Over-Confidence is Pervasive amongst Security Professionals ; 2007 E-Crime Watch Survey shows security incidents, electronic crimes and their impact steady versus last year

FRAMINGHAM, MA. – September 11, 2007 – CSO magazine today releases results of the 2007 E-Crime Watch Survey. This year’s study revealed that while security events and electronic crimes were steady against last year’s findings, there are real concerns that security executives may be becoming over confident.

Conducted with the U.S. Secret Service, Carnegie Mellon University Software Engineering Institute’s CERT® Program and Microsoft Corp., the fourth annual survey polled 671 security executives and law enforcement officials on a variety of security topics, including commitment to security, the source of e-crimes, the top e-crimes professionals are experiencing, methods of attack, security technologies being deployed to defend against attacks, and the legal steps organizations are taking after they’ve been attacked.

“There is little doubt that organizations have learned a tremendous amount about security in the last five years and are making serious headway in understanding and combating threat,” said Bob Bragdon, publisher of CSO Magazine. “At the same time, we saw signs in this study that organizations think they have things handled, which is concerning given the recent rise in targeted, financially motivated attacks.”

A key indication of the study was that while 57% of participants said they are increasingly concerned about the potential effects of e-crime, and 49% of them reported experiencing an e-crime in 2006 vs. 38% the prior year, other responses suggested they are not prioritizing security as much as they have in previous years. For example, 69% of respondents said they are more prepared to deal with those threats than they have been in the past, yet these same organizations said they’ve trimmed spending on IT security by 5% and corporate security by 15%.

“You should never let down your guard when it comes to cybersecurity,” said Jeff Jones, director of Trustworthy Computing for Microsoft. “Crime is a fact of life in the digital world just as it is in the physical world; even with the best security posture, you must still steadily guard against potential threat.”

The Source of Crimes: Insiders, Outsiders and the Unknown

Part of guarding against threat is understanding its source, and so the survey posed several questions to compare cybercrimes by insiders and outsiders.

When asked who caused more damage (in terms of cost or operations), results were fairly close (insiders 34%, outsiders 37%, unknown 29%). But by their actions, participants indicated they may not be giving as much attention to insider threats as would seem justified. For example, background checks dropped from use in 73% of the organizations last year to only 57% this year, account/ password management policies dropped from 91% of the organizations last year to 84% this year, employee monitoring from 59% to 42%, and employee security awareness training from 68% last year to 38% this year.

“It is important that organizations are proactive in their approach to mitigating insider threats,” says Dawn Cappelli, Senior Member of the Technical Staff at CERT. “Defense-in-depth isn’t just about putting adequate technology in place, it’s also about paying attention to your people and implementing policies and procedures to reduce the likelihood of an insider attack. Our research has shown that those very policies and practices that respondents are cutting back on are critical in mitigating insider threats”

The potential for damage from an insider attack is clear. Three of the top four e-crimes experienced this year were widespread attacks not targeted at an individual organization; insider attacks, on the other hand, were targeted at their organization. , Survey results show that most insiders targeted proprietary information, including intellectual property, customer and financial information. Indeed, unauthorized access to/use of corporate information, systems or networks was the most common insider e-crime (experienced by 27% of respondents who experienced e-crime). Theft of intellectual property was the second most common e-crime (24%), theft of other information (including financial and customer records) was #3 (23%) and fraud (credit card, etc.) was #4 (19%).

Also of note was a shift in the methods being used by insiders to commit e-crimes. The use of social engineering techniques (gaining access through manipulation of a person or persons who can permit or facilitate access to a system or data) jumped to become the #1 method (45% v. 38% last year) followed by individuals using compromised accounts (39%), copying information to mobile devices like USB drives or iPods (36%), and use of their own account (35%). The use of sophisticated technologies like password crackers or sniffers jumped from being used by insiders in 17% of the organizations last year to 31% this year.

