March 29, 2001 3:05 PM PST
Hackers say corporate security still poor
The conference--whose speakers include creators of major open-source security tools as well as security specialists--has brought together not theorists but the software mechanics who create and break network security for a living.
The evaluation of current Internet security seemed grim.
"Awareness is growing," said Lance Spitzner, founder of the Honeynet Project and a security engineer at Sun Microsystems. "But so much stuff is being placed on the network that we can't keep up with securing (it)."
Spitzner should know. Under the Honeynet Project, he and collaborators--some hackers, some security experts and many who are both--leave unprotected servers on the Internet, keeping a close watch until a network intruder breaks in. Such "honeypots" have revealed much about the techniques of online attackers as well as the general lack of security in most operating systems' default installation.
The poor security of such cookie-cutter systems is a major problem, said Spitzner.
With a growing number of automated scanners and Internet-aware worms searching for vulnerable machines, the average computer placed on the Internet will be hacked in about 8 hours, he said.
"Bad guys are keeping ahead of us," he said. "There's data leaking out of networks everywhere."
Another network-security specialist, for an academic supercomputer center, said university networks are even worse, with an unsecured computer lasting only about 45 minutes before some student or Internet intruder takes control of the system.
Too much information
That's despite the proliferation of firewalls, even on personal computers, and increasing corporate use of so-called intrusion detection systems--the burglar alarms of the Internet.
"The tools and the technology are making progress," said "Rain Forest Puppy," or RFP, a hacker and security consultant well known for finding security flaws in Microsoft's software and for publishing responsible guidelines for making such information public. "The technology is getting easier to use, but there will be more people to secure, only a fraction of which we can handle."
Attempts at educating
Meta Group says security problems do exist, but security companies, which are in the business of selling security software, tend to exaggerate the problem.
"I'm pessimistic," he said. "Users are starting to get more educated, but you can't make them learn." In particular, management generally pushes security onto the back burner, said Roesch.
The Computer Security Institute's 2001 Computer Crime and Security Survey found that cybercrime tallied up $378 million in losses among the 186 companies that were able to quantify their damages in 2001; the damage figures cover losses in the previous year. That average of $2 million per company doubled the average shortfall reported by the 249 businesses that responded in 2000.
And those losses are only expected to mount. "It's not even a head-to-head race," said hacker RFP. "Security is still losing ground."