Enterprises are beginning to feel the heat from two classes of exploits that have emerged over the past year: targeted attacks and DNS vulnerabilities, according to a new study scheduled to be released next week.
The Computer Security Institute is preparing to release its 13th annual Computer Crime and Security Survey, which outlines the attitudes and experiences of more than 500 enterprise security professionals over the course of the last year. The full CSI report will be revealed in a webcast to be held on Oct. 8.
In a preview of the report, CSI director Robert Richardson said he was struck by the fact that 27 percent of the respondents to the 2008 survey indicated that their enterprises had been hit by a targeted attack -- defined as a malware attack aimed exclusively at the enterprise or at a small subset of the general business population -- during the last year.
"We've heard a lot of warnings from security researchers about targeted attacks, but what this data says to me is that these attacks are really happening," Richardson says. "They may have been hypothetical a few years ago, but these are a reality today."
A similar reality is emerging in the Domain Name System (DNS) space, where the recent discovery of design flaws in the Internet's basic naming structure has allowed attackers to develop a new class of exploits. (See Vendors Issue Massive Simultaneous Patch for Common Internet Flaw.) Approximately 10 percent of CSI survey respondents said they have experienced DNS-related incidents, up 2 percent from last year.
"What's scary about that is that it's growing, yet the flaw is inherent in TCP/IP, and can't be easily patched," says Richardson. "This is a problem that's here to stay."
Incidence of several other attacks increased slightly between 2007 and 2008, including unauthorized access (up 4 percent), misuse of Web applications (up 2 percent), and theft or loss of proprietary information (up 1 percent).
While some threats are on the increase, CSI also found that others are on the downturn. Insider abuse dropped from 59 percent in 2007 to 44 percent in 2008, the largest shift recorded in this year's survey.
"I think there was a lot of hype around this last year, and now it's coming back to reality," Richardson says. Insider abuse numbers hovered at around 42 percent to 48 percent in 2005 and 2006 and then spiked last year, he noted.
Laptop theft, abuse of wireless networks, instant messaging abuse, and denial of service attacks also showed a drop-off. The average loss per respondent dropped to $288,618 after spiking upward to $345,005 last year, the report says.
Enterprises' responses to security incidents remained fairly consistent between 2007 and 2008 -- only 27 percent of respondents said they reported their incidents to law enforcement, and 23 percent did not report them outside of the organization. This year, however, CSI gave readers a new choice as to why they didn't report their incidents: The new top response was "Incidents were too small to bother reporting."
"There are so many reports out there that users are losing money hand over fist with every incident," Richardson observes. "But in reality, most companies are dealing with a lot of small incidents that just don't really seem to be worth reporting."
The full report will be available for free following the Wednesday webcast.