Security Incident Statistical Analysis

Can anyone point me in the direction of a report or survey which would
enlighten me on the type/number of security breaches occurring within
US companies? I am trying to persuade management here to take this more
seriously. Thank you in advance for any help.

cjj3520@aol.com

Try going to cert.org.
http://www.cert.org/summaries/

That's a good place to start.
BTG

--
Boston Technology Group
http://www.bostontechgroup.com

bostontechgroup

I've seen bits and pieces of data out of Gartner reports ...
http://www4.gartner.com/RecognizedUser ... you might contact them and yes
it will cost ... but ... it'll support your argument a lot better than say
the stuff floating around depending on imo who's trying to sell you what ...
e.g. a scanner vendor might say 73.9 % vulnerabilities are due to OS
misconfiguration ... who knows ... maybe that's about right ???

<> wrote in message
news: oups.com...
> Can anyone point me in the direction of a report or survey which would
> enlighten me on the type/number of security breaches occurring within
> US companies? I am trying to persuade management here to take this more
> seriously. Thank you in advance for any help.
>

bowgus

On 13 Dec 2004 08:11:49 -0800, wrote:

>Can anyone point me in the direction of a report or survey which would
>enlighten me on the type/number of security breaches occurring within
>US companies? I am trying to persuade management here to take this more
>seriously. Thank you in advance for any help.
########################
Is it worth it to go crazy trying to convince them? Send them one
memo and then forget about it.
donnie.

donnie

donnie wrote:
> On 13 Dec 2004 08:11:49 -0800, wrote:
>
>
>>Can anyone point me in the direction of a report or survey which would
>>enlighten me on the type/number of security breaches occurring within
>>US companies? I am trying to persuade management here to take this more
>>seriously. Thank you in advance for any help.
>
> ########################
> Is it worth it to go crazy trying to convince them? Send them one
> memo and then forget about it.
> donnie.
Every "company" should be concerned about security. Everything from
real property to intellectual property is at stake. There are incidents
reported recently of competitors paying hackers to interfere or steal
other companies secrets.

Additionally while most home users (there is legislation in congress to
make even home users responsible, whether or not they knew their system
was compromised, not sure of bill status) may not be held liable
responsible for damage their systems do, if that companies computers
were used to launch an attack against another they could be liable for a
portion of the damages. The damages could vary depending whether gross
negligence was involved. If your company is not worried about security,
you better go job hunting, it will not be in business for long if their
business relies on web and web commerce. To write a memo and forget it
is not my recommended approach.

It will be far easier to show them if you have any responsibilities
associated with the network. In your cost analysis you might want to
consider the cost of contracting out that maintenance. In many small
companies without dedicated IT staff this is an economical method to
deal with security issues.

Winged

winged

On 13 Dec 2004 21:12:01 EST, winged <> wrote:

>Additionally while most home users (there is legislation in congress to
>make even home users responsible, whether or not they knew their system
>was compromised, not sure of bill status) may not be held liable
>responsible for damage their systems do, if that companies computers
>were used to launch an attack against another they could be liable for a
>portion of the damages.
##########################
They want to make us responsible for drunk drivers too saying that we
are supposed to take away the keys. Guess what. It's not my problem.
My father is in his 80s. He has no clue how to secure his PC other
than what I tell him. Noone is going to hold him responsible, nor
should they.
donnie

donnie

donnie wrote:
> On 13 Dec 2004 21:12:01 EST, winged <> wrote:
>
>
>>Additionally while most home users (there is legislation in congress to
>>make even home users responsible, whether or not they knew their system
>>was compromised, not sure of bill status) may not be held liable
>>responsible for damage their systems do, if that companies computers
>>were used to launch an attack against another they could be liable for a
>>portion of the damages.
>
> ##########################
> They want to make us responsible for drunk drivers too saying that we
> are supposed to take away the keys. Guess what. It's not my problem.
> My father is in his 80s. He has no clue how to secure his PC other
> than what I tell him. Noone is going to hold him responsible, nor
> should they.
> donnie

I agree they shouldn't however the proposed legislation is being
formed. I never said it was a good idea. Especially since there is no
absolutely secure systems.

Winged

winged

Thank you all for the advice and comments.



winged wrote:
> donnie wrote:
> > On 13 Dec 2004 21:12:01 EST, winged <> wrote:
> >
> >
> >>Additionally while most home users (there is legislation in
congress to
> >>make even home users responsible, whether or not they knew their
system
> >>was compromised, not sure of bill status) may not be held liable
> >>responsible for damage their systems do, if that companies
computers
> >>were used to launch an attack against another they could be liable
for a
> >>portion of the damages.
> >
> > ##########################
> > They want to make us responsible for drunk drivers too saying that
we
> > are supposed to take away the keys. Guess what. It's not my
problem.
> > My father is in his 80s. He has no clue how to secure his PC other
> > than what I tell him. Noone is going to hold him responsible, nor
> > should they.
> > donnie
>
> I agree they shouldn't however the proposed legislation is being
> formed. I never said it was a good idea. Especially since there is
no
> absolutely secure systems.
>
> Winged

cjj3520@aol.com

I do wish you luck, getting accurate results. Most companies, whether
privately held, or Public, are going to publish breaches in information
security. I know, as an IT manager, that I would be very hesitant to report
a breach to anyone outside my company...unless it was for training purposes.
There is no "UPSIDE" for companies to say they were hacked. That is like
posting they are incompetent. No one is going to admin that, unless they
are forced into it.

EDOOD