1, Its RC1, and u will find bugs.
2. SP2 breaks all anti virus products, and it should not be used in a production inviroment
3. Damn if you do, damn if you dont. There will allways be customers that do not like a product. But hey, feel free to use linux or any other operating system.

4.There are two large problems security and system administrators need to overcome. First, management often believes that the computer security threat is not a great enough risk to justify funds for protective measures. Second, there is a general misunderstanding of how complex the problem of computer security really is and how many resources are required to adequately defend against attacks. For example, firewalls are necessary components of a security architecture, but firewalls alone do not protect networks. An improperly configured firewall or a firewall without other security measures in place can be worse than an open system if it provides the company with a false sense of security.

For the last six years the Computer Security Institute (CSI) has performed a survey in cooperation with the Federal Bureau of Investigation's (FBI) Computer Intrusion Squad to help determine the extent of computer crime in the United States. In March 2001, CSI published its “2001 Computer Crime and Security Survey,” which is based on responses from 538 computer security practitioners in U.S. corporations, government agencies, financial institutions, medical institutions, and universities. Of those organizations surveyed, 91 percent reported detecting computer security breaches in the last 12 months[1] and 97 percent of those polled had Web sites. Of those with Web sites, 23 percent reported suffering an attack within the last 12 months and 27 percent did not know if they had experienced an attack. Of those reporting attacks, 21 percent reported two to five incidents and 58 percent reported ten or more.

[1] Power, Richard. 2001. 2001 CSI/FBI Computer Crime and Security Survey. San Francisco: Computer Security Institute.

These statistics may be alarming, but the actual state of computer security may be worse than the statistics suggest. Many organizations are still not equipped to detect security breaches. Only 61 percent (up from 50 percent in 2000) of those polled in the CSI survey reported using intrusion detection. Thus, it is likely the actual number of attacks and losses are greater than those reported. While it appears that organizations are starting to implement more security controls, security incidents and losses continue to grow. This could be due to the fact that the security products are not implemented correctly or that the proper policies and procedures are not built around them. In the 2001 CSI survey Patrice Rapalus, CSI director, provided this insight on why incidents and loss continue to grow:

The survey results over the years offer compelling evidence that neither technology nor policies alone really offer an effective defense for your organization… . Organizations that want to survive need to develop a comprehensive approach to information security embracing both the human and technical dimensions.[2]

[2] Power, Richard. 2001. 2001 CSI/FBI Computer Crime and Security Survey. San Francisco: Computer Security Institute, p. 1.

Organizations were also asked to estimate the financial damages they suffered as a result of the security breaches. Although 64 percent reported financial damages, only 35 percent were able to quantify the losses. Table 1-1 shows the results. Although the $377,828,700 in reported damages seems an enormous number, it is important to note that this reflects the damages suffered by a mere 186 organizations (35 percent of those surveyed). Considering the number of computer-using organizations in the country, the overall cost of computer security breaches must be vastly greater.

Not only is the problem bad, it appears that it is getting worse. In the years 1997–1999, the average damage due to break-ins was $120,240,180. The year 2000 losses were more than double that average. The losses continued to increase in the year 2001, with a more than 42 percent increase over the year 2000 losses despite 87 fewer organizations reporting losses.[3] Table 1-2 shows the results of the CSI survey over the last five years. Although some of the increased reported damages in the 2001 survey come from improved detection and reporting, a large portion of the increase is due to increased hacker activity.

[3] Power, Richard. 2001. 2001 CSI/FBI Computer Crime and Security Survey. San Francisco: Computer Security Institute.

The reported sources of the attacks were also interesting. External attacks continue to be more common, but the threat from internal sources is still there—49 percent of the respondents reported attacks from internal sources. Internet connections were frequent targets, as stated by 70 percent of the respondents, while 31 percent reported their internal systems were a common point of attack. Keep in mind that many companies more closely monitor Internet-connected systems for abuse and unauthorized activity than internal systems. Even considering this fact, the results support the reality that the threat from both internal and external sources is great. While the reported frequency of internal attacks is lower than that for external ones, internal attackers can often cause more damage due to their proximity to and knowledge of the systems.

Table 1-1. Losses Reported in Dollars by Type (for 2001)
Type Loss
Unauthorized insider access $6,064,000
Theft of proprietary information $151,230,100
Telecom fraud $9,041,000
Financial fraud $92,935,500
Viruses $45,288,150
Laptop theft $8,849,000
Insider abuse of Internet access $35,001,650
Denial of service $4,283,600
Sabotage $5,183,100
System penetration $19,066,600
Telecom eavesdropping $886,000
Active wiretapping $0
Other $0
Total $377,828,700
Source: Power, Richard. 2001. 2001 CSI/FBI Computer Crime and Security Survey. San Francisco: Computer Security Institute.

The CSI survey provides a wealth of information and statistics concerning computer crime and security. We have touched on just a small portion of the results that help illustrate the risks. You can obtain a free copy of the complete CSI survey by visiting www.gocsi.com.

