Thursday, 28 February 2008

Current Statistics on InSecurity - IDS

The following is a compilation of statistics on a year-by-year basis. These are all from Australia and have been followed over a number of years. The columns are split by year, then by industry, and give the number of organisations that have an IDS in place. This is divided further into HIDS (host-based IDS) and NIDS (network IDS). The firewall stats were published in the prior post. These figures record only that the system is in place. The statistics for those who actually monitor the system are lower (and looking at the logs on a monthly basis is not monitoring the IDS!).

Over the next week I will publish the statistics I have noted in audits and compliance work for this period. Following posts will include NIDS (those organisations using a network-based IDS of some type, even if poorly) and HIDS (those with something as simple as AIDE or Tripwire). In the next posts there will be a set of statistics by system. The systems I have been recording are:
  • Financial Systems Databases,
  • User Management Systems (including Active Directory domain servers),
  • Key Critical System (this is the system with the highest loss or damage value for the organisation).
The results are listed from 2004 to 2007 with the number of systems that are compliant with the noted test against the number of organisations in the class (except in the case of 100% compliance, which is listed as such). So a result of "89 / 102" means that 89 organisations of a total sample space of 102 clients are compliant. In the case of the firewall section, 89 organisations of the 102 would have a minimal firewall in place (or 87%).
(Figure: Network and Host IDS as a fraction)
(Figure: Network and Host IDS as a percentage)
(Figure: Network-based IDS as a graph plotting changes over time)
(Figure: Host-based IDS as a graph plotting changes over time)

The worst industries are retail and property. In the case where there is a requirement for PCI-DSS to be met, I have ignored these altogether. I have seen 2 organisations that are compliant with PCI-DSS.

I have seen 45 organisations that have PCI-DSS requirements that need to be met. Of these, 2 met the compliance standards as they had minimal systems. On top of this, 2 organisations have filed that they are nowhere near meeting the standards and file as being non-compliant, but Visa has not yet done anything. A further 3 organisations have "lodged" with Visa/Mastercard and their banks that they are non-compliant but working on getting there and have an extension. 17 organisations have "fudged the results" and 6 have - well, let us just say misrepresented the truth.
