Great Circle Associates Firewalls
(December 1996)
 


Subject: Corporation Security - 90 Day Study
From: vin @ shore . net (Vin McLellan)
Date: Mon, 2 Dec 1996 03:29:06 -0500
To: firewalls @ greatcircle . com
Cc: warroom2 @ aol . com, tuckerp @ css583 . gordon . army . mil

        "Phil Tucker" <tuckerp @ css583 . gordon . army . mil> asked:

>A Corporation Security Study was conducted during July-Oct
>timeframe. This was aired on TV but did not indicate if a
>copy of the report was available. Does anyone know where a
>copy of this report might be retrieved?

        You may be seeking the WarRoom Research study on corporate security
practices, which collected 205 anonymous reports from Fortune 1000 firms.
It was described in an 11/21 press conference at the National Press Club in
D.C., broadcast live on C-Span, where I was one of several on a panel from
industry and government invited to comment on the results.  You can get
the survey report from WarRoom Research, LLC, 1134 Veranda Ct., Baltimore,
MD, 21226. Tel. (410) 437-1106 <warroom2 @ aol . com>

        All but sponsored by Sam Nunn's Senate subcommittee studying
Troubles in Cyberspace, the WarRoom survey got a snapshot of the state of
the art, which (as all here might expect) was troublesome in several
aspects.  I'd quibble with some of the methodology -- I'm always
uncomfortable when everyone who handles the numbers has a vested interest
in high counts; and this survey was selectively distributed by vendors of
security products and services -- but the survey results drew a lot of
media attention.

        Nearly half (98) of the 205 respondents reported that their
computers or networks had been successfully penetrated by "outsiders" in
the past year, and many reported surprisingly high costs (as opposed to
losses) associated with these attacks.  (36, I recall, pegged costs at over
$1 million.)

        I think the numbers are a little slippery (eg, respondents may have
tallied PC-virus outbreaks among generic "penetrations," and it wasn't
clear if the "costs" were cumulative, solid, or estimates,) but even as a
flawed snapshot it was thought-provoking.  (The industrious WarRoom
researchers plan a broader, more scientific, study early next year; perhaps
in cooperation with a federal agency.)

        I was disturbed that so many respondents, a large majority,
reported that their firms had no formal, written, security policies.  I was
also intrigued that e-mail files seem to be the target of choice for online
intruders... and worried (but not surprised) to learn that some 30 percent
of the executives surveyed doubted that their IS staff would _know_ if
their computers had been illicitly penetrated.  (Actually, I was surprised
so many executives were aware of this.) I was far less concerned than
others on the panel that police are so seldom notified of these incidents.


                Suerte,

                        _Vin

        (Fair warning: Washington's concern about cyberwar and
cyberterrorism -- and the barely-muted desire of the FBI and other lawmen
to establish _domestic_ GAK rights <government access to crypto keys> for
their investigations -- make it likely our craft will soon confront
additional, perhaps conflicting, regulatory and legislative pressures from
dot-gov.  If you're associated with an ISS professional group, goose them
to stick an oar in!  Reality checks might be critically important for
federal CompSec policy in '97.  Newsat11!  Beg pardon for the digression.)





         Vin McLellan +The Privacy Guild+ <vin @ shore . net>
      53 Nichols St., Chelsea, Ma. 02150 USA Tel: (617) 884-5548
                         <*><*><*><*><*><*><*><*><*>


