Information Security News mailing list archives

Fear drives irrational security decisions


From: InfoSec News <isn () c4i org>
Date: Mon, 9 Jun 2003 01:56:42 -0500 (CDT)

http://www.globetechnology.com/servlet/story/RTGAM.20030605.gtwkapi/BNStory/Front/

By JACK KAPICA
jkapica () globeandmail ca
Globe and Mail Update
Jun. 5, 2003

It was bad enough that, before 2001, security companies that had
products and services to sell generated most of the fear of being
hacked on the Internet. But after the 9/11 terrorist attacks, things
got wonky. Prophets of doom appeared at every corner, issuing dire
warnings of enormous financial losses. And the U.S. government,
dipping its pen into propaganda, raised the fear factor by creating
the National Strategy to Secure Cyberspace, a list of "policy
initiatives" issued by the Bush Administration's Department of
Homeland Security to combat ill-defined threats.

This is not to diminish the damage hackers have done, which is very
real, and the necessity for tighter security as corporations move more
of their valuable business on-line. But with fear running high, it's
tough to make clear-headed decisions about securing systems to
minimize damage.

Delegates flocking to Toronto for the 2003 Infosecurity Conference
this week should be asking themselves about this, especially in light
of the eighth annual Computer Crime and Security Survey, released last
week by the Computer Security Institute and the San Francisco Federal
Bureau of Investigation's Computer Intrusion Squad.

The CSI/FBI survey did more to muddy the waters than to clear them.
While overall financial losses, as reported by corporate respondents,
had dropped by more than half from the previous year, from
$455-million to $202-million (U.S.), the number of attacks remained
about the same. Not surprisingly, the results were called "disturbing"
by CSI director Chris Keating, who added that "more must be done" to
improve security.

It's worth examining the results of the CSI/FBI survey because it is
one of the most respected in its field; yet its primary purpose is not
accuracy. Mr. Keating himself said that through the eight years of
conducting the survey, CSI has "delivered on its promise to raise the
level of security awareness" -- in other words, the survey's job is to
promote (or sell) security.

To get a better fix on accuracy, I put the question to Mary Kirwan,
senior director of Mississauga-based Kasten Chase Applied Research,
which specializes in on-line security. Ms. Kirwan, a lawyer by
profession and trained in statistics, expressed misgivings.

She said she had problems with two main areas: the response rate to
the survey, and the kind of people who answered.

The CSI/FBI survey has a historical response rate of between 9 and 15
per cent, too low for accurate analysis. And of that small number --
530 respondents -- only half admitted to cyberattacks, and only 30 per
cent told law enforcement officials about them.

Moreover, statistics for the survey were collected mainly from
corporate security specialists, and they are "usually too far down the
totem pole to report an accurate figure" of their losses, Ms. Kirwan
said; even if qualified, they are hesitant to admit to losses for fear
of damaging their image. While three-quarters of the respondents
reported some financial loss, only 45 per cent would tell the survey
how much.

Also significant, Ms. Kirwan said, was the fact that 22 per cent of
the respondents confessed they didn't even know whether their security
had been breached.

With numbers like these, the results of the survey become questionable
-- but it must be added that they are not entirely inaccurate. The
survey confirmed some broad trends that most specialists in computer
security have been seeing.

Among them is the growing dominance of two kinds of attack: theft of
proprietary information, including identity theft (which caused the
greatest losses, the survey said, at $70-million), and
denial-of-service attacks (the second most expensive computer crime,
amounting to losses of $65-million, up 250 per cent from last year's
losses). The rankings reflect Kasten Chase's own findings.

Ms. Kirwan's experience is that most cases of theft of proprietary
information and identity theft are inside jobs done by disgruntled
employees, while denial-of-service attacks are usually the work of
"script kiddies," young amateur attackers who download a ready-made
attack tool from the Internet and launch it with no financial motive,
purely for bragging rights among their friends: a form of vandalism.

Corporate interests would therefore be well advised to protect
themselves against random vandalism, using any of the available
measures to ward off denial-of-service attacks. But installing
antivirus programs, firewalls and access-control technologies is not
enough when the enemy is already behind the firewall, on the payroll
and armed with legitimate credentials. Beyond more reliable in-house
systems policies, more effort should go into reviewing corporate
attitudes toward their own work forces, into whose hands they have
placed tools of incredible power.

Ms. Kirwan wisely advised that we should not rely on surveys such as
the one put out by CSI/FBI until insurance companies weigh in:
insurers require hard figures before their underwriters can assess the
risks accurately enough to set premiums. The reason they have not yet
done so is that they do not trust the figures.

In the meantime, the steady drumbeat of bad news from security
professionals is adding to a climate of fear. And fear makes for
irrational security decisions.



-
ISN is currently hosted by Attrition.org
