
Over-Confidence is Pervasive amongst Security Professionals

Business Wire, Sept 11, 2007

2007 E-Crime Watch Survey shows security incidents, electronic crimes and their impact steady versus last year

FRAMINGHAM, Mass. -- CSO magazine today releases results of the 2007 E-Crime Watch Survey. This year's study revealed that while security events and electronic crimes were steady against last year's findings, there are real concerns that security executives may be becoming overconfident.

Conducted with the U.S. Secret Service, Carnegie Mellon University Software Engineering Institute's CERT® Program and Microsoft Corp., the fourth annual survey polled 671 security executives and law enforcement officials on a variety of security topics, including commitment to security, the source of e-crimes, the top e-crimes professionals are experiencing, methods of attack, security technologies being deployed to defend against attacks, and the legal steps organizations are taking after they've been attacked.

"There is little doubt that organizations have learned a tremendous amount about security in the last five years and are making serious headway in understanding and combating threat," said Bob Bragdon, publisher of CSO Magazine. "At the same time, we saw signs in this study that organizations think they have things handled, which is concerning given the recent rise in targeted, financially motivated attacks."

A key indication of the study was that while 57% of participants said they are increasingly concerned about the potential effects of e-crime, and 49% of them reported experiencing an e-crime in 2006 vs. 38% the prior year, other responses suggested they are not prioritizing security as much as they have in previous years. For example, 69% of respondents said they are more prepared to deal with those threats than they have been in the past, yet these same organizations said they've trimmed spending on IT security by 5% and corporate security by 15%.

"You should never let down your guard when it comes to cybersecurity," said Jeff Jones, director of Trustworthy Computing for Microsoft. "Crime is a fact of life in the digital world just as it is in the physical world; even with the best security posture, you must still steadily guard against potential threat."

The Source of Crimes: Insiders, Outsiders and the Unknown

Part of guarding against threat is understanding its source, and so the survey posed several questions to compare cybercrimes by insiders and outsiders.

When asked who caused more damage (in terms of cost or operations), results were fairly close (insiders 34%, outsiders 37%, unknown 29%). But by their actions, participants indicated they may not be giving as much attention to insider threats as would seem justified. For example, background checks dropped from use in 73% of the organizations last year to only 57% this year, account/password management policies dropped from 91% of the organizations last year to 84% this year, employee monitoring from 59% to 42%, and employee security awareness training from 68% last year to 38% this year.

"It is important that organizations are proactive in their approach to mitigating insider threats," says Dawn Cappelli, Senior Member of the Technical Staff at CERT. "Defense-in-depth isn't just about putting adequate technology in place, it's also about paying attention to your people and implementing policies and procedures to reduce the likelihood of an insider attack. Our research has shown that those very policies and practices that respondents are cutting back on are critical in mitigating insider threats."

The potential for damage from an insider attack is clear. Three of the top four e-crimes experienced this year were widespread attacks not targeted at an individual organization; insider attacks, on the other hand, were targeted at their organization. Survey results show that most insiders targeted proprietary information, including intellectual property, customer and financial information. Indeed, unauthorized access to/use of corporate information, systems or networks was the most common insider e-crime (experienced by 27% of respondents who experienced e-crime). Theft of intellectual property was the second most common e-crime (24%), theft of other information (including financial and customer records) was #3 (23%) and fraud (credit card, etc.) was #4 (19%).

Also of note was a shift in the methods being used by insiders to commit e-crimes. The use of social engineering techniques (gaining access through manipulation of a person or persons who can permit or facilitate access to a system or data) jumped to become the #1 method (45% v. 38% last year) followed by individuals using compromised accounts (39%), copying information to mobile devices like USB drives or iPods (36%), and use of their own account (35%). The use of sophisticated technologies like password crackers or sniffers jumped from being used by insiders in 17% of the organizations last year to 31% this year.

The survey found no major changes in e-crimes being perpetrated by outsiders, although there were marked jumps in the illegal generation of SPAM email (53% vs. 40% last year) and phishing attacks (46% vs. 31% last year). The top five e-crimes perpetrated by outsiders were: virus, worms or other malicious code (experienced by 74% of respondents), unauthorized access to/use of information, systems or networks (experienced by 55%), illegal generation of SPAM email (experienced by 53%), spyware (not including adware - experienced by 52%), denial of service attacks (experienced by 49%), and phishing (experienced by 46%).


 


Content provided in partnership with Thompson Gale