Eighty-four percent of serious network attacks could have been prevented if, in addition to checking user ID and password, organizations had verified the identity of the computer connecting to their networks, according to a report by research firm Trusted Strategies. That report, commissioned by BIOS maker Phoenix Technologies, only covers cases where companies reported the incidents and federal officials were able to charge someone with a crime.
Among such cases, attacks that used stolen IDs and passwords caused greater damage than previously thought, said Bill Bosen, co-founder of Trusted Strategies and author of the report, "Network Attacks: Analysis of Department of Justice Prosecutions 1999-2006."
The study analyzed data from all cases prosecuted and publicly disclosed by the Department of Justice between March 1999 and February 2006, Bosen said.
"We took the records from the U.S. Department of Justice after they had been through the legal system so we're very excited about the quality of the data," he said. "The data from this survey had been through the actual judicial process and there had been a lot of scrutiny."
Bosen said some of the report's findings were unexpected. For example, financial losses from attacks with stolen passwords far exceeded damages from worms, viruses and other methods, according to those cases prosecuted by the Justice Department.
Bosen said the average cost to an organization when privileged accounts were penetrated was more than US$1.5 million, compared to US$2,400 for any single virus attack.
"The findings were similar to other reports, but we also looked at how the intruder came in, what kind of computer he was using, who owned that computer and what was the relationship of that computer to the organization," he said. "What we found was that 80 percent of the attacks were coming from home computers that had no relationship to the organization at all."
Bosen said these crimes could have been prevented if the organization had verified the identity of the connecting computer, in addition to the identity of the individual, at logon.
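The report only states the recommendation at the level of "check the computer as well as the user"; as an illustration of what that looks like in practice, the following is an added example (not code from the report, Trusted Strategies or Phoenix Technologies) of a logon check that requires two credentials: the user's password and a challenge-response from a key enrolled on a known machine. The user names, password, device id and device key are constructed sample values. A correct password presented from an unenrolled machine, the "home computer with no relationship to the organization" case the report describes, is refused.

```python
import hashlib
import hmac
import secrets

# Constructed sample data for the example; none of it comes from the report.
USER_SALT = b"constructed-example-salt"


def hash_password(password: str, salt: bytes = USER_SALT) -> bytes:
    """Slow, salted password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# User credential store: username -> password hash.
USERS = {"alice": hash_password("correct horse battery staple")}

# Device credential store: device id -> secret key provisioned at enrollment.
# Only machines the organization enrolled appear here; a home PC does not.
DEVICE_KEYS = {"corp-laptop-0042": bytes.fromhex("00112233445566778899aabbccddeeff")}


def issue_challenge() -> bytes:
    """Server side: fresh random nonce so a captured response cannot be replayed."""
    return secrets.token_bytes(16)


def device_response(device_key: bytes, challenge: bytes) -> bytes:
    """Client side: the enrolled machine proves possession of its key via HMAC."""
    return hmac.new(device_key, challenge, "sha256").digest()


def authenticate(username: str, password: str,
                 device_id: str, challenge: bytes, response: bytes) -> bool:
    """Grant logon only if BOTH the user and the connecting device check out."""
    # Step 1: user identity (ID + password).
    stored = USERS.get(username)
    candidate = hash_password(password)
    if stored is None or not hmac.compare_digest(stored, candidate):
        return False

    # Step 2: device identity. An unknown device fails even with a valid password.
    key = DEVICE_KEYS.get(device_id)
    if key is None:
        return False
    return hmac.compare_digest(device_response(key, challenge), response)


if __name__ == "__main__":
    nonce = issue_challenge()
    good = device_response(DEVICE_KEYS["corp-laptop-0042"], nonce)
    print("enrolled laptop:", authenticate("alice", "correct horse battery staple",
                                           "corp-laptop-0042", nonce, good))
    # Same valid password, but from a machine the organization never enrolled.
    rogue = device_response(b"attacker-chosen-key", nonce)
    print("unenrolled home PC:", authenticate("alice", "correct horse battery staple",
                                              "home-pc", nonce, rogue))
```

The two checks are deliberately independent: a stolen password on its own yields nothing without an enrolled device key, and an enrolled device on its own yields nothing without the password. In a real deployment the device key would live in a TPM or similar hardware store rather than a dictionary, and the challenge would be bound to the session.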
"[The findings] are consistent with my own work," said Rob Enderle, principal analyst at Enderle Group. "Historically while virus attacks and malware tend to get the press largely because a single attack can cover a lot of companies, at the individual-company level, targeted attacks from amateurs are often vastly more damaging and that's what the study concluded. We have known for two decades now that passwords are an inadequate way to secure resources, yet we still use that as the primary method to identify users."