A correction was made to this story. See below for details.
Despite investing in a variety of security technologies, enterprises continue to suffer network attacks at the hands of malware writers and inside operatives, according to an FBI report released today. Many security incidents continue to go unreported.
The 2005 FBI Computer Crime Survey was taken late last spring by 2,066 organizations in Iowa, Nebraska, New York, and Texas, a group that survey organizers deemed a good sample of enterprises nationwide. The report is designed to "gain an accurate understanding" of computer security incidents experienced "by the full spectrum of sizes and types of organizations within the United States," the FBI said. The 23-question survey addressed such issues as the computer security technologies enterprises use, what kinds of security incidents they've suffered and what actions they've taken.
The survey is not the same as the CSI/FBI Computer Crime and Security Survey, which has been conducted for several years and has a somewhat different focus, method and restricted number of respondents, the FBI said.
Among the findings:
- Security software and hardware failed to prevent more than 5,000 incidents among those surveyed. Eighty-seven percent of respondents said they experienced some type of incident.
- A common point of frustration among respondents came from the nonstop barrage of viruses, Trojans, worms and spyware.
- Use of antivirus, antispyware, firewalls and antispam software is almost universal among those who responded. But the software apparently did little to stop malicious insiders.
- Of the intrusion attempts coming from outside the organizations, the most common countries of origin included the United States, China, Nigeria, Germany, Russia and Romania.
- New York had the lowest percentage of organizations experiencing unauthorized access, but it had the highest percentage of those experiencing insider abuse, laptop theft, telecom fraud, viruses and Web site defacement. Austin was home to the organizations most likely (more than 91%) to have at least one type of computer security incident.
- Of those admitting they didn't alert the authorities after a security breach, about 700 respondents said there was no criminal activity, an almost identical number indicated the incident was too small to report and 329 (23%) thought law enforcement wouldn't be interested.
The report quotes a number of high-profile security experts, including Eugene Spafford, a computer science professor at Purdue University, advisor to Presidents Bill Clinton and George W. Bush and director of the Center for Education and Research in Information Assurance and Security (CERIAS); and Frank Abagnale, a former conman whose crimes inspired the memoir and movie "Catch Me If You Can."
"I continue to be surprised, not at the variety of incidents, but at the magnitude of flaws in deployed systems and the subsequent attacks and losses, all of which are accepted as business as usual," Spafford said. "So long as we continue to apply patches and spot defenses to existing problems, the overall situation will continue to deteriorate. Without a significant increase in focus and funding for both long-term cybersecurity research and more effective law enforcement, we can only expect more incidents and greater losses year after year."
Security technology doesn't catch everything
Asked what kind of security technology they've invested in, 98% of respondents said antivirus software. Firewalls were close behind, with more than 90% using either software or hardware firewalls.
Operating system safeguards -- limits on which users could install software, password complexity requirements and periodic password changes, for example -- were used by about half of respondents. Virtual private networks (VPNs) proved to be a popular means of achieving security for 46% of respondents. Advanced techniques like biometrics (4%) and smartcards (7%) were implemented less frequently.
Having more security measures didn't exactly translate into fewer attacks. "In fact," the report said, "there was a significantly positive correlation between the number of security measures employed and the number of denial-of-service attacks. It is likely that organizations that are attractive targets of attacks are also most likely to both experience attack attempts and to employ more aggressive computer security measures. Also, organizations employing more technologies would likely be better able to be aware of computer security incidents aimed at their organizations."
Few can avoid attacks
In the end, the vast majority of respondents (87%) said they experienced some type of computer security incident. The average organization experienced several different types of incidents, including virus-borne attacks and port scans, the report said.
More than 79% said they'd been affected by spyware and almost 84% were affected by a virus attack at least once in the last 12 months, despite the almost universal use of antivirus software. Port scans were detected by 33% of respondents, though the report suggests a higher number of scans have gone undetected.
