I continue to be surprised, not at the variety of incidents,
but at the magnitude of flaws in deployed systems and the subsequent
attacks and losses, all of which are accepted as business as usual,"
Spafford said. "So long as we continue to apply patches and spot
defenses to existing problems, the overall situation will continue to
deteriorate. Without a significant increase in focus and funding for
both long-term cybersecurity research and more effective law
enforcement, we can only expect more incidents and greater losses year
after year."