Network Security
new csi study out on computer crime
- From: Paul Howell
- Date: Sat Mar 06 08:29:02 1999
at http://www.gocsi.com/prelea990301.htm
Cyber attacks rise from outside and inside corporations
Dramatic increase in reports to law enforcement
SAN FRANCISCO -- The Computer Security Institute (CSI) announced
today the results of its fourth annual "Computer Crime and Security
Survey." The "Computer Crime and Security Survey" is conducted by CSI
with the participation of the San Francisco Federal Bureau of
Investigation (FBI) Computer Intrusion Squad. The aim of this effort
is to help raise the level of security awareness as well as determine
the scope of computer crime in the United States. Highlights of the
"1999 Computer Crime and Security Survey" include the following:
- Corporations, financial institutions and government agencies face
  threats from outside as well as inside.
- System penetration by outsiders increased for the third year in a
  row; 30% of respondents report intrusions.
- Those reporting their Internet connection as a frequent point of
  attack rose for the third straight year; from 37% of respondents in
  1996 to 57% in 1999.
- Meanwhile, unauthorized access by insiders also rose for the third
  straight year; 55% of respondents reported incidents.
- Other types of cyber attack also rose. For example, 26% of
  respondents reported theft of proprietary information (an increase of
  8% over 1998).
- Perhaps the most striking result of the 1999 CSI/FBI survey is the
  dramatic increase in the number of respondents reporting serious
  incidents to law enforcement: 32% of respondents did so, a
  significant increase over the three prior years, in which only 17%
  had reported such events to the authorities.
- For the third straight year, financial losses due to computer
  security breaches mounted to over $100,000,000. Although 51% of
  respondents acknowledge suffering financial losses from such security
  breaches, only 31% were able to quantify their losses. The total
  financial losses for the 163 organizations that could put a dollar
  figure on them add up to $123,779,000.
- The most serious financial losses occurred through theft of
  proprietary information (23 respondents reported a total of
  $42,496,000) and financial fraud (27 respondents reported a total of
  $39,706,000).
Summary data for responses to all 1999 survey questions and a table
displaying financial losses due to various types of security breaches
reported in 1997, 1998 and 1999 accompany this press release.
Although these survey results indicate a wide range of computer
security breaches, perhaps the most disturbing trend is the continued
increase in attacks from outside the organization. This trend was
reinforced by other survey results. For example, of those who
acknowledged unauthorized use, 43% reported from one to five
incidents originating outside the organization, and 37% reported from
one to five incidents originating inside the organization.
Further evidence of increased system penetration from the outside can
be gleaned from a series of questions on WWW sites and electronic
commerce that were asked for the first time this year. Ninety-six
percent of respondents have WWW sites, 30% provide electronic
commerce services. Twenty percent had detected unauthorized access or
misuse of their WWW sites within the last 12 months (disturbingly,
33% answered "don't know.")
Of those who reported unauthorized access or misuse, 38% reported
from two to five incidents, and 26% reported 10 or more incidents.
Thirty-eight percent reported that the unauthorized access or misuse
came from outside. Several types of attack were specified: 98%
reported vandalism, 93% reported denial of service, 27% reported
financial fraud, 25% reported theft of transaction information. Only
12 of the 95 respondents who had their WWW sites attacked could
quantify their financial losses. The total losses for the 12
respondents totaled $2,383,000 (an average of $198,583 in financial
losses for each respondent.)
Based on responses from 521 security practitioners in U.S.
corporations, government agencies, financial institutions and
universities, the findings of the "1999 Computer Crime and Security
Survey" confirm trends established over the last three annual
surveys. It is clear that computer crime and other information
security breaches pose a growing threat to U.S. economic
competitiveness and the rule of law in cyberspace. It is also clear
that the financial cost is tangible and alarming.
Sixty-two percent of respondents reported computer security breaches
within the last twelve months.
The breaches detected by respondents include a diverse array of
serious attacks, several of which rose in the number of reports from
1998 to 1999; for example, system penetration by outsiders,
unauthorized access by insiders and theft of proprietary information
as mentioned above. Here are some other examples.
- Denial of service attacks were reported by 32%.
- Sabotage of data or networks was reported by 19%.
- Financial fraud was reported by 14%.
- Insider abuse of Internet access privileges (for example, downloading
  pornography or pirated software or engaging in inappropriate use of
  e-mail systems) was reported by 97%.
  This increase indicates that the danger of entanglement in civil
  liability suits is also on the rise.
- Virus contamination was reported by 90%.
- Laptop theft was reported by 69%.
Summary data for responses to all
1999 survey questions, and a table displaying financial losses due to
various types of security breaches reported in 1997, 1998 and 1999
accompany this press release.
Patrice Rapalus, CSI director, suggests that organizations pay more
attention to information security staffing and training. "It is
interesting to note that while many respondents answered 'yes' to the
use of sophisticated security technologies, serious breaches continue
to increase. It is also significant that so many respondents answered
'don't know' to whether or not their WWW sites had been attacked.
Corporations and government agencies that want to survive in the
'Information Age' simply have to dedicate more resources to staffing
and training of information security professionals. Furthermore,
information security professionals who want to succeed have to
increase their own level of technical acumen in order to face the
challenges ahead."
Michael A. Vatis, Director of the National Infrastructure Protection
Center, FBI headquarters, Washington, D.C., observed that "this
year's CSI/FBI study confirms the need for industry and government to
work together to address the growing problem of computer intrusions
and cyber crime generally. Only by sharing information about
incidents, and threats, and exploited vulnerabilities can we begin to
stem the rising tide of illegal activity on networks and protect our
nation's critical infrastructure from destructive cyber attacks."