New York had the lowest percentage of organizations experiencing unauthorized access, but the highest percentage experiencing insider abuse, laptop theft, telecom fraud, viruses, and Web site defacement. Austin, being the most high-tech area surveyed, was home to the organizations most likely (over 91%) to have at least one type of computer security incident.
Repeated attacks are common
Another disturbing trend spotlighted in the report is that organizations are suffering repeated security incidents. Just over half of the respondents indicated that they had experienced up to four incidents, for example.
Almost 20% indicated they experienced 20 or more incidents, and large organizations -- with gross income greater than one billion dollars -- were more than twice as likely to be in the 20 or more attacks category. More than 45% of respondents from larger organizations reported the higher number of attacks, compared to 19.2% of overall respondents. Forty percent of organizations in the education and state government sectors reported 20 or more incidents.
The insider threat persists
Respondents were asked if they had experienced attacks at the hands of insiders. Of those who answered the question, 44% said they had experienced intrusions from within their organization.
"These results demonstrate the need for employee background checks on IT staff, as well as people in the mail room, accounts payable and accounts receivable," Abagnale said.
While the insider threat is real for all organizations, the report said that overall, more than twice as many incidents came from outside the organization as from within, which "underlines the importance of intrusion prevention/detection systems as well as firewalls, logs, password complexity, and other technology and physical security measures."
Meanwhile, 25% of those experiencing unauthorized access believed they had been hit from both inside and outside their organization.
Countries of origin
Surprisingly, the report said, 53% of organizations that acknowledged outside intrusions also identified the country of origin. Thirty-six countries made the list, but seven appeared to be the source for 75% of attacks.
The United States and China seem to be the source of more than 50% of the intrusions, the report said. Organizations with revenue greater than $5 million were more than twice as likely to identify China as the source of the intrusion attempt.
The report acknowledged that pinpointing the countries of origin is a difficult, unscientific exercise at best. "It is difficult to identify statistically significant trends with a high degree of probability," the report said. "Evidence of an intrusion that indicates a particular country may not be conclusive since computer hackers often use proxies and Trojanized computers in other countries to mask their identity and make detection difficult."
An example of this type of stepping-stone attack would be a Romanian hacker who uses a proxy computer in China to access a compromised computer in the United States, the report said. This U.S.-based computer would then be used to perform the computer intrusion. Those investigating the incident may falsely conclude that the source was within the United States.
What companies did after a security incident
Respondents were asked what they did after learning of a security incident. The top two responses were to install security updates and install additional computer security software.
The next most common response, hardening corporate security policies, may indicate that the incident originated from within the organization and that the corporate security policies in place at the time weren't "fully mature," the report said.
Only 2% of organizations chose to seek civil remedy through a lawyer.
Incidents that go unreported
Respondents who did not report security incidents to the authorities were asked why not. Just over 700 said there was no criminal activity and almost 700 indicated the incident was too small to report. Those who thought law enforcement was not interested in such incidents numbered a disturbing 329 (23%), the report said.
An equal number indicated they did not think that law enforcement could help.
"This may be due to the nature of the security incident or it may be the public's perception (or experience) that law enforcement was not equipped to investigate computer crime," the report said. "While some individual law enforcement officers are not trained to respond to computer security incidents, local, state, and federal law enforcement agencies have become increasingly equipped to both investigate and assist in the prosecution of such violations."
The report added, "Computer related crime is the third-highest priority in the FBI, above public corruption, civil rights, organized crime, white collar crime, major theft and violent crime."
While law enforcement commonly hears about organizations' concern over minimizing public knowledge of a computer intrusion and concern over the effect on stock price for a public company, only 3% of respondents said minimizing the potential negative public exposure was a reason for not reporting an incident to law enforcement.
Editor's note: When first published, this story incorrectly stated that the FBI Computer Crime Survey is an annual survey. It is in fact a one-time survey.