Simply paying attention to who is accessing their networks could
help enterprises prevent the majority of attacks, a new study
shows. The study, which looked at data from Department of Justice
prosecutions from the last seven years, found that most of the
attacks involved in those cases could have been stopped had the
companies deployed systems to check the identity of the machines
connecting to their networks.
Pleasanton, Calif.-based research firm Trusted Strategies sifted
through DOJ records of cybercrimes between March 1999 and February
2006. The firm found that 84% of network attacks against companies
probably wouldn't have happened had companies implemented device
identification and authentication methods in addition to requiring
user names and passwords.
"We found that most devices connecting to the network were
unsanctioned by the company," said Trusted Strategies' Bill Bosen,
who spent a year and a half studying Justice Department records.
"If the companies had checked the individuals' devices as well as
their identity before letting them connect, most of these crimes
wouldn't have happened."
Most attacks in the last seven years involved stolen IDs and
passwords, and companies suffered anywhere from $1.5 to $10 million
in damage as a result, Bosen said.
The study also found that:
- The average financial loss was more than $3 million per case.
- Although the global damages of viruses can be high, the average cost to an individual company from any single virus attack was surprisingly low at $2,382. Despite this, Bosen said companies still spend more on antivirus than identity and access management.
- Cybercrimes hit most sectors of the U.S. economy, including government, technology, online retail, financial services, communications, education, manufacturing and healthcare.
Bosen said that in 88% of the cases, digital miscreants logged
onto one or more privileged user accounts and accessed IDs and
passwords by using network-sniffing tools and password cracking
programs.
"They also succeeded in their attacks by getting insiders to
share their IDs and passwords with co-workers who later left the
organization, and used that knowledge to gain access," Bosen
said.
Trusted Strategies conducted the study on behalf of Phoenix
Technologies Ltd., a Milpitas, Calif.-based vendor of
device-defining software. Dirck Schou, senior director of security
solutions for the company, said one case involved a disgruntled
employee who left the company but still had access. Using a
computer that was not sanctioned by the company, he was able to go
into the network and delete reams of data.
"The employee used stolen IDs and passwords to damage
intellectual property and company processes," he said. "It cost the
company $10 million in damages."
Schou said the lesson is that identity and access management is
about more than authenticating individual users. Their machines
must be verified as well.
"The workforce is increasingly mobile, doing work from home and
elsewhere," he said. "Because of this, IT managers need to leave
openings in the network. But they also have to implement a policy
that says they know every endpoint connecting to the network and
that those endpoints have the proper antivirus and firewalls."