Cyber Attacks Bleed U.S. Companies

Malicious attacks on corporate computer systems are growingincreasingly sophisticated, resulting in reported financial lossesto U.S. companies of nearly half a billion dollars, according toexperts at Carnegie Mellon University and the Computer SecurityInstitute.

In a report released in April, the CERT Coordination Center saidthe speed of attack tools is increasing and that they are moredifficult to detect via antivirus software and intrusion detectionsystems.

Based in Pittsburgh, CERT is a center of Internet securityexpertise at the Software Engineering Institute, operated byCarnegie Mellon. The Center studies Internet securityvulnerabilities and publishes security alerts.

The Computer Security Institute, based in San Francisco, said inits seventh annual Computer Crime and Security Survey that “thethreat from computer crime and other information security breachescontinues unabated and the financial toll is mounting.” CSI is anassociation of information security professionals.

The survey, conducted by CSI with the participation of the SanFrancisco Federal Bureau of Investigations Computer IntrusionSquad, polled 503 computer security professionals in U.S.corporations, government agencies, financial institutions, medicalinstitutions and universities. CSI said 90 percent ofrespondentsprimarily large corporations and governmentagenciesreported experiencing computer security breaches in thelast 12 months, while 80 percent acknowledged financial losses dueto breaches.

The 44 percent of respondents (223) who were willing and/or ableto quantify financial losses reported a total of $455,848,000 lost,said CSI. The most serious losses occurred from theft ofproprietary information (26 respondents reported a total of$170,827,000) and financial fraud (25 respondents reported a totalof $115,753,000).

While conventional wisdom holds that attacks occur more oftenfrom within an organization than from outside, the survey showedthe opposite. For the fifth year in a row, more respondents (74percent) cited their Internet connection as a frequent point ofattack than cited their internal systems as the point of attack (33percent), said CSI.

“Its not that inside attacks are diminishing,” explained PatriceRapalus, director of CSI, “but outside attacks are growing.”Sometimes it may be difficult to tell if an attack is coming frominside a company or outside if, for example, an employee working athome launches an attack. “If the attack comes from a contractorworking for you, was that from inside or outside?” she added.

The survey also found that 40 percent of respondents haddetected system penetration from outside and 40 percent detecteddenial-of-service attacks. In addition, 85 percent said they haddetected computer viruses.

Meanwhile, 70 percent of those attacked reported some vandalismto their Web sites, as compared with 64 percent in 2000. Ms.Rapalus attributed that increase to the continuing growth ofconnectivity.

“Everyone has computers,” she noted. “You still have yourstereotypical teenagers defacing Web sites, but more connectivityleads to more of these kinds of things.”

CSI said 12 percent of respondents reported theft of transactioninformation, a figure that Ms. Rapalus said is “related to all ofthe e-commerce thats going on.” She noted that organizations withcredit card databases are often attacked and the stolen informationcan then be used to make purchases.

The CERT report, meanwhile, said that more advanced scanningtools are being used by attackers in looking for potential victims,maximizing the impact and speed of the attacks. Some tools “exploitvulnerabilities as part of the scanning activity, which increasesthe speed of propagation,” the report noted.

In addition, todays attack tools can self-initiate new attackswithout human intervention. “We have seen tools like Code Red andNimda self-propagate to a point of global saturation in less than18 hours,” said CERT.

New attack tools may avoid detection using techniques that hidetheir nature, the report said. “Todays automated attack tools canvary their patterns and behaviors based on random selection,predefined decision paths, or through direct intruder management,”wrote CERT. In addition, such tools can be quickly upgraded. “Thiscauses rapidly evolving attacks and, at the extreme, polymorphictools that self-evolve to be different in each instance.”

CERT also reported that the number of newly discovered systemsvulnerabilities reported to it “continues to more than double eachyear. It is difficult for administrators to keep up withpatches.”

On a still more ominous note, the report said that technologiesare currently being designed to bypass the firewalls that are theprimary line of defense against intrusion for most companies.

“There is much more illegal and unauthorized activity going onin cyberspace than corporations admit to their clients,stockholders and business partners, or report to law enforcement,”stated Ms. Rapalus. “Incidents are widespread, costly andcommonplace.”

She added that insurers who seek to extend coverage to companiesfor cyber crime have a difficult task. “Its hard to get a handle on[cyber crime],” and most organizations are not disclosinginformation about attacks that occur on their systems.

“The trends seen by CERT/CC indicate that organizations relyingon the Internet face significant challenges to ensure that theirnetworks operate safely and that their systems continue to providecritical services even in the face of attack,” the CERT reportconcluded.

Reproduced from National Underwriter Property &Casualty/Risk & Benefits Management Edition, July 15, 2002.Copyright 2002 by The National Underwriter Company in the serialpublication. All rights reserved.Copyright in this article as anindependent work may be held by the author.