Anyone responsible for the security of a trusted network will be concerned when connecting it to an untrusted network. In the case of connections to the Internet, this concern may be based largely on anecdotal evidence gleaned from widespread media coverage of security breaches. A closer inspection of the facts and statistics behind some of the media coverage will, however, only serve to deepen that concern. For example, the US National Computer Security Agency (NCSA) asserts that most attacks on computer systems go undetected and unreported, citing attacks made against 9000 Department of Defence computers by the US Defence Information Systems Agency (DISA). Those attacks had an 88 percent success rate and went undetected by more than 95 percent of the target organizations. Only 5 percent of the 5 percent that detected an attack, a mere 22 sites, reacted to it.
It is noteworthy that these sites belong to the US Department of Defence (DOD) and were not commercial sites, which may give security less priority than the DOD. The NCSA also quotes the FBI as reporting that in more than 80 percent of FBI-investigated computer crimes, unauthorized access was gained through the Internet.
Putting a value on the damage done by such attacks is difficult, but a 1995 survey conducted by Ernst & Young, a New York-based accounting firm, reported that one third of businesses connected to the Internet reported up to 100 000 USD in financial loss over a two-year period due to malicious acts by computer users outside the firm. A little more than two percent of connected companies reported losses of more than 1M USD.
There is amazement in the computer security industry at the level of ignorance of the problem. Understanding the risks often involves a steep learning curve, and they have few real parallels in everyday life: for example, nobody worries that a burglar will be able to trick their front door into opening by posting cryptic messages through the letterbox. When there is a good "hacker" story to report, the press goes into a frenzy, but the general level of awareness is still surprisingly low. For example, the Sunday Times, which prides itself on providing accurate coverage of IT issues, recently published an article that claimed that most businesses worry too much about Internet security. The article goes on to explain that encryption is all that is needed to be completely secure. The article focuses purely on communication and completely misses the possibility of an attack originating from the Internet.
Despite fears about security, organizations are increasingly coming to regard a presence on the Internet as an important part of their strategic planning. Security concerns will not be allowed to prevent organizations from exploiting the commercial opportunities the Internet is perceived to offer. As a result, organizations have to find ways to manage the security issue. This ties growth in the Internet security market directly to growth in the Internet. The compound annual growth rate (CAGR) of the Internet firewall market between 1995 and 2000 is projected to be 174%, driven by rapid growth of both the Internet and the Intranet. The most significant trend driving this growth is the rapid and aggressive deployment of World Wide Web servers for both Internet and Intranet use. Unit shipments of web server software are expected to grow from 127 000 units in 1995 to just more than 5 million units in 2000. Although the IT industry has traditionally enjoyed rapid development, this level of growth is unprecedented. It is difficult to separate figures for the European and UK firewall markets from the worldwide statistics quoted in the literature. 1996 may see similar levels of activity in Europe and the UK to those seen in the USA in 1995. A 1995 survey of government agencies and Fortune 500 companies conducted by the Computer Security Institute found that while 78% of respondents used the Internet, 39% did not have a firewall. Similarly, 40% of the audience at a February 1996 NCSA conference devoted to firewalls and Internet security did not have a firewall.
Given that approximately 40% of the Fortune 500 companies using the Internet have still to install a firewall and that the Internet continues to double annually, it is little surprise that the security auditing business is booming. Organizations are finding that they do not have the in-house skills or knowledge necessary to assess either the current situation or the potential risk, and are wrestling with what level of security they require.