Information Security News mailing list archives

RSA Unveils 'Internet Insecurity Index'


From: InfoSec News <isn () c4i org>
Date: Wed, 16 Apr 2003 02:59:36 -0500 (CDT)

http://siliconvalley.internet.com/news/article.php/2191131

By Michael Singer 
April 15, 2003

SAN FRANCISCO -- You are not as safe surfing the Web this year as you
were last year, according to a recent consensus of online security
experts.

To help keep track of the problem, online encryption firm RSA Monday
launched its "Internet Insecurity Index" -- a simple one-to-ten scale
that measures how secure electronic data is each year. Given the
number of attacks, Jim Bidzos, Chairman of Conferences, currently ranks
2003 at about a 6 and a half.

"We have gone from a 5 to 6-plus in the last 12 months," Bidzos said
to attendees at the RSA Security conference here Monday. The four-day
forum is designed as a clearinghouse of information about making the
Internet more secure. "Basically, nothing is safe," he said.

Analysts with IDC have already predicted that some major cyber
terrorism event will disrupt the economy this year. Bidzos pointed to
more than 62,000 hacking incidents last year as a rallying cry for
better safeguards. In addition to commonplace server strikes, Bidzos
said ATM and wireless networks are the new targets of hackers. The
increasing number of incidents recently prompted the CERT Coordination
Center to call 2002 the "golden age of hacking."

"Part of the price is not having security designed in the first
place," Bidzos said. "We found 30 percent of ISPs have no info
security plans in place with 33 percent deciding that online security
is not a priority."

The threat index also identifies last year's $59 billion in data theft
as a major impact on how safe the Internet is. Experts say identity
theft is the fastest-growing area, with Australia citing ID theft as a
$4 billion problem. Recently, a New York ring that netted $7 million
was exposed. Nineteen people were charged.

"It's getting so that Internet fraud growth is exceeding Internet
growth," Bidzos said. "The interesting possibility is that people may
stop doing things online that have to do with e-commerce because of
it."

The one bright area, according to RSA's index report, was the U.S.
government.

Bidzos said the creation of Homeland Security and a national strategy
to secure cyberspace marked a turning point in how the government is
dealing with online threats. California's move to require companies to
publicly disclose security breaches may also have a major impact on
how well companies secure their networks and data.

"If they know that they have to make that security disclosure putting
people on notice that there is a problem, they can't sweep this under
the rug," Bidzos said.

Former Clinton National Security Advisor Samuel "Sandy" Berger said
that, overall, the government supports strong encryption but needs to
put its money where its mouth is.

"We have the money to do that (protect cyberspace) because it's
national security," he said.

In related news, the Electronic Privacy Information Center (EPIC) set
up a new Privacy Threat Index to track the growing threat to privacy
resulting from the expansion of government surveillance. The alert
system is structured similarly to the five-color alerts used by the
Department of Homeland Security. Based on developments during the past
year, EPIC assessed the current level as Yellow.

"It will be interesting to see how the two progress," Bidzos said.

In addition to tracking the Internet's insecurity, the conference is
also focused on new Web services security specifications.

The Liberty Alliance Tuesday unveiled drafts of its Phase 2
specifications of its Identity Federation Framework (ID-FF). On Friday
the group submitted its first phase specification to the Organization
for the Advancement of Structured Information Standards (OASIS) for
use in a future version of the SAML authentication language.

OASIS said it will define its Application Vulnerability Description
Language (AVDL) as soon as next month. The XML-based technology would
allow communication between products that find, block, fix, and report
application security holes.

The Information Security Systems Association (ISSA) Tuesday also said
it will take over the Generally Accepted Information Security
Principles (GAISP) specification. The former Generally Accepted System
Security Principles (GASSP) standard was authored in response to a
1990 U.S. National Research Council report, "Computers at Risk."




-
ISN is currently hosted by Attrition.org
