Cyber Attacks Bleed U.S. Companies

Malicious attacks on corporate computer systems are growing increasingly sophisticated, resulting in reported financial losses to U.S. companies of nearly half a billion dollars, according to experts at Carnegie Mellon University and the Computer Security Institute.

In a report released in April, the CERT Coordination Center said the speed of attack tools is increasing and that they are more difficult to detect via antivirus software and intrusion detection systems.

Based in Pittsburgh, CERT is a center of Internet security expertise at the Software Engineering Institute, operated by Carnegie Mellon. The Center studies Internet security vulnerabilities and publishes security alerts.

The Computer Security Institute, based in San Francisco, said in its seventh annual Computer Crime and Security Survey that “the threat from computer crime and other information security breaches continues unabated and the financial toll is mounting.” CSI is an association of information security professionals.

The survey, conducted by CSI with the participation of the San Francisco Federal Bureau of Investigations Computer Intrusion Squad, polled 503 computer security professionals in U.S. corporations, government agencies, financial institutions, medical institutions and universities. CSI said 90 percent of respondentsprimarily large corporations and government agenciesreported experiencing computer security breaches in the last 12 months, while 80 percent acknowledged financial losses due to breaches.

The 44 percent of respondents (223) who were willing and/or able to quantify financial losses reported a total of $455,848,000 lost, said CSI. The most serious losses occurred from theft of proprietary information (26 respondents reported a total of $170,827,000) and financial fraud (25 respondents reported a total of $115,753,000).

While conventional wisdom holds that attacks occur more often from within an organization than from outside, the survey showed the opposite. For the fifth year in a row, more respondents (74 percent) cited their Internet connection as a frequent point of attack than cited their internal systems as the point of attack (33 percent), said CSI.

“Its not that inside attacks are diminishing,” explained Patrice Rapalus, director of CSI, “but outside attacks are growing.” Sometimes it may be difficult to tell if an attack is coming from inside a company or outside if, for example, an employee working at home launches an attack. “If the attack comes from a contractor working for you, was that from inside or outside?” she added.

The survey also found that 40 percent of respondents had detected system penetration from outside and 40 percent detected denial-of-service attacks. In addition, 85 percent said they had detected computer viruses.

Meanwhile, 70 percent of those attacked reported some vandalism to their Web sites, as compared with 64 percent in 2000. Ms. Rapalus attributed that increase to the continuing growth of connectivity.

“Everyone has computers,” she noted. “You still have your stereotypical teenagers defacing Web sites, but more connectivity leads to more of these kinds of things.”

CSI said 12 percent of respondents reported theft of transaction information, a figure that Ms. Rapalus said is “related to all of the e-commerce thats going on.” She noted that organizations with credit card databases are often attacked and the stolen information can then be used to make purchases.

The CERT report, meanwhile, said that more advanced scanning tools are being used by attackers in looking for potential victims, maximizing the impact and speed of the attacks. Some tools “exploit vulnerabilities as part of the scanning activity, which increases the speed of propagation,” the report noted.

In addition, todays attack tools can self-initiate new attacks without human intervention. “We have seen tools like Code Red and Nimda self-propagate to a point of global saturation in less than 18 hours,” said CERT.

New attack tools may avoid detection using techniques that hide their nature, the report said. “Todays automated attack tools can vary their patterns and behaviors based on random selection, predefined decision paths, or through direct intruder management,” wrote CERT. In addition, such tools can be quickly upgraded. “This causes rapidly evolving attacks and, at the extreme, polymorphic tools that self-evolve to be different in each instance.”

CERT also reported that the number of newly discovered systems vulnerabilities reported to it “continues to more than double each year. It is difficult for administrators to keep up with patches.”

On a still more ominous note, the report said that technologies are currently being designed to bypass the firewalls that are the primary line of defense against intrusion for most companies.

“There is much more illegal and unauthorized activity going on in cyberspace than corporations admit to their clients, stockholders and business partners, or report to law enforcement,” stated Ms. Rapalus. “Incidents are widespread, costly and commonplace.”

She added that insurers who seek to extend coverage to companies for cyber crime have a difficult task. “Its hard to get a handle on [cyber crime],” and most organizations are not disclosing information about attacks that occur on their systems.

“The trends seen by CERT/CC indicate that organizations relying on the Internet face significant challenges to ensure that their networks operate safely and that their systems continue to provide critical services even in the face of attack,” the CERT report concluded.

Reproduced from National Underwriter Property & Casualty/Risk & Benefits Management Edition, July 15, 2002. Copyright 2002 by The National Underwriter Company in the serial publication. All rights reserved.Copyright in this article as an independent work may be held by the author.

Special Reports /

Cyber Attacks Bleed U.S. Companies

Related Stories

Recommended For You