Cybersecurity Incidents Expected to Increase
SAN JOSE, CALIFORNIA -- If you thought computer security was bad in 2001, you're not going to enjoy 2002. That was the message from
The 11th annual RSA Conference, which ended Friday, drew over 10,000 attendees to discover details about
Despite such major security incidents as the
In 2001, about 30 new software vulnerabilities were discovered each week, Wong said, marking a decrease in a trend that had seen the number of new vulnerabilities doubling every year for much of the late 90s. Wong expects that 2002 will bring a return to old growth rates, predicting that 50 new software security holes will be found each week in the coming year.
Along with forward-looking figures, Wong also provided a glimpse into the raw number of attacks that companies faced in 2001. Wong's company, SecurityFocus, sells a security threat analysis and warning service which draws its data from the intrusion detection systems of about 10,000 companies in 150 countries on six continents. From those companies, Wong was able to present some interesting data.
In 2001, SecurityFocus customers experienced a total of more than 129 million network probes, often a precursor to a network attack. They also faced more 29 million Web-based attacks, over 6 million denial of service attacks and about 154,000 Windows-specific attacks, he said.
The company's data also showed that, in what was likely not a surprise to some, Windows in all its versions is attacked more than any other operating system, with over 31 million security incidents in 2001. Following Windows, all versions of Unix run by SecurityFocus customers were attacked 22 million times and Cisco Systems' IOS operating system underwent over 7 million attacks, he said.
On the Web server front, Microsoft was again the most popular target.
Despite the large gap between the rates at which different products are attacked, "there is no way that you can buy anything, subscribe to anything, and say you're 100 percent secure," Wong said. "Security is a process, not a product."
That process, he said, should involve a security monitoring service, such as that offered by his company.
"We spend too much time fighting the last war when we ought to be trying to figure out what the next war is going to be," he said.