Depending on whom you ask, attacks on systems and companies are either increasing, or companies are starting to do a better job of fending off those attacks.
According to Donovan Gow, vice-president of equity research with American Technology Research in Greenwich, Conn., the IT security picture, while gloomy, is not altogether bad. Various statistics suggest that the number and severity of attacks are slowly declining. He cited two studies showing that the number of unauthorized uses of computer systems and the number of computer vulnerabilities appear to be dropping over time.
According to the Computer Security Institute and the F.B.I., reports of unauthorized use of computer systems, meaning systems that were successfully breached and compromised, declined from 58 per cent in 2003 to 53 per cent in 2004. Another study from Framingham, Mass.-based CERT Coordination Center found that the number of computer vulnerabilities also declined by about eight per cent in 2003, and seems on track to be the same by the end of this year.
Gow said companies are notoriously reluctant to go on record about security breaches. Still, he said the numbers do show a consistency from year to year and cannot be easily dismissed. And since no companies are named in the studies, they may be more forthcoming than they would be otherwise.
However, no one is suggesting that companies let down their guard anytime soon.
Gregg Mastoras, senior security analyst for Sophos in Boston, Mass., said one distinct trend that emerged in 2004 was a rise in the number of targeted attacks against banks and other online institutions using viruses and Trojans. The “Banker-AJ” Trojan was used in Brazil in late October to quietly gather users’ online banking and login information. It cost Brazilian banks and consumers some US$30 million. The Trojan-based attack later appeared in Europe and North America.
While Windows-based systems remain the target of choice for hackers and virus writers, Mastoras suggested Unix systems will likely start to suffer more attacks next year.
“While Unix, in terms of the number of viruses (made for it) pales in comparison to Windows viruses, we think that will change,” he added. “I think a lot of companies in the past thought that since there were not a lot of Unix viruses out there that Unix servers did not need protection.”