Week of February 25, 2002
Snapshot from the Field
LOOKING FOR A PREVIOUS STORY? CHECK THE ARCHIVE.
Report: Cyber-Attacks Doubled in 2001
Does SNMP 'Vulnerability' Put Real EstateBy JACK LYNE, Site Selection Executive Editor of Interactive Publishing
PITTSBURGH -- As real estate becomes ever more embedded in cyberspace, news has broken of a new, and potentially highly damaging, security flaw - and one that's drawn only a lethargic response from many computer equipment makers.
CERT Official: 'Raising
The Pittsburgh-based Internet security center has been working to elevate the problem's profile, contacting many of the companies with allegedly vulnerable products, CERT officials said. Many firms, however, have thus far offered little or nothing by way of reply, they added.
"I'm somewhat disappointed in our ability to raise the attention of some of the companies," Shawn Hernan, a CERT security specialist, told The New York Times. "It was a very difficult problem in trying to raise the attention of the right people."
Some companies, however, have responded proactively. CERT has listed the firms that have answered its advisory at www.cert.org/advisories/CA-2002-03.html#vendors. That list contains links to useful information that includes corrective patches and security advisories and bulletins. The list, however, does not include firms from which CERT has "not received comments" in reply to its alerts.
CERT Report: Last Year's Cyber
The total number of reported security attacks nearly doubled last year - to 52,658 incidents from 2000's 21,756 incidents, CERT reported. (A reported "incident may involve one site, hundreds, or even thousands of sites," CERT noted).
And the frequency trend line for computer security attacks is steadily shifting upward, the report noted. In 1999, for example, the number of reported incidents was 10,000 - less than one-fifth of 2001's total.
The CERT report documented a similarly rising trend in reported security vulnerabilities in software. Last year, 2,437 software security vulnerabilities were reported, more than doubling the 1,090 vulnerabilities reported in 2000. In 1999, only 417 software vulnerabilities were reported - less than a fifth of 2001's tally.
CERT officials added, however, that those recent upswings might not reflect "pure" numerical increases. Viruses like Code Red and Nimda have created greater awareness of the dangers of Internet security breaches; as a result, more companies and individuals may be coming forward to report incidents, they explained.
Agency Head: Government Must Provide
Predicting cyber-attacks and providing warnings is one of the main areas in which NIPC needs improvement, Dick said in a frank speech to the recent CyberCrime 2002 conference in Mashantucket, Conn.
Another measure of the NIPC's effectiveness, Dick added, lies in providing information that the private sector can turn into action. And the agency created in February of 1998 has only recently begun to make concrete progress there, he allowed. "The NIPC has finally reached a level of capabilities that we are finally providing value-added products and information," Dick said.
Cyberspace security, however, must be a two-way public/private street, the NIPC director argued. "Infrastructure protection can only be accomplished with the government and private sectors working together," Dick told the CyberCrime conference.
One collaborative example is Infraguard (www.infragard.net), which Dick called "one of the largest government/private-sector joint partnerships for infrastructure protection in the world." Developed by the FBI, Infraguard includes more than 3,000 U.S. government and corporate officials, who meet to discuss cyber-security.
"We've done a pretty good job of being reactive to events," Dick concluded. But "strategic analysis" is Dick's No. 1 priority, he said. The NIPC, Dick explained, is now beginning a strategic analysis program focused on "prediction, prevention, detection and mitigation." One hoped-for outcome, he said: a "cyber weather forecast" providing a daily outlook for cyber-threats on the horizon.
©2002 Conway Data, Inc. All rights reserved. Data is from many sources and is not warranted to be accurate or current.