Even if 3mil machines are actively and currently compromised, of all reachable hosts on the Internet, it would not be unreasonable to assume that 80% or more are vulnerable to remote compromise in some way. That number is speculative, but most estimates from consulting firms are much higher. (Based on hundreds if not thousands of penetration tests against corporate networks with a 90%+ success rate).

So of all possible 0wnable machines (including those without basic anti-virus protection) I would personally speculate that the 3mil is a pretty low estimate.
What these sorts of stats mean is that ultimately, the Internet is not in a state in which security controls can easily be added, mostly because of the high degree of autonomy and relatively low level of sophistication of each host and user on the network. The other reality of this is that even if hackers aren't directly in control of most machines, it would not be inaccurate to say that due to the intrinsic risks in being connected, users aren't really in control of their systems either.
Security tools are the same as any other software in that they are controls that you add to a system to optimize it and extract value from it. These studies show that there is still lots of room for optimization (read: buy their software) and the implication that there is value in those optimizations.

So yeah, buy more software. ;)
--
Jamie Reid, CISSP, jamie.reid@mbs.gov.on.ca
Senior Security Specialist, Information Protection Centre
Corporate Security, MBS
416 327 2324
>>> "Sean Donelan" <sean@donelan.com> 06/28/03 07:09pm >>>

http://www.vnunet.com/News/1141901

Trustcorps claims it has scientific and anecdotal research supporting its conclusion that over three million computers are "owned" by malicious groups.
On the other hand, Information Risk Management questioned how any one person could "own" hundreds of computers at any one time. And systems are often not "owned" by a single group, but exploited by multiple groups.

Like most statistics, the "truth" is probably a little harder to find, and a little bit scarier.
The FBI estimates a car is stolen every 27 seconds somewhere in the US. In 2000, FBI Uniform Crime Report statistics showed that 1,165,559 cars were stolen, with an estimated value of $7.8 Billion. Police apprehend less than 15% of all auto thieves.
Unfortunately this computer crime doesn't fit the FBI crime reporting statistics well. Vandalism of Property? Is the cracking of computers happening more or less often than car theft?