Information Security News mailing list archives

[secedu] [iwar] "Issues and Trends:2000 CSI/FBI Computer Crime and Security Survey,"


From: William Knowles <wk () C4I ORG>
Date: Thu, 8 Jun 2000 10:34:21 -0500

Forwarded by: mea culpa <jericho () dimensional com>

---------- Forwarded message ----------
From: Fred Cohen <fc () all net>
To: secedu () onelist com
Date: Tue, 18 Apr 2000 06:31:30 -0700 (PDT)
Reply-To: secedu () egroups com
Subject: [secedu] [iwar] "Issues and Trends:2000 CSI/FBI Computer Crime and Security Survey," (fwd)

Subject: [iwar] "Issues and Trends:2000 CSI/FBI Computer Crime and Security Survey,"

 Mar 22,2000
 FOR IMMEDIATE RELEASE
 Contact: Patrice Rapalus, Director
 Computer Security Institute
 600 Harrison Street
 San Francisco, CA 94107
 415/905-2310
 Internet: prapalus () cmp com

Ninety percent of survey respondents detect cyber attacks, 273
organizations report $265,589,940 in financial losses.

SAN FRANCISCO -- The Computer Security Institute (CSI) announced today
the results of its fifth annual "Computer Crime and Security Survey."
The "Computer Crime and Security Survey" is conducted by CSI with the
participation of the San Francisco Federal Bureau of Investigation's
(FBI) Computer Intrusion Squad. The aim of this effort is to raise the
level of security awareness, as well as help determine the scope of
computer crime in the United States.

Highlights of the "2000 Computer Crime and Security Survey" include
the following:

Ninety percent of respondents (primarily large corporations and
government agencies) detected computer security breaches within the
last twelve months.

Seventy percent reported a variety of serious computer security
breaches other than the most common ones of computer viruses, laptop
theft or employee "net abuse"--for example, theft of proprietary
information, financial fraud, system penetration from outsiders,
denial of service attacks and sabotage of data or networks.

Seventy-four percent acknowledged financial losses due to computer
breaches.

Forty-two percent were willing and/or able to quantify their financial
losses. The losses from these 273 respondents totaled $265,589,940
(the average annual total over the last three years was $120,240,180).

Financial losses in eight of twelve categories were larger than in any
previous year. Furthermore, financial losses in four categories were
higher than the combined total of the three previous years. For
example, 61 respondents quantified losses due to sabotage of data or
networks for a total of $27,148,000. The total financial losses due to
sabotage for the previous years combined totaled only $10,848,850.

As in previous years, the most serious financial losses occurred
through theft of proprietary information (66 respondents reported
$66,708,000) and financial fraud (53 respondents reported
$55,996,000).

Survey results illustrate that computer crime threats to large
corporations and government agencies come from both inside and outside
their electronic perimeters, confirming the trend in previous years.
Seventy-one percent of respondents detected unauthorized access by
insiders. But for the third year in a row, more respondents (59%)
cited their Internet connection as a frequent point of attack than
cited their internal systems as a frequent point of attack (38%).

Based on responses from 643 computer security practitioners in U.S.
corporations, government agencies, financial institutions, medical
institutions and universities, the findings of the "2000 Computer
Crime and Security Survey" confirm that the threat from computer crime
and other information security breaches continues unabated and that
the financial toll is mounting.

Respondents detected a wide range of attacks and abuses. Here are some
other examples:

25% of respondents detected system penetration from the outside.

27% of respondents detected denial of service attacks.

79% detected employee abuse of Internet access privileges (for
example, downloading pornography or pirated software, or inappropriate
use of e-mail systems).

85% detected computer viruses.

For the second year, we asked some questions about electronic commerce
over the Internet. Here are some of the results:

93% of respondents have WWW sites.

43% conduct electronic commerce on their sites (in 1999, it was only
30%).

19% suffered unauthorized access or misuse within the last twelve
months.

32% said that they didn't know if there had been unauthorized access
or misuse.

35% of those acknowledging an attack reported from two to five
incidents.

19% reported ten or more incidents.

64% of those acknowledging an attack reported Web-site vandalism.

60% reported denial of service.

8% reported theft of transaction information.

3% reported financial fraud.

Patrice Rapalus, CSI Director, suggests that the "Computer Crime and
Security Survey," now in its fifth year, has delivered on its promise
to raise the level of security awareness and help determine the scope
of crime in the United States.

"The trends the CSI/FBI survey has highlighted over the years are
disturbing. Cyber crimes and other information security breaches are
widespread and diverse. Ninety percent of respondents reported
attacks. Furthermore, such incidents can result in serious damages.
The 273 organizations that were able to quantify their losses reported
a total of $265,589,940. Clearly, more must be done in terms of
adherence to sound practices, deployment of sophisticated
technologies, and most importantly adequate staffing and training of
information security practitioners in both the private sector and
government."

Bruce J. Gebhardt is in charge of the FBI's Northern California
office. Based in San Francisco, his division covers fifteen counties,
including the continually expanding "Silicon Valley" area. Computer
crime is one of his biggest challenges.

"If the FBI and other law enforcement agencies are to be successful in
combating this continually increasing problem, we cannot always be
placed in a reactive mode, responding to computer crises as they
happen. The results of the CSI/FBI survey provide us with valuable
data. This information not only has been shared with Congress to
underscore the need for additional investigative resources on a
national level but identifies emerging crime trends and helps me
decide how best to proactively and aggressively assign resources,
before those 'trends' become 'crises.'"

                                               ###

CSI, established in 1974, is a San Francisco-based association of
information security professionals. It has thousands of members
worldwide and provides a wide variety of information and education
programs to assist practitioners in protecting the information assets
of corporations and governmental organizations.

The FBI, in response to an expanding number of instances in which
criminals have targeted major components of information and economic
infrastructure systems, has established the National Infrastructure
Protection Center (NIPC) located at FBI headquarters and the Regional
Computer Intrusion Squads located in selected offices throughout the
United States. The NIPC, a joint partnership among federal agencies
and private industry, is designed to serve as the government's lead
mechanism for preventing and responding to cyber attacks on the
nation's infrastructures. (These infrastructures include
telecommunications, energy, transportation, banking and finance,
emergency services and government operations). The mission of Regional
Computer Intrusion Squads is to investigate violations of the Computer
Fraud and Abuse Act (Title 8, Section 1030), including intrusions to
public switched networks, major computer network intrusions, privacy
violations, industrial espionage, pirated computer software and other
crimes.

Copyright 2000
Computer Security Institute
600 Harrison Street
San Francisco, CA 94107
Telephone: (415) 905-2626
Fax: (415) 905-2218.
