RSA CONFERENCE, SAN FRANCISCO, CA., Wednesday, February 25, 2004 —
Organizers of the RSA® Conference 2004, the world’s leading
information security event, released the results of the 2nd annual Internet
Insecurity Index during opening ceremonies at San Francisco’s Moscone
Center on Tuesday, February 24, 2004. The RSA Conference Internet Insecurity
Index is a compilation of key information security developments over the past
year as reported by various news sources and agencies. While not a precise scientific
gauge, it provides some measure of direction to help conference attendees and
security industry professionals answer the question: Is information security
improving? The higher the overall score in a given category, the higher the
level of insecurity. The RSA Conference takes place February 23-27, 2004.
The RSA Conference Internet Insecurity Index is broken down into six general areas: Hacks, Attacks and Flaws; Threats; Internet, Crime and Fraud; Internet Users and ISPs; Information Security Industry; and Government. When evaluating events and issues within each category, a higher score equates to a higher level of insecurity. In 2003, the overall rating was a “6”. The index results for this year are detailed below, with some of the relevant findings:
Hacks, Attacks & Flaws:
• The number of incidents reported to the CERT Coordination Center increased
40 percent in 2003.
• In August 2003, enterprises saw a rapid fire of virus attacks –
“Blaster” and “So Big” viruses came with a $3.5 billion
price tag, and are estimated to be responsible for more than 2 million infections.
• Fifteen states enacted new spam legislation in 2003, resulting in a
total of 38 states that now have some form of legislation on the books. The
U.S. Congress also enacted the CAN-SPAM Act of 2003, providing for labeling
requirements and opt-out instructions for unsolicited emails. The legislative
activity has not yet provided users with an appreciable difference in spam messages.
RATING: 8 (same as last year)
Threats:
• Technology and the government's expansion of its online surveillance authority
are making it easier to track and store data about people's web habits.
Some view efforts to authenticate users as running counter to the anonymity
that was the touchstone on which the web was built; others view them as a way to legitimize
the web as a social and commerce tool.
• A recent survey sponsored by Business Software
Alliance and the Information Security Systems Association found that 65% of
information security professionals believe that their organizations are at risk
of a major cyber attack in the next 12 months.
• Exploits are following an accelerated growth path. Three years ago,
the delay between discovery of a vulnerability and its exploit was 500 days.
Now it's fewer than 40 (e.g., the vulnerability exploited by the Blaster
worm was disclosed less than 30 days before the worm appeared).
RATING: 8 (same as last year)
Internet Crime & Fraud:
• Identity theft topped last year's Index as the fastest-growing
segment of Internet-related crime. It's back this year as the most common
complaint received by the Federal Trade Commission. Internet-related fraud now
accounts for 55% of the more than 500,000 complaints filed with the agency,
up from 45% in the prior year.
• Hackers are successfully planting Trojan horse viruses in seemingly
harmless email attachments. The Trojan horse allows the hacker to take over
the victim’s computer and plant viruses, pornography or other illegal
materials.
RATING: 8 (up from 7 last year)
Internet Users and ISPs:
• In the Internet users and ISPs portion of the index, poor patch management
is a common theme, with many individuals and businesses failing to ensure that
their computers have the latest patches from software companies – as was
the case with the Blaster worm outbreaks – but also failing to take basic
steps that would prevent dangerous data traffic from crossing their networks.
Information security providers, Internet service providers and network administrators
share blame here – and the industry recognizes that patches need to be
easier to install and distribute.
• There is an inverse relationship between organizations strengthening
security and a user’s desire for convenient access. The more corporations
try to improve security, the more inconvenient the access becomes for users,
and the more users unwittingly weaken the security system. (e.g., writing cryptic
passwords on post-its and attaching them to computer screens; or losing passwords
and then flooding the help desk with password reset calls). Strong security
needs to become single and seamless for users.
RATING: 6 (same as last year)
Information Security Industry:
• Frustration can sum up how most users feel about Internet security in
2003. Advocacy groups are proposing everything from legislation that would allow
customers to sue companies over security loopholes in products to new tracking
systems that would make it impossible to use the web anonymously. The web is
a truly international medium, limiting the enforcement ability of any regulations.
• Organizations are looking for relief from administrative burdens and
overhead associated with maintaining multiple identities on disparate systems,
and are looking to identity management systems to resolve these issues, and
to help make them compliant with new laws and regulations such as the Sarbanes-Oxley
Act and the Health Insurance Portability and Accountability Act (“HIPAA”).
• In November, Microsoft announced the creation of the Anti-Virus Reward
Program, initially funded with $5 million, to help law enforcement agencies
identify and bring to justice those who illegally release damaging worms, viruses
and other types of malicious code on the Internet. Microsoft has offered $250,000
rewards for culprits of the “Blaster,” “So Big” and
“My Doom” viruses.
RATING: 6 (up from 4 last year)
Government:
• Critics snubbed the United States’ cyber-security policy (the
National Strategy to Secure Cyberspace) as largely voluntary and lacking regulatory
prescriptions. A coalition of government and private corporations says it is
close to unveiling a framework and tools that will help bolster the nation’s
vulnerable networks. The first product of their work will be released in March
of this year.
• Ridge's "a few lines of code": In a speech to the IT industry,
Tom Ridge emphasized that everything from electricity grids to banking transactions
and telecommunications depends on secure, reliable cyber-networks, and that terrorist
groups "know, as do we, that a few lines of code could ultimately wreak
as much havoc as a handful of bombs."
• In the annual report card of agencies' cyber-security programs, the
Federal government "improved" its overall rating from an “F”
to a “D” grade. Somewhat surprising was the “F” rating
for the new Department of Homeland Security (“DHS”), whose mission
includes promoting cyber-security nationwide. That score, the first for DHS,
may be influenced by the agency's nascence and ongoing organization, having
only opened its doors in March 2003.
RATING: 6 (was 4 last year)
The overall rating for the RSA Conference Internet Insecurity Index for 2004 was a “7”, indicating the landscape for information security has worsened slightly from 2003.
“Information security has become one of the most critical issues for industry, academic and government officials over the past year,” said Sandra Toms LaPedis, area vice president and general manager of the RSA Conferences. “The ratings identified in each category for the Internet Insecurity Index underscore the importance of events such as the RSA Conference, and the need for organizations to continue to focus on improving standards and technologies for the security industry.”
Sponsors, Registration and Attendance
Attendees can participate in more than 200 class sessions on solutions and best
practices. They will also gain access to the largest information security exposition,
including more than 250 vendors covering approximately 140,000 square feet.
Sponsors of the 2004 RSA Conference include Platinum Sponsors: Computer Associates,
Hewlett-Packard, Microsoft, RSA Security, Sun Microsystems, Symantec, TippingPoint
and VeriSign; and Gold Sponsors: Shavlik Technologies and Verdasys.
Full Conference fees include access to all four days of general sessions and class tracks, exhibits, evening receptions and giveaways. Qualified members of the media receive complimentary admission with advance registration. Registration and additional information are available on-site at Moscone North.
About the RSA Conference
Now in its 13th year, the RSA Conference brings together decision-makers and
influencers from all major markets, including consumer, education, financial,
government, computer networking, telecommunications, Wall Street and the media
for one of the industry’s premier e-security and cryptography events.
Later in the year, RSA Conference 2004 continues in Japan and in Europe. For
more information, visit http://www.rsaconference.com/