Information Security News mailing list archives
[secedu] [iwar] "Issues and Trends:2000 CSI/FBI Computer Crime and Security Survey,"
From: William Knowles <wk () C4I ORG>
Date: Thu, 8 Jun 2000 10:34:21 -0500
Forwarded by: mea culpa <jericho () dimensional com>

---------- Forwarded message ----------
From: Fred Cohen <fc () all net>
To: secedu () onelist com
Date: Tue, 18 Apr 2000 06:31:30 -0700 (PDT)
Reply-To: secedu () egroups com
Subject: [secedu] [iwar] "Issues and Trends:2000 CSI/FBI Computer Crime and Security Survey," (fwd)

Subject: [iwar] "Issues and Trends:2000 CSI/FBI Computer Crime and Security Survey,"

Mar 22, 2000
FOR IMMEDIATE RELEASE

Contact: Patrice Rapalus, Director
Computer Security Institute
600 Harrison Street
San Francisco, CA 94107
415/905-2310
Internet: prapalus () cmp com

Ninety percent of survey respondents detect cyber attacks, 273 organizations report $265,589,940 in financial losses.

SAN FRANCISCO -- The Computer Security Institute (CSI) announced today the results of its fifth annual "Computer Crime and Security Survey." The "Computer Crime and Security Survey" is conducted by CSI with the participation of the San Francisco Federal Bureau of Investigation's (FBI) Computer Intrusion Squad. The aim of this effort is to raise the level of security awareness, as well as help determine the scope of computer crime in the United States.

Highlights of the "2000 Computer Crime and Security Survey" include the following:

Ninety percent of respondents (primarily large corporations and government agencies) detected computer security breaches within the last twelve months.

Seventy percent reported a variety of serious computer security breaches other than the most common ones of computer viruses, laptop theft or employee "net abuse"--for example, theft of proprietary information, financial fraud, system penetration from outsiders, denial of service attacks and sabotage of data or networks.

Seventy-four percent acknowledged financial losses due to computer breaches.

Forty-two percent were willing and/or able to quantify their financial losses.
The losses from these 273 respondents totaled $265,589,940 (the average annual total over the last three years was $120,240,180).

Financial losses in eight of twelve categories were larger than in any previous year. Furthermore, financial losses in four categories were higher than the combined total of the three previous years. For example, 61 respondents quantified losses due to sabotage of data or networks for a total of $27,148,000. The total financial losses due to sabotage for the previous years combined totaled only $10,848,850.

As in previous years, the most serious financial losses occurred through theft of proprietary information (66 respondents reported $66,708,000) and financial fraud (53 respondents reported $55,996,000).

Survey results illustrate that computer crime threats to large corporations and government agencies come from both inside and outside their electronic perimeters, confirming the trend in previous years. Seventy-one percent of respondents detected unauthorized access by insiders. But for the third year in a row, more respondents (59%) cited their Internet connection as a frequent point of attack than cited their internal systems as a frequent point of attack (38%).

Based on responses from 643 computer security practitioners in U.S. corporations, government agencies, financial institutions, medical institutions and universities, the findings of the "2000 Computer Crime and Security Survey" confirm that the threat from computer crime and other information security breaches continues unabated and that the financial toll is mounting.

Respondents detected a wide range of attacks and abuses. Here are some other examples:

25% of respondents detected system penetration from the outside.

27% of respondents detected denial of service attacks.

79% detected employee abuse of Internet access privileges (for example, downloading pornography or pirated software, or inappropriate use of e-mail systems).

85% detected computer viruses.

For the second year, we asked some questions about electronic commerce over the Internet. Here are some of the results:

93% of respondents have WWW sites.

43% conduct electronic commerce on their sites (in 1999, it was only 30%).

19% suffered unauthorized access or misuse within the last twelve months.

32% said that they didn't know if there had been unauthorized access or misuse.

35% of those acknowledging attack reported from two to five incidents.

19% reported ten or more incidents.

64% of those acknowledging an attack reported Web-site vandalism.

60% reported denial of service.

8% reported theft of transaction information.

3% reported financial fraud.

Patrice Rapalus, CSI Director, suggests that the "Computer Crime and Security Survey," now in its fifth year, has delivered on its promise to raise the level of security awareness and help determine the scope of crime in the United States.

"The trends the CSI/FBI survey has highlighted over the years are disturbing. Cyber crimes and other information security breaches are widespread and diverse. Ninety percent of respondents reported attacks. Furthermore, such incidents can result in serious damages. The 273 organizations that were able to quantify their losses reported a total of $265,589,940. Clearly, more must be done in terms of adherence to sound practices, deployment of sophisticated technologies, and most importantly adequate staffing and training of information security practitioners in both the private sector and government."

Bruce J. Gebhardt is in charge of the FBI's Northern California office. Based in San Francisco, his division covers fifteen counties, including the continually expanding "Silicon Valley" area. Computer crime is one of his biggest challenges.

"If the FBI and other law enforcement agencies are to be successful in combating this continually increasing problem, we cannot always be placed in a reactive mode, responding to computer crises as they happen.
The results of the CSI/FBI survey provide us with valuable data. This information not only has been shared with Congress to underscore the need for additional investigative resources on a national level but identifies emerging crime trends and helps me decide how best to proactively, and aggressively assign resources, before those 'trends' become 'crises.'"

###

CSI, established in 1974, is a San Francisco-based association of information security professionals. It has thousands of members worldwide and provides a wide variety of information and education programs to assist practitioners in protecting the information assets of corporations and governmental organizations.

The FBI, in response to an expanding number of instances in which criminals have targeted major components of information and economic infrastructure systems, has established the National Infrastructure Protection Center (NIPC) located at FBI headquarters and the Regional Computer Intrusion Squads located in selected offices throughout the United States. The NIPC, a joint partnership among federal agencies and private industry, is designed to serve as the government's lead mechanism for preventing and responding to cyber attacks on the nation's infrastructures. (These infrastructures include telecommunications, energy, transportation, banking and finance, emergency services and government operations). The mission of Regional Computer Intrusion Squads is to investigate violations of Computer Fraud and Abuse Act (Title 8, Section 1030), including intrusions to public switched networks, major computer network intrusions, privacy violations, industrial espionage, pirated computer software and other crimes.

Copyright 2000 Computer Security Institute
600 Harrison Street
San Francisco, CA 94107
Telephone: (415) 905-2626
Fax: (415) 905-2218