In March 2000, the Computer Security Institute (CSI) announced results of its fifth annual Computer Crime and Security Survey. The survey is conducted by CSI with the participation of the San Francisco Federal Bureau of Investigation (FBI) Computer Intrusion Squad.
Respondents included 643 computer security practitioners in U.S. corporations, government agencies, financial institutions, medical institutions and universities.
Highlights of the 2000 CSI/FBI Computer Crime and Security include the following:
- There is no such thing as a completely secure computer network. 90% of the respondents suffered breaches to their computer networks within the past year. The companies reporting these breaches were primarily large corporations and government agencies.
- There is an accident waiting to happen if you do not monitor e-business security. When asked, 32% of the respondents reported that they did not know if there had been unauthorized access or misuse of their computer network.
- Internal users are just as risky as outsiders. From the survey taken, 71% of the respondents reported unauthorized access by those within the organization.
- Network security breaches hurt the bottom line, as 74% of respondents reported financial losses stemming from breach of computer security. The report also indicates that 273 organizations that were able to quantify their losses reported a total loss of over $265 million. Reported theft of proprietary information resulted in losses totaling in over $66 million for 66 respondents. Losses from financial fraud totaled in over $55 million for 53 respondents.
Conducted in April and May of 1999, the joint ICSA/Global Integrity Industry Survey was completed by 745 respondents including Administrators, Managers and Executives in IT, Security, Networking and Data Management.
Highlights of the survey include the following:
- Corporate security breach is on the rise. The number of companies hit by an unauthorized access (hacking/cracking) breach increased nearly 92% from 1997 to 1998.
- e-Business activities make you a bigger target. Companies conducting business online are 57% more likely to experience a proprietary information leak and 24% more likely to experience a hacking-related breach.
- New internet exposures threaten your network. Hackers/crackers (21%), malicious code (17%), email (15%) and secure remote access (14%) are claimed to be the greatest source of concern. A reported 77% of respondents had suffered losses from virus attack.
- Companies are not ready for secure e-business as 52% of the respondents claimed their company’s state of information security is average or below. As well, 35% claimed that security doesn’t have high visibility.
- e-Business losses are more than financial. Of the respondents who admit suffering a security breach, there were significant interruptions to business operations and additional loss of reputation along with the financial loss.
Hackers have a variety of ways to unleash cyber attacks on individuals and businesses, and they use their nefarious toolbox each and every day to steal sensitive information. According to Symantec’s 2011 Cybercrime Report, the daily cost of hacking in the US is a whopping $382 million.
Phishing for Data
One common technique to trick employees into giving away sensitive information is called “phishing.” In a phishing attack, an official-looking email pretending to be from a bank or some other reputable company that your firm does business with is sent to one of your employees. The email usually gives a reason why the employee needs to click a link to log into the account with said company.
For example, a phishing email from a financial institution might tell the reader that contact information needs to be updated, and clicking the link in the email will take the user to the correct web page. The employee is fooled into believing the email, clicks the link, and is directed to a bogus web site that appears to be totally legitimate – the logos and style of the web site are nearly identical to the real thing. So, the user logs in, and immediately the bad guys have your firm’s username and password for the bank.
Other Email Scams
An article in Fast Company speculates that another kind of email attack is how a Pentagon contractor’s computer network might have been compromised last year, when it lost 24,000 files to hackers.
The potential scenario goes like this: A particular employee of the defense contractor was targeted, and the hackers did research to find out who this employee’s co-workers were. Then, the hackers send an email to the employee and make it appear that it is from a trusted co-worker. The email contains an attached file that the email says needs to be reviewed. So the employee is totally duped and opens the attachment. Doing so introduces malicious code into the network; at this point the possibilities are nearly endless for the criminals.
Bots and Spiders
Exploiting known security holes in programs and operating systems is another method hackers use to destroy your digital defenses. Computer scripts called “spiders” are always searching networks connected to the Internet for vulnerabilities. When the spider finds one, the hacker has access to your system.
Then, another computer program called a “bot” takes over. The bot exploits the weakness the spider found, by infecting your system with code that will pass back to the criminal all sorts of files and other information stored on the network.