I need to preface this with a disclaimer: I am not criticizing SANS for carrying the article. It's instructive, and that's always useful. I wish, however, that technology journalists were a bit more skeptical or clueful - and - as they say, "that's our story."
Reports of Cyber Incidents on the Rise
(February 17, 2009)
The number of cyber security incidents at federal civilian agencies reported to the US Department of Homeland Security's US-CERT has tripled since 2006. In fiscal 2008, 18,050 incidents were reported, compared with 12,986 in fiscal 2007 and 5,144 in fiscal 2006.
Agencies are required to report cyber security incidents under the Federal Information Security Management Act (FISMA); such incidents include unauthorized access, denial of service, malicious code, improper use, scans, probes and attempted unauthorized access. The significant increase over the last several years can be attributed to both an increase in malware and a heightened awareness of and ability to detect incidents.
Small Businesses Want Centralized Cyber Incident Reporting Organization
(February 19, 2009)
A report from the Federation of Small Businesses says that 54 percent of small businesses have experienced fraud or cyber crime over the last year. Although more than one-third of respondents do not report the incidents to police or to banks because they believe it would not make a difference, 53 percent of those surveyed would like specific information about how and where to report the incidents. Eighty-five percent of respondents said that they would make use of organizations established specifically to gather the information and use it to combat fraud. The average annual cost of cyber crime and fraud to small businesses in the UK is GBP 800 (US $1,140).
Let's start with the second article, because it's less interesting. The headline should have said "UK small businesses" but that's a minor detail. Does this set off your stealth marketing alarm? It pegged the needle on mine, so I'd like to make a prediction: someone is out beating the bushes, right now, to start up that reporting center. Let's see if I'm right and, within the next year, someone announces that they're either member-funded (in which case they will quickly vanish) or government-funded and are offering that capability. Those of you who've been around information security since the early 1990s will remember the spectacular rise and fall of break-in reporting in the US, with attrition.org, CERT, and CSI/FBI publishing various statistics that meant - uh - various things. Usually, what they meant, to me, was "security reporting is a hard problem." ... And that's the topic of the first article.