

RSA(R) Conference 2004 Announces Results of the 2nd Annual Internet Insecurity Index

    RSA(R) CONFERENCE, SAN FRANCISCO, Feb. 25 /PRNewswire-FirstCall/ --
Organizers of the RSA(R) Conference 2004, the world's leading information
security event, released the results of the 2nd annual Internet Insecurity
Index during opening ceremonies at San Francisco's Moscone Center on Tuesday,
February 24, 2004. The RSA Conference Internet Insecurity Index is a
compilation of key information security developments over the past year as
reported by various news sources and agencies. While not a precise scientific
gauge, it provides some measure of direction to help conference attendees and
security industry professionals answer the question: Is information security
improving? The higher the overall score in a given category, the higher the
level of insecurity. The RSA Conference takes place February 23-27, 2004.
    The RSA Conference Internet Insecurity Index is broken down into six
general areas: Hacks, Attacks and Flaws; Threats; Internet, Crime and Fraud;
Internet Users and ISPs; Information Security Industry; and Government. When
evaluating events and issues within each category, a higher score equates to a
higher level of insecurity. In 2003, the overall rating was a "6". The index
results for this year are detailed below, with some of the relevant findings:

    Hacks, Attacks & Flaws:
   The number of incidents reported to the CERT coordination center increased
40 percent in 2003.
    In August 2003, enterprises saw a rapid fire of virus attacks - "Blaster"
and "So Big" viruses came with a $3.5 billion price tag, and are estimated to
be responsible for more than 2 million infections.
    Fifteen states enacted new spam legislation in 2003, resulting in a total
of 38 states that now have some form of legislation on the books. The U.S.
Congress also enacted the CAN-SPAM Act of 2003, providing for labeling
requirements and opt-out instructions for unsolicited emails. The legislative
activity has not yet provided users with an appreciable difference in spam
messages.
    RATING: 8 (same as last year)

    Threats:
    Technology and government expansion of its online surveillance authority
is making it easier to track and store data about people's web habits. While
some view efforts to authenticate users as counterintuitive to the anonymity
which was the touchstone that built the web, others view it as a way to
legitimize the web as a social and commerce tool.
    A recent survey sponsored by Business Software Alliance and the
Information Security Systems Association found that 65% of information
security professionals believe that their organizations are at risk of a major
cyber attack in the next 12 months.
    Exploits are following an accelerated growth path. Three years ago, the
time delay between discovery of a vulnerability and exploit was 500 days. Now
it's fewer than 40 (e.g., the vulnerability exploited by the Blaster worm was
discovered less than 30 days before the worm appeared).
    RATING: 8 (same as last year)

    Internet Crime & Fraud:
    Identity theft topped last year's Index as the fastest-growing
Internet crime-related segment. It's back this year as the most common
complaint received by the Federal Trade Commission. Internet-related fraud now
accounts for 55% of the more than 500,000 complaints filed with the agency, up
from 45% in the prior year.
    Hackers are successfully planting Trojan horse viruses in seemingly
harmless email attachments. The Trojan horse allows the hacker to take over
the victim's computer and plant viruses, pornography or other illegal
materials.
    RATING: 8 (up from 7 last year)

    Internet Users and ISPs:
    In the Internet users and ISPs portion of the index, poor patch management
is a common theme, with many individuals and businesses failing to ensure that
their computers have the latest patches from software companies - as was the
case with the Blaster worm outbreaks - but also failing to take basic steps
that would prevent dangerous data traffic from crossing their networks.
Information security providers, Internet service providers and network
administrators share blame here - and the industry recognizes that patches
need to be easier to install and distribute.
    There is an inverse relationship between organizations strengthening
security and a user's desire for convenient access. The more corporations try
to improve security, the more inconvenient the access becomes for users, and
the more users unwittingly weaken the security system (e.g., writing cryptic
passwords on post-its and attaching them to computer screens, or losing
passwords and then flooding the help desk with password reset calls). Strong
security needs to become single and seamless for users.
    RATING: 6 (same as last year)

    Information Security Industry:
    Frustration can sum up how most users feel about Internet security in
2003. Advocacy groups are proposing everything from legislation that would
allow customers to sue companies over security loopholes in products to new
tracking systems that would make it impossible to use the web anonymously. The
web is a truly international medium, limiting the enforcement ability of any
regulations.
    Organizations are looking for relief from administrative burdens and
overhead associated with maintaining multiple identities on disparate systems,
and are looking to identity management systems to resolve these issues, and to
help make them compliant with new laws and regulations such as the Sarbanes-
Oxley Act and the Health Insurance Portability and Accountability Act
("HIPAA").
    In November, Microsoft announced the creation of the Anti-Virus Reward
Program, initially funded with $5 million, to help law enforcement agencies
identify and bring to justice those who illegally release damaging worms,
viruses and other types of malicious code on the Internet. Microsoft has
offered $250,000 rewards for culprits of the "Blaster," "So Big" and "My Doom"
viruses.
    RATING: 6 (up from 4 last year)

    Government:
    Critics snubbed the United States' cyber-security policy (the National
Strategy to Secure Cyberspace) as largely voluntary and lacking regulatory
prescriptions. A coalition of government and private corporations says it is
close to unveiling a framework and tools that will help bolster the nation's
vulnerable networks.  The first product of their work will be released in
March of this year.
    Ridge: "a few lines of code." In a speech to the IT industry, Tom Ridge
emphasized that everything from electricity grids to banking transactions and
telecommunication depends on secure, reliable cyber-networks, and terrorist
groups "know, as do we, that a few lines of code could ultimately wreak as
much havoc as a handful of bombs."

    In the annual report card of agencies' cyber-security programs, the
Federal government "improved" its overall rating from an "F" to a "D" grade.
Somewhat surprising was the "F" rating for the new Department of Homeland
Security ("DHS"), whose mission includes promoting cyber-security nationwide.
That score, the first for DHS, may be influenced by the agency's nascence and
ongoing organization, having only opened its doors in March 2003.
    RATING: 6 (was 4 last year)

    The overall rating for the RSA Conference Internet Insecurity Index for
2004 was a "7", indicating the landscape for information security has worsened
slightly from 2003.
    "Information security has become one of the most critical issues for
industry, academic and government officials over the past year," said Sandra
Toms LaPedis, area vice president and general manager of the RSA Conferences.
"The ratings identified in each category for the Internet Insecurity Index
underscore the importance of events such as the RSA Conference, and the need
for organizations to continue to focus on improving standards and technologies
for the security industry."

    Sponsors, Registration and Attendance
    Attendees can participate in more than 200 class sessions on solutions and
best practices. They will also gain access to the largest information security
exposition, including more than 250 vendors covering approximately 140,000
square feet. Sponsors of the 2004 RSA Conference include Platinum Sponsors
Computer Associates, Hewlett-Packard, Microsoft, RSA Security, Sun
Microsystems, Symantec, TippingPoint and VeriSign; and Gold Sponsors: Shavlik
Technologies and Verdasys.
    Full Conference fees include access to all four days of general sessions
and class tracks, exhibits, evening receptions and giveaways. Qualified
members of the media receive complimentary admission with advance
registration. Registration and additional information are available on-site at
Moscone North.

    About the RSA Conference
    Now in its 13th year, the RSA Conference brings together decision-makers
and influencers from all major markets, including consumer, education,
financial, government, computer networking, telecommunications, Wall Street
and the media for one of the industry's premier e-security and cryptography
events.  Later in the year, RSA Conference 2004 continues in Japan and in
Europe.  For more information, visit http://www.rsaconference.com.

    RSA is a registered trademark or trademark of RSA Security Inc. in the
United States and/or other countries.  All other products and services
mentioned are trademarks of their respective companies.

     Media Contact:             Sponsor & Exhibit Contact:
     Tamara Burnett             Wendy Anderson
     McGrath Power              Nth Degree
     408.727.0351               978.579.2042
     tamarab@mcgrathpower.com   wanderson@nthdegree.com



SOURCE RSA Conference





Related links:
  • http://www.rsasecurity.com
  • http://www.rsaconference.com