10.07.2015 Views

2010/2011 Computer Crime and Security Survey - Gatton College ...


2010 / 2011 CSI Computer Crime and Security Survey

Concluding Remarks

Information security is both gradually improving—a trend we’ve seen for several years—and may be challenged by wholesale changes to the Internet that will threaten to send it rapidly spiraling out of control.

CSI survey results from the past several years show plenty of good news. The percentages of respondents who have seen various kinds of attacks have generally dropped over time. Half of respondents this year said they’d suffered no security incidents. And notwithstanding all the discussion and news regarding targeted attacks, most respondents have seen no evidence of “advanced persistent threat” attacks.

This year and last, however, responses to open-ended questions we asked about what respondents either saw as growing concerns or desired as improved tools made it clear that what is needed is better visibility into networks, Web applications, and endpoints (particularly as those endpoints become increasingly mobile).

Among current attacks, there are a growing number of highly sophisticated attacks (sophisticated at least in comparison with the attacks of, say, five years ago—one is still sometimes amused by the mistakes one sees in malware, whether that software can change polymorphically or not). The attacks are also more malign. More money is lost when an attack is successful. More records are breached.

And the field is changing to the attacker’s advantage. The move to more sophisticated Web applications that expose more of an organization’s internal processes to the Internet continues, but many of the organizations building these applications neither have an organized secure development approach nor perform penetration tests that might uncover flaws before they are exploited.

The infrastructure of the Internet, meanwhile, is undergoing three radical shifts as we speak. Virtualization blurs the boundaries between servers and redraws network topologies, often without clear boundaries where firewalls traditionally might have kept watch. Cloud computing blurs the locality of data and running processes. There are more questions about how this will ultimately play out than clear indications, but it’s an enormous wave of change that has really only just begun to arrive in full force. Finally, we are in the throes of a massive expansion of the number of things in the world that have IP addresses. If one of the top desires of security professionals is to have better visibility into the security status of their networks, the explosion of endpoints is one of the primary reasons why they are unlikely to get it anytime soon.

Whatever may be coming, though, the primary takeaway of the survey (and, we would argue, of the other surveys and reports we’ve touched on here) is that the state of enterprise information security is, for the moment, stronger than people like to think. It may not last, and it won’t seem that way if your organization is unlucky enough to suffer a major data breach catastrophe. But, on the whole, attacks are down, the effects of the attacks for average organizations are less pronounced, and our survey respondents are reasonably satisfied with the tools they have at their disposal. Certainly ten years ago most of us would have been absolutely delighted to achieve these results.