Table 1-2. Total Reported Financial Losses by Year
Year Respondents (Number Reporting Losses/% of Total Respondents) Reported Losses
2001 186 respondents/35% $377,828,700
2000 273 respondents/42% $265,586,240
1999 161 respondents/31% $123,779,000
1998 216 respondents/42% $136,822,000
1997 331 respondents/59% $100,119,555
Total   $1,004,135,495
Source: Power, Richard. 2001. 2001 CSI/FBI Computer Crime and Security Survey. San Francisco: Computer Security Institute.

CSI is not the only organization whose surveys indicate a growing computer security threat. A global survey released in July 2000 of 4,900 information technology (IT) professionals across 30 nations, conducted by InformationWeek Research and fielded by PricewaterhouseCoopers LLP, predicts U.S. firms will suffer losses of over $266 billion this year from viruses and computer hacking.[4] The prediction for worldwide losses climbs to $1.6 trillion. The CERT Coordination Center maintains statistics for the number of incidents reported each year (www.cert.org/stats/cert_stats.html). In 2000 there were 21,756 incidents, which is more than double the number of incidents reported in 1999 (9,859 incidents). All these statistics indicate the threat appears to be growing, which calls for a renewed sense of urgency to address the security issues facing every company.

[4] PRNewswire. 2000. “Study Finds Computer Viruses and Hacking Take $1.6 Trillion Toll on Worldwide Economy.” Wire report, July 7.

The statistics are persuasive, but they are sometimes not enough to make the case for increased computer security. However, the statistics are not the only indication of increased computer crimes. Media outlets have started to take notice of computer crimes and have increased the reporting of system compromises, particularly attacks that involve well-known companies. Some of the attacks involve denial of service, stolen information, or other forms of loss.

In February 2000, many large Internet companies suffered major disruptions in service from distributed denial-of-service (DDoS) attacks. Denial-of-service (DoS) attacks generally involve trying to overwhelm or bring down a target system to make it unavailable for use. (DoS attacks are covered in greater detail in Chapter 21.) Yahoo.com, Amazon.com, ETRADE.com, Buy.com, CNN.com, eBay.com, and others were offline for hours combating the problem. These incidents brought great visibility to cyber crime.

Other well-known attacks also help illustrate the increase in computer crime. In October 2000, news sources reported an attack against Microsoft's internal systems, targeting its source code. In May 1999, the FBI investigated several hacking groups based in the United States. After the FBI seized a suspected teenage hacker's computer, several hacker groups retaliated by defacing government Web sites. At one point, a DoS attack caused the FBI Web site to be taken offline for seven days.[5] In January 2000, an Internet hacker threatened CD Universe, stating that if the company did not pay a ransom of $100,000 he would publish 300,000 credit card numbers he stole from its Web site. The company refused to pay the ransom and the hacker published over 25,000 credit card numbers. This attack destroyed consumer confidence in CD Universe and added to the mistrust consumers already have in online buying. Between the middle of 1999 and the beginning of 2000, computer viruses such as Melissa, I LOVE YOU, and Explorer.zip devastated corporate networks, forcing companies to shut down for days to combat the viruses. These viruses demonstrated the frailty of present-day virus scanners and how easy it is to get users to execute malicious code. The incidents also illustrated the problems and losses a company can suffer from an attack.

[5] Mell, Peter, and John Wack. 2000. “Mitigating the Hacker Threat.” Accessed on July 18, 2000, at the National Institute of Standards and Technology Web site, http://csrc.nist.gov/publications/nistbul/itl00-06.txt.

Web-site defacements are one of the most prevalent security incidents. Hundreds of defaced Web sites are posted on hacker sites each month. Attrition.org (www.attrition.org) and 2600 (www.2600.org) are two of many sites that contain defaced Web-site archives. The archives contain a listing of sites that have been defaced and in some instances display a copy of the defaced site. Figure 1-1 shows an example of the listings of defaced Web sites from Attrition.org. Defacements may consist of impolite messages, a hacker's claim to fame, pornographic material, or other embarrassing information. Even in cases where an attack is not destructive, the loss of confidence in the organization's ability to protect sensitive data will drive customers away.

This information should be sufficient to make a strong case for putting information security in the forefront of an organization's IT strategy. Most security professionals are already aware of the risks facing IT managers today. However, there is no way security and system administrators can both satisfy their job requirements and proactively secure their systems without user and management support. A good way to gain support is through effective security awareness training that is both convincing and constant. Users need to be continually reminded of the dangers of lax security and what they can and must do to protect against these problems. Security programs and policies must be designed to be easy to use and follow, and they must be enforceable

Source:

Hack I.T.: Security Through Penetration Testing

T. J. Klevinsky Scott Laliberte Ajay Gupta Publisher: Addison Wesley

First Edition February 01, 2002
ISBN: 0-201-71956-8