RealTime IT News

RSA Unveils 'Internet Insecurity Index'

SAN FRANCISCO -- You are not as safe surfing the Web this year as you were last year, according to a recent consensus of online security experts.

To help keep track of the problem, online encryption firm RSA Monday launched its "Internet Insecurity Index" -- a simple one-to-ten scale that measures how secure electronic data is each year. Given the number of attacks, Jim Bidzos, Chairman of Conferences, currently ranks 2003 at about a 6 and a half.

"We have gone from a 5 to 6-plus in the last 12 months," Bidzos said to attendees at the RSA Security conference here Monday. The four-day forum is designed as a clearinghouse of information about making the Internet more secure. "Basically, nothing is safe," he said.

Analysts with IDC have already predicted that some major cyber terrorism event will disrupt the economy this year. Bidzos pointed to more than 62,000 hacking incidents last year as a rallying cry for better safeguards. In addition to commonplace server strikes, Bidzos said ATM and wireless networks are the new targets of hackers. The increasing number of incidents recently prompted the CERT Coordination Center to call 2002 the "golden age of hacking."

"Part of the price is not having security designed in the first place," Bidzos said. "We found 30 percent of ISPs have no info security plans in place with 33 percent deciding that online security is not a priority."

The threat index also identifies last year's $59 billion in data theft as a major impact on how safe the Internet is. Experts say identity theft is the fastest-growing area, with Australia citing ID theft as a $4 billion problem. Recently, a New York ring that netted $7 million was exposed. Nineteen people were charged.

"It's getting so that Internet fraud growth is exceeding Internet growth," Bidzos said. "The interesting possibility is that people may stop doing things online that have to do with e-commerce because of it."

The one bright area, according to RSA's index report, was the U.S. government.

Bidzos said the creation of Homeland Security and a national strategy to secure cyberspace marked a turning point in how the government is dealing with online threats. California's move to require companies to publicly disclose security breaches may also have a major impact on how well companies secure their networks and data.

"If they know that they have to make that security disclosure putting people on notice that there is a problem, they can't sweep this under the rug," Bidzos said.

Former Clinton National Security Advisor Samuel "Sandy" Berger said that overall, the government supports strong encryption but the government needs to put its money where its mouth is.

"We have the money to do that (protect cyberspace) because it's national security," he said.

In related news, the Electronic Privacy Information Center (EPIC) set up a new Privacy Threat Index to track the growing threat to privacy resulting from the expansion of government surveillance. The alert system is structured similarly to the five-color alerts used by the Department of Homeland Security. Based on developments during the past year, EPIC assessed the current level as Yellow.

"It will be interesting to see how the two progress," Bidzos said.

In addition to tracking the Internet's insecurity, the conference is also focused on new Web services security specifications.

The Liberty Alliance Tuesday unveiled drafts of the Phase 2 specifications of its Identity Federation Framework (ID-FF). On Friday the group submitted its first phase specification to the Organization for the Advancement of Structured Information Standards (OASIS) for use in a future version of the SAML authentication language.

OASIS said it will define its Application Vulnerability Description Language (AVDL) as soon as next month. The XML-based technology would allow communication between products that find, block, fix, and report application security holes.

The Information Security Systems Association (ISSA) Tuesday also said it will take over the Generally Accepted Information Security Principles (GAISP) specification. The former Generally Accepted System Security Principles (GASSP) standard was authored in response to a 1990 U.S. National Research Council report, "Computers at Risk."