Technology: Building in Security?
Fact: Bill gates revealed that security is the single largest expense in Microsoft’s $6B annual R&D budget. Over 90% of desktops run Microsoft’s operating systems. New worms exploit widely-known vulnerabilities that allow the worm to proliferate, infect and potentially damage systems without user intervention or knowledge. A CSO Magazine on-line survey of 500 executives in cooperation with US Secret Service and Carnegie Mellon Software Engineering Institute reported that 43% saw a rise in electronic crimes in the past year, about 70% had at least one e-crime or intrusion and 56% operational losses as a result. Yet 32% had no formal plan for tracking e-crime losses, and 41% had no plan for reporting incidents. 71% of attacks came from outside sources, and only 29% from insiders. Over 77% fell prey to viruses and other malicious attacks. 36% reported terminating employees for misbehavior detected in employer monitoring. Among damaging security events, respondents cited DOS attacks, illegal spam, unauthorized insider access and phishing.
Analysis: Since information systems are likely to remain very vulnerable indefinitely (including the 90%+ running Microsoft), a combination of vendor fixes, user security applications and strong vigilance will be needed to protect the enterprise – which should still expect attacks and e-crime losses, despite their best efforts. The Sarbanes-Oxley Act and related corporate controls in recent statutes demand stronger data protection.
Comment: The peak of the vulnerability increase curve may have been reached, as Carnegie Mellon’s CERT reported a downward trend in new vulnerabilities reported for the first time in seven years, in the last quarter of 2003. As Microsoft and other systems increase built-in security and user defenses rise, e-crime prevention may make a dent in the geometric rise of computer crime experienced over the past seven years. Still, it can take a couple hours to download security updates for your new laptop.
See:
