[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[infowar.de] Debatte über Schadensabschätzungen bei Viren etc. kommt in Gang
Langsam scheint (zumindest in den USA) eine Diskussion über die
Validität von Statistiken über Anzahl, Gafährlichkeit und Schadenssummen
von IT-Unsicherheiten in Gang zu kommen. Eine sehr begrüßenswerte
Entwickung. Bemerkenswert finde ich die selbstkritischen Worte von
Richard Power vom Computer Security Insitute - deren Survey wird
immerhin für das FBI erstellt.
By Robert Lemos
Staff Writer, CNET News.com
January 21, 2002, 4:00 AM PT
Are we winning the battle against computer viruses and security
threats, or getting swamped by an epidemic?
Although corporations and individuals are taking more measures to
inoculate against computer viruses and online vandals, security
experts disagree over whether they're stemming the tide or simply
keeping heads above water in the face of a growing number of hackers
and ever more virulent code.
Assessing the situation is tough, say experts, because of the lack of
conclusive data about viruses and their effects.
"We need more data, better data and different kinds of data," said
Richard Power, editorial director for the Computer Security Institute,
which produces a yearly survey that contains some of the most often
cited--and occasionally maligned--data on security incidents.
"Having the right data would help debunk a lot of the crap out there:
predictions of an electronic Pearl Harbor and the waves of hype that
follow virus attacks like I Love You," Power said, adding that CSI's
poll can't be considered scientifically accurate.
Everyone agrees more needs to be done. Microsoft Chairman Bill Gates
told his employees on Tuesday that security, not product features,
will be the company's primary concern.
To some degree, the question of whether Internet security is improving
is a matter of perspective.
Market researcher Computer Economics estimated that the impact from
such digital threats as viruses, worms and Trojan horses dropped to
$13.2 billion in 2001 from $17.1 billion the previous year. The I Love
You virus caused the largest amount of pain--an estimated $8.75
billion--according to the company's 2000 estimates.
Such numbers support some virus researchers' conclusion that a
combination of security measures--the digital equivalent of a drug
cocktail--has helped make the Net more secure.
"Corporations have gotten better at handling viruses," said Vincent
Gullotto, director of computer software maker Network Associates'
antivirus emergency response team. "They have an infection here and
there, but (the viruses) are not penetrating." Gullotto also said
security has been helped by a faster response to crisis situations on
the part of antivirus-software makers.
Yet, a second opinion--and data to support it--is only a click away.
E-mail service provider MessageLabs saw the occurrence of hostile
e-mail attachments, such as worms and viruses, triple during the last
year. The U.K.-based company analyzes e-mail in real time on behalf of
its customers, filtering out potential viruses, junk mail and
In the early months of 2001, only one out of every 1,053 e-mails
traveling through the company's gateways had a malicious attachment. A
year later, the frequency had jumped to one out of every 325 e-mails.
"Our data is telling us that this problem is worse, not better," said
John Harrington, director of marketing for the company's U.S.
A third set of data lends support to that position. The Computer
Emergency Response Team (CERT) Coordination Center at Carnegie Mellon
University--a clearinghouse for information on Internet threats--saw
reports of security incidents climb to more than 56,000 in 2001, a
jump of 160 percent from the previous year.
Yet the group doesn't explicitly track viruses and doesn't categorize
the number of threats.
Who knows, answered Roger Thompson, technical director of
malicious-code research for security-services company TruSecure.
Thompson bemoans the lack of good scientific data.
While Thompson has a hunch things are getting better, he said the need
for data "is great. I just don't know if we are going to get much more
than we've got."
Even Michael Erbschloe, vice president at Computer Economics and the
author of the company's estimates of the amount of damage done by
viruses, admits the numbers are, scientifically, just a few steps up
the evolutionary ladder from a guess.
"We benchmark cleanup cost repeatedly and constantly, and we do as
well as we can to calculate the number of hits," Erbschloe said. "It's
less than perfect, but (it's) the best we can do with the resources we
These types of studies and estimates don't seem to take into account
such basic factors as, for example, the increase in PCs connected to
the Internet. Almost 377 million computers worldwide were connected to
the Net, and thus susceptible to attack, by the end of 2001, according
to market researcher IDC. That's up from 241 million in 1999 and is
expected to reach 704 million in 2005. By those numbers, reported
attacks could proportionally stay constant but double in actual volume
Another problem, said Power, is that many companies never mention
attacks they've suffered. And that leaves decision makers--ranging
from corporate execs to senators--listening instead to the hype in the
The conflicting data and lack of guidelines leave security
professionals with only their own anecdotes to convince executives to
boost security, said Greg Shipley, chief technology officer with
network protection firm Neohapsis,
For example, Shipley voiced incredulity at Computer Economics
estimates that pegged the I Love You virus at 14 times more damaging
than the September attack of the Nimda worm. "Nimda scared us the
most," he said, adding that the company spent days cleaning up
clients' computers after Nimda. I Love You, on the other hand, was far
easier to mop up after.
"When you have to sell management on why they should be shelling out
serious bucks for security, you need hard numbers--or at least harder
numbers than we have now," Shipley said.
Rob Rosenberger, a hoax debunker and virus historian for the Virus
Myths Web site, went a step further, calling the science behind the
scarce data currently available "napkin math."
In the end, he added, while companies need more information to track
the threats and help them make budgeting decisions, security companies
might not need--or want--better data.
"It's an interesting philosophical question," he said. "It would be
like tobacco companies saying we don't even want to do tests to see if
smoking is bad."
Mail an infowar -
- infopeace -
de mit "unsubscribe" im Text.