North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: Over three million computers 0wned?
Even if 3mil machines are actively and currently compromised, of all reachable hosts on the Internet, it would not be unreasonable to assume that %80 or more are vulnerable to remote compromise in some way. That number is speculative, but most estimates from consutling firms are much higher. (Based on hundreds if not thousands of penetration tests against corporate networks with a %90+ success rate). So of all possible 0wnable machines (including those without basic anti-virus protection) I would personally speculate that the 3mil is a pretty low estimate. What these sort of stats mean is that ultimately, the Internet is not in a state in which security controls can easily be added, mostly because of the high degree of autonomy and relatively low level of sophistication of each host and user on the network. The other reality of this is that even if hackers aren't directly in control of that most machines, it would not be inaccurate to say that due to the intrinsic risks in being connected, users aren't really in control of their systems either. Security tools are the same as any other software in that they are controls that you add to a system to optimize it and extract value from it. These studies show that there is still lots of room for optimization (read: buy their software) and the implication that there is value in those optimizations. So yeah, buy more software. ;) -- Jamie.Reid, CISSP, [email protected] Senior Security Specialist, Information Protection Centre Corporate Security, MBS 416 327 2324 >>> "Sean Donelan" <[email protected]> 06/28/03 07:09pm >>> http://www.vnunet.com/News/1141901 Trustcorps claims it has scientific and anecdotal resaerch supporting its conclusion that over three million computers are "owned" by malicious groups. On the other hand, Information Risk Management questioned how any one person could "own" hundreds of computers at any one time. And systems are often not "owned" by a single group, but exploited by multiple groups Like most statistics, the "truth" is probably a little harder to find, and a little bit scarier. The FBI estimates a car is stolen every 27 seconds somewhere in the US. In 2000, FBI Uniform Crime Report statistics showed that 1,165,559 cars were stolen; with an estimated value of $7.8 Billion. Police apprehend less than 15% of all auto thieves. Unfortunately this computer crime doesn't fit the FBI crime reporting statistics well. Vandalism of Property? Is the cracking of computers happening more or less often than car theft? <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META http-equiv=Content-Type content="text/html; charset=iso-8859-1"> <META content="MSHTML 6.00.2800.1106" name=GENERATOR></HEAD> <BODY style="MARGIN-TOP: 2px; FONT: 8pt Tahoma; MARGIN-LEFT: 2px"> <DIV><FONT size=1></FONT> </DIV> <DIV><FONT size=1>Even if 3mil machines are actively and currently compromised, </FONT></DIV> <DIV><FONT size=1>of all reachable hosts on the Internet, </FONT><FONT size=1>it would not be unreasonable</FONT></DIV> <DIV><FONT size=1>to assume that %80 or more are vulnerable to remote compromise </FONT></DIV> <DIV><FONT size=1>in some way. That number is speculative, but most estimates from </FONT></DIV> <DIV><FONT size=1>consutling firms are much higher. (Based on hundreds if not</FONT></DIV> <DIV><FONT size=1>thousands of penetration tests against corporate networks with </FONT></DIV> <DIV><FONT size=1>a %90+ success rate). </FONT></DIV> <DIV><FONT size=1></FONT> </DIV> <DIV><FONT size=1>So of all possible 0wnable machines (including those without basic </FONT></DIV> <DIV><FONT size=1>anti-virus protection) I would personally speculate that </FONT><FONT size=1>the 3mil is </FONT></DIV> <DIV><FONT size=1>a pretty low estimate. </FONT></DIV> <DIV><FONT size=1></FONT> </DIV> <DIV><FONT size=1>What these sort of stats mean is that ultimately, the Internet is not </FONT></DIV> <DIV><FONT size=1>in a state in which security controls can easily be added, mostly because</FONT></DIV> <DIV><FONT size=1>of the high degree of autonomy and relatively low level of sophistication</FONT></DIV> <DIV><FONT size=1>of each host and user on the network. The other reality of this is that </FONT></DIV> <DIV><FONT size=1>even if hackers aren't directly in control of that most machines, it would</FONT></DIV> <DIV><FONT size=1>not be inaccurate to say that due to the intrinsic risks in being connected, </FONT></DIV> <DIV><FONT size=1>users aren't really in control of their systems either. </FONT></DIV> <DIV><FONT size=1></FONT> </DIV> <DIV><FONT size=1>Security tools are the same as any other software in that they are controls</FONT></DIV> <DIV><FONT size=1>that you add to a system to optimize it and extract value from it. These studies</FONT></DIV> <DIV><FONT size=1>show that there is still lots of room for optimization (read: buy their software) </FONT></DIV> <DIV><FONT size=1>and the implication that there is value in those optimizations. </FONT></DIV> <DIV><FONT size=1></FONT> </DIV> <DIV><FONT size=1>So yeah, buy more software. ;)</FONT></DIV> <DIV><BR> </DIV> <DIV> </DIV> <DIV>--<BR>Jamie.Reid, CISSP, <A href="mailto:[email protected]">[email protected]</A><BR>Senior Security Specialist, Information Protection Centre <BR>Corporate Security, MBS <BR>416 327 2324 <BR>>>> "Sean Donelan" <[email protected]> 06/28/03 07:09pm >>><BR><BR><BR><A href="http://www.vnunet.com/News/1141901">http://www.vnunet.com/News/1141901</A><BR><BR>Trustcorps claims it has scientific and anecdotal resaerch supporting its<BR>conclusion that over three million computers are "owned" by malicious<BR>groups.<BR><BR>On the other hand, Information Risk Management questioned how any one<BR>person could "own" hundreds of computers at any one time. And systems are<BR>often not "owned" by a single group, but exploited by multiple groups<BR><BR><BR>Like most statistics, the "truth" is probably a little harder to find, and<BR>a little bit scarier.<BR><BR>The FBI estimates a car is stolen every 27 seconds somewhere in the US.<BR>In 2000, FBI Uniform Crime Report statistics showed that 1,165,559 cars<BR>were stolen; with an estimated value of $7.8 Billion. Police apprehend<BR>less than 15% of all auto thieves.<BR><BR>Unfortunately this computer crime doesn't fit the FBI crime reporting<BR>statistics well. Vandalism of Property? Is the cracking of computers<BR>happening more or less often than car theft?<BR><BR><BR><BR><BR></DIV></BODY></HTML>
|