IT Pros: Browser-Based Attacks On The Rise

According to the Computing Technology Industry Association's (CompTIA) second annual survey on IT security, attacks through the browser -- typically conducted by attackers by enticing users to malicious Web sites by e-mailing or IMing links -- showed the biggest percentage jump of any of the 15 threat categories posed to the nearly 900 IT professionals polled.

Such browser-based attacks try to trick users into disclosing personal information, including credit card number and bank accounts, or are the way hackers plant their own code on victims' computers.

In 2003, 36.8 percent of the IT workers surveyed said that their organization had suffered a browser-based attack in the last six months, up from just 25 percent the year before.

"These attacks are unleashed when someone visits a Web page that appears harmless, but actually contains hidden malicious code intended to sabotage a computer or compromise privacy," said Steven Ostrowski, the CompTIA executive responsible for assembling the survey's conclusions. "The result of the attack may be as simple as a crashed browser, or as serious as the theft of personal information or the loss of confidential proprietary data."

While attacks by worms and virus naturally still lead the concerns of IT staffers, they're less significant than a year ago. In 2003's poll, 68.6 percent labeled worms and viruses as the biggest threat, down from 80 percent the previous year.

Instead, browsers are the new nightmare, said Ostrowski, and if the trend continues, could rival worms and viruses in the damage they do to enterprise end users' systems, and to corporate and worker privacy.

Other threats, such as network intrusion issues, remote access problems (such as those that exploit virtual private networks, or VPNs), and exploits that use social engineering tactics (like posing as a user in the hopes of getting a username and password out of IT) are also on the downturn, said Ostrowski. Network intrusions, the IT pros polled reported, were off the most, with just 39.9 percent of them admitting that their organization had suffered one or more in 2003, a major decrease from the 65.1 percent who reported the same in 2002.

Not all the news from CompTIA's survey is on the sunny side, however. Like major security firms such as Symantec, CompTIA's numbers indicate a rapid rise in the number of severe security breaches even as the total number of attacks drop.

Almost 60 percent of the companies, educational facilities, and government agencies polled said they'd been hit by a severe breach in 2003, "severe" defined as one that caused real harm, resulted in the loss of confidential information, or interrupted operations. In 2002, only 38 percent reported one or more such severe incidents.

It may be because the human element -- human error on the part of IT staffers, or human error combined with a technology glitch, are the reason for over 80 percent of the security breaches, said the survey -- hasn't been tamed.

"That's the most surprising thing about this year's survey," said Ostrowski, "that the human element is still in play." Even though more organizations have security policies in place and are updating those policies regularly, he said, the human error problem hasn't been licked.

According to the surveyed IT professionals, one way to stop errors on the part of IT staffers is to push more training and certification on them.

The vast majority of organizations CompTIA surveyed said they believe that security training and security certification are key steps to help them improve their ability to identify potential risks and implement better security. Training got an almost universal nod (95 percent) as a solution, while certification -- the Certified Information Systems Security Professional, or CISSP, Certification was the one more often mentioned by those polled -- as almost as widely recognized (75 percent) as a way to get a grip on the human element component of security problems.

In fact, organizations with at least a quarter of their IT staff trained in security are less likely to have had a security breach than those with less than a quarter of their IT staff trained, the poll showed. While 46 percent of companies with that minimum of security-trained IT staff reported a breach in 2003, 66 percent with said their firm had suffered at least one security incident.

Budgeting for security training and certification is money well spent, the polled IT professionals concluded. The median value of an estimated return on investment (ROI) per trained employee is $20,000 per year, Ostrowski said, while the median ROI for certification is $25,000 per year.

This story courtesy of TechWeb.