CERT(sm) Coordination Center Statistics - ------------------------------------------------------------------------------ Number of: Information Incidents Mail Messages Requests Hotline Calls Year Reported(1) Received Received(2) Received(3) - ------------------------------------------------------------------------------ 1988 6 539 1989 132 2867 1990 252 4448 1991 406 9629 1992 773 14463 275 1995 1993 1334 21267 1270 2282 1994 2341 29580 1527 3664 1995 2412 32084 1683 3428 - ---------------------------------------------------------------------------- Footnotes (1) Please note that an incident may involve one site, or hundreds or thousands of sites. Also, some incidents consist of ongoing activity for long periods of time (more than a year). (2) Information requests have been tabulated beginning July 1992. This number does not include requests to be added to mailing lists. (3) Incoming hotline calls have been tabulated since January 1992. This number does not reflect total telephone activity related to incidents because outgoing calls made by CERT staff are not included. =============================== Comments on Trends in CERT Statistics Each year since The CERT Coordination Center was established in November 1988, we have seen dramatic increases in activity. The primary causes are * Increases in the number of Internet hosts * Corresponding increases in intruder activity * Increases in the Internet community's awareness of security issues and of the existence of the CERT/CC The 1995 statistics show a shift from previous trends. Incidents: The number of incidents reported to the CERT/CC continued to increase, but the growth rate has decreased for the first time. We believe the factors include * Existence of incident response teams that serve a specific constituency of the Internet community. Many incidents are now reported to these teams rather than to the CERT/CC. * Improved ability of site personnel to handle incidents directly. Sites with whom we have worked now handle some repeat incidents without reporting them to the CERT/CC. Note: The CERT/CC would still like to receive information about all incidents, even the ones sites handle themselves. This information enables the staff to build a "big picture" of intruder activity; we can then provide that broad view to the Internet community, increasing their ability to assess risk. * Increased facility for the CERT staff to identify related intruder activities from diverse incident reports. As a result, there are fewer separate incidents but more large, complex ones. What the statistics in this