The survey found no major changes in e-crimes being perpetrated by outsiders, although there were marked jumps in the illegal generation of SPAM email (53% vs. 40% last year) and phishing attacks (46% vs. 31% last year). The top five e-crimes perpetrated by outsiders were: virus, worms or other malicious code (experienced by 74% of respondents), unauthorized access to/ use of information, systems or networks (experienced by 55%), illegal generation of SPAM email (experienced by 53%), spyware (not including adware – experienced by 52%), denial of service attacks (experienced by 49%), and phishing (experienced by 46%).

Electronic Crime Trends:

Of some concern is that most e-crimes, whether perpetrated by an insider or an outsider, are handled internally without involving legal action or law enforcement (67% for insiders, 66% for outsiders.) Given the growth in the number of crimes involving the theft of personally identifiable information, and the breach notification laws that have been passed, it is concerning to see that organizations continue to handle so many cases within their own walls. When asked why they had not referred these e-crimes for legal action, respondents echoed last year’s findings that either the damage level was insufficient to warrant prosecution (40%), there was a lack of evidence (34%), or that they could not identify the individuals responsible (28%).

Best Practices in Preventing Electronic Crimes:

The survey found that the most effective technologies were: Statefull firewalls (maintaining its position as #1 at 82%), access controls (new to this year’s survey at 79%), electronic access controls (78%), application layer firewalls (72%), and host-based anti-virus (70%). The least effective technologies were: manual patch management, surveillance, password complexity, badging, and RBL-based SPAM filtering.

These results show high levels of confidence in traditional perimeter technologies. But these all have limited effectiveness – enterprise perimeters are no longer clearly defined and the respondents’ reliance upon traditional perimeter technologies may leave them exposed to attacks that bypass the perimeter.

On the other hand, the survey found that organizations are relying upon processes and policies to secure against insider threats. Inappropriate use policies and segregation of duties, tools that have always been available to management, are finding increased acceptance as effective means to ensure compliance and supplement technological means of securing information assets.

Complete results available at http://www.CSOonline.com .

About the 2007 E-Crime Watch Survey

The 2007 eCrime Watch survey was conducted by CSO magazine in cooperation with the U.S. Secret Service, Carnegie Mellon University Software Engineering Institute’s CERT® Program and Microsoft Corp. The survey was deployed July 26, 2007, through August 13, 2007. An email invitation containing a link to the survey was sent to 15,000 CSO magazine readers and members of the US Secret Service’s Electronic Crime Task Forces, yielding 671 respondents. Margin of error is +/- 3.79 percent. Respondent answers cover the period between July 2006 and June 2007.

NOTE TO EDITORS: Complete results available at http://www.CSOonline.com . Any references to the data from the 2007 E-Crime Watch survey must be sourced as originating from the following: CSO magazine, U.S. Secret Service, CERT® Program, Microsoft Corp.

1. Security Event: An adverse event that threatens some aspect of

computer security.

Note: For the purposes of this survey, Security Events do NOT

include: receipt of spam; phishing emails sent to employees;

virus-carrying emails or routine network and port scanning

activity that are blocked by standard perimeter defenses;

discovery of vulnerabilities in packaged software.

Events DO include (but are not limited to):

– Actual virus infections (a single outbreak affecting multiple

machines is one "Event") or worms or denial-of-service attacks

that affect system performance/availability.

– Anomalous Internet/network activity that appears targeted

specifically at your organization, including successful or

unsuccessful targeted hacks/exploits.

– Loss or theft of backup tapes, laptops with sensitive data,

mobile devices with sensitive data or other inadvertent

exposure of data.

2. Electronic Crime (eCrime): A crime (an illegal act) that is

carried out using a computer or electronic media. Intrusion:

An incident in which an organization's computing systems are

compromised by an unauthorized individual or individuals.

3. Insider: Current or former: employee, service provider or

contractor. Outsider: Someone who has never had authorized