Re: Statistics

["Steve" <securityfocus () delahunty com>]

Try some of the papers here http://www.nw3c.org/research_topics.html.  I
also read some good stats in a presentation once that cited the National
Center for Computer Crime Data but I couldn't find their information online
easily.  One issue with statistics available is that it is estimated 85% of
computer crimes detected are never reported.  So

Issues: insiders are trusted and have access to physical and electronic
intellectual property.
Motivations: financial gain, revenge, curiousity, challenge.

Current employees become former employees which is a major group of
potential perpetrators.  Also, for insider threats, in my opinion consider
the increasing knowledge of the typical employee in terms of computer
aptitute coupled with the availability of hacker type tools freely on the
Internet.

When working at a government contractor in the 1990s, we had an employee who
downloaded the tool satan and was probing government sites.  We had static
IPs, was not hard to find him.  He claimed he was just experimenting, his
job in no way involved using such tools, he was lucky to not get fired.  We
tracked him down after hearing from our corporate security group who was
contacted by some extremely powerful government agency.

On the topic, I have had thoughts of having a firewall between the employees
and our datacenter.  Think about when your professional staff are offsite
and on another company network as part of their job, they get infected by
nimda or something, then they return to your network and "jack in" and
infect a bunch of other machines.  Sure we should all have software
firewalls on all employee computers but then again there is reality where
most of our organizations probably do not have that except for maybe
laptops.  So even if the laptops are protected, one infected laptop once
inside our network could infect the desktops.  This is where intrusion
detection comes and and related alerting.




----- Original Message ----- 
From: "Alessandro Bottonelli" <abottonelli () libero it>
To: "Jack Solomon" <solzjack43 () hotmail com>;
<security-basics () securityfocus com>
Sent: Tuesday, November 25, 2003 7:22 AM
Subject: Re: Statistics


On Monday 24 November 2003 16:57, Jack Solomon wrote:
> I often hear statistics bandied around like 85% of attacks are internal.
> Can anyone point to a reliable/quotable source of stats?
82% Internal (of which 55% accidental) are quoted from a research (not
public) of either Ernst&Young or Datapro--can't remember right now which
one.

> I'd like to prove
> to my cynical managment that we are not safe behind the corporate
> firewall...
Beware! You are right, but this issue is highly political, management
don't like to be told they cannot trust their employees. Make sure YOU know
how to state this.

> Also, I'd be interested in stats on amout of money lost
Hmmm. When it comes to money things are even worse. Insiders have more
opportunity, means and motive to hit you hard. In a research paper of mine
(I
found no one here in Italy available to pubblish it... wonder why) I made
this consideration (which is not by far a statistics):

-1- SQLWORM hits the Italian Post Office. Zero insiders, a unaccounted
number
of outsiders: estimated damage 150,000 Euros

-2- CREDIT CARD CLONING in an Italian (Tuscany) Bank. One insider, five
outsiders: measured damage 1,000,000 Euros

-3- INS OUTSOURCER DESTROYS (willingly) some thousands documents (in order
to
look good on their SLA...). Three insiders, zero outsiders: assessed damage
250,000,000 dollars (the value of the 5-year contract with INS).

Be careful when (if) using this with your management, as we say in Italy:
"wrap it with plenty of vaseline grease ..." <grin>

-- 
Alessandro Bottonelli
CISSP, BS7799 Lead Auditor
www.axis-net.it

---------------------------------------------------------------------------
----------------------------------------------------------------------------


---------------------------------------------------------------------------
----------------------------------------------------------------------------