Final Words

Statistics compiled by CERT show that security violations are more than doubling in number every year. Reported incidents rose from 3,934 in 1998 to 9,859 in 1999, then to 21,756 in 2000 and 52,658 in 2001. The first quarter of 2002 alone saw another 26,829 reported incidents. Even more frightening, many violations aren't reported because they are never detected. While 38 percent of CSI's 2002 survey respondents reported unauthorized use of their Web sites during the previous year, another 21 percent reported that they honestly didn't know whether or not their sites had been compromised.

With statistics like that, it is easy to see that even if you have no reason to believe that your company has ever experienced a break-in, you may have been the victim of an attack that went unnoticed. In a truly classic study, the Department of Defense (DOD) conducted a test that illustrates just how rarely break-ins are detected and reported (Figure 1-4). This particular test set out to attack 8,932 computers. Of those targeted systems, the attacks succeeded in breaking into 7,860, nearly 88 percent. Yet only 19 of those attacks were reported, less than .003 percent!

Figure 1-4. DOD Test Shows Break-ins Rarely Reported

Source: Defense Information Systems Agency

Dan Farmer (a well-known computer security researcher) conducted a security survey of high-profile, commerce-oriented World Wide Web sites. The results showed that serious security vulnerabilities exist on the Internet. Of the 1,700 Web servers targeted in this study, over 60 percent of the systems could be broken into or destroyed, and only three sites even noticed the probe.

In the rush to get your systems connected to the Internet, you may also have forgotten about security. Your system may even be in that vulnerable 60 percent. If you're not sure of the current security controls on your Web server (or any other system), conduct a security audit, or call a security expert to evaluate your site for you.

The DOD test and Dan Farmer's survey were both completed several years ago. It is hard to say how many companies today would detect these attacks. Many sites have installed intrusion-detection software and are looking for attacks. If your company has not installed software to detect attacks, it needs to. Don't wait for your company name to be mentioned on CNN.

IT Security: Risking the Corporation
ISBN: 013101112X
Year: 2003
Pages: 73