CSI/FBI Report: Losses Down, Vulnerabilities Up

Ex-FBI agent and ISS X-Force director discusses Computer Security Institute report

The Computer Security Institute released its eighth annual Computer Crime and Security Survey report, a collaboration with the San Francisco branch of the FBI. This year, 530 security practitioners from United States organizations responded. Among the surprising results: the cost and severity of attacks has actually gone down. Still, a whopping 50 percent of all attacks go unreported, and 22 percent of companies don’t know if their Web site suffered unauthorized access.

To discuss these findings, what the report didn’t ask, and more, Security Strategies sat down with Patrick Gray, a 20-year veteran of the FBI and the former FBI Cyber Crime Squad director. Now, he’s director of X-Force Emergency Response Services at Internet Security Systems Inc. (ISS) in Atlanta.

Q. What are some interesting findings with this year’s CSI/FBI report?

A. Reported financial losses are one-tenth of what they were last year—I find that astounding. It’s amazing that it’s down, and I don’t know why. Either the hackers aren’t as good as they were or people are shoring up security.

Q. Have the big threats changed?

A. Disgruntled employees and independent hackers are still hitting companies. Hackers are still running scripts and sending them across the Internet looking for known vulnerabilities.

Q. What else stands out in the report?

A. We continue to see an upswing in viruses, but … we’re also seeing vulnerabilities exceed the number of new viruses; this is a first. Systems administrators will have to worry about a lot more than they used to. Denial of service attacks are still very big—that’s always been a biggie—but we see more and more of them now.

Q. How accurate are the findings of the report, given the self-reported scores and sample size?

A. You have to take it with a grain of salt. It’s a good barometer, and again it’s only 500 companies in the U.S., and the Internet is global. I would like to see a report like this go a little farther than [our] Atlantic and Pacific borders. [But] I don’t think, since it’s done by a California firm and the FBI, that many foreign bodies would respond to such a request. I would like to get an international neighborhood security watch going, because until [then], we’re still going to be in trouble. Right now the countries that are hacking the most, the most prodigious people are the Chinese, number two is Brazil, and then the [South] Koreans.

Q. Was this year’s report the same approach as previous years?

A. Yes, the same approach, but there are some things that I truly wish they would ask that would give us a better barometer of what’s going on out there, and more specifically about how companies are addressing network security issues.

Q. What would some of those questions be?

A. One of the first issues … is how many have assessed their networks’ level of risk management and assigned rankings to all that? In other words, finding out which systems are mission critical, then do an assessment on those. Second, how many of the respondents have an up-to-date information security plan? Third, [do] they have an IT security plan, have they tested that plan, have they run a scenario against that plan? Those three things would give a great barometer.

I’m all about having security start inside, with policy, procedures, standards—and that goes from not only how you set up your own networks, both internally and externally, but it encompasses bringing in the workforce as well, and having them educated to what security is all about. If you don’t get buy-in from the workforce, you’re going to have trouble ahead.

Q. Do companies, in general, even have a security plan today?

A. I’m the director of our penetration testing services, and I can’t tell you how many companies we go to, to try and find out how they were hacked, and remediate, and we find that they do not have plans for that.

Q. Given recent world events, might overall awareness of security and disaster plans be higher?

A. Not might be, should be—and they’re not. And I’m amazed; one of the things my team does is create these policies for companies, they’ve been hammered and we come in and help. But you would think, based on 9/11 and seeing what happened to Cantor Fitzgerald, that people would have gotten a clue, but … things are changing all the time and unfortunately, systems administrators at most companies are busier than heck.

Q. What counts as an up-to-date security plan?

A. Being up-to-date means that if there are personnel or technology resources that have changed since the plan was drawn up, the plan needs to change, reflecting those changes.

Q. So many companies haven’t thought out who does what in any type of emergency?

A. I run our emergency response team. What we find more often than not is, because companies do not have a plan upon learning of a hack or intrusion or internal problem, they tend to see if they can figure out what went on first, and … they generally screw it up. It’s a crime scene and they’ve trampled all over it, and it’s very difficult to get evidence from a crime scene that’s been trampled all over. So part of that plan is to identify what should happen to your system after you’ve had an intrusion. Know what to do and who[m] to call.

Q. How about this finding: 22 percent of companies don’t know if their Web site has suffered unauthorized access?

A. Yikes. You don’t know what you don’t know. That’s just people being inattentive and not understanding reality. If you can’t say whether or not you’ve been hacked, you’re not doing best practices, or logging and reviewing the logs, or having an intrusion detection system (IDS) in place that would alert you when there’s a problem. A lot of companies do have IDS but I’m not sure what they’re using it for, the survey says a whole bunch are using it but they shouldn’t be hacked if they’ve got IDS and they’re paying attention to it.
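The point above is that a site which cannot say whether it has been accessed without authorization is not reviewing its logs. The script below is an added example, not code from the article or from ISS: it parses a few constructed web-server log lines in Apache combined format and applies one simple review rule, flagging any client that collects several denied responses (401/403) and, more seriously, any client that later receives a successful response on a path that had previously denied it. Threshold, log lines and addresses are all assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Apache combined log format (not from the article).
# Client 203.0.113.7 is denied on /admin/login three times and then gets a 200.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2003:13:55:36 -0700] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Jun/2003:13:55:40 -0700] "GET /admin/ HTTP/1.1" 403 512 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Jun/2003:13:55:41 -0700] "GET /admin/login HTTP/1.1" 401 512 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Jun/2003:13:55:42 -0700] "POST /admin/login HTTP/1.1" 401 512 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Jun/2003:13:55:43 -0700] "POST /admin/login HTTP/1.1" 401 512 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Jun/2003:13:55:44 -0700] "POST /admin/login HTTP/1.1" 200 4096 "-" "Mozilla/4.0"
198.51.100.22 - - [10/Jun/2003:14:01:02 -0700] "GET /products.html HTTP/1.1" 200 8120 "-" "Mozilla/4.0"
198.51.100.22 - - [10/Jun/2003:14:01:09 -0700] "GET /missing.gif HTTP/1.1" 404 210 "-" "Mozilla/4.0"
"""

# Fields of the combined format that the review rule needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["status"] = int(rec["status"])
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        records.append(rec)
    return records


def review_access(records, denied_threshold=3):
    """Per client IP, count denied responses (401/403) and record any path that
    was denied to that client and later answered with a 2xx. A client is reported
    when it reaches the denied threshold or shows a success after denial."""
    denied = defaultdict(int)
    denied_paths = defaultdict(set)
    success_after_denial = defaultdict(set)
    # Process in time order so "later success" really means later.
    for rec in sorted(records, key=lambda r: r["ts"]):
        ip, path, status = rec["ip"], rec["path"], rec["status"]
        if status in (401, 403):
            denied[ip] += 1
            denied_paths[ip].add(path)
        elif 200 <= status < 300 and path in denied_paths[ip]:
            success_after_denial[ip].add(path)
    findings = {}
    for ip in set(denied) | set(success_after_denial):
        if denied[ip] >= denied_threshold or success_after_denial[ip]:
            findings[ip] = {
                "denied": denied[ip],
                "success_after_denial": sorted(success_after_denial[ip]),
            }
    return findings


if __name__ == "__main__":
    for ip, detail in review_access(parse_log(SAMPLE_LOG)).items():
        print(ip, detail)
```

The rule is deliberately narrow; a real review would add rate windows and path allow-lists, but even this much answers the question the survey respondents could not: whether a protected path was reached after being refused.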

Q. How accurate are the percentage figures?

A. You can’t use percentages in this survey, because they’re reporting on the percentage of people who reported.

Q. What about the report’s question about hiring “reformed hackers” to do penetration testing?

A. I couldn’t disagree more with that notion, because there are a lot more good people out there who are knowledgeable than there are reformed hackers. I run a pen-testing group here that is a whole stable of engineers that are not hackers, these are people who get into systems at the behest of a company. These are very smart people. They’re not ethically challenged, if you will. We have about a 98 percent rate of getting into a network that we’ve been engaged to get in.

Q. In light of today’s many known vulnerabilities, could most companies stand to guard against those before turning to penetration testing?

A. We use our products, Internet Scanner, Database Scanner, to find out where they’re weak to begin with. Anyone can use those. They need to continually scan or have their networks scanned looking for those vulnerabilities, and not only find the vulnerabilities but remediate them. I can’t tell you how many times we go out there and scan and find known vulnerabilities. Every day that vulnerability remains out there is a day you remain vulnerable to the hacking community. It’s a rough environment.

Editor's Note: You'll find more about the report at http://www.gocsi.com/forms/fbi/pdf.html

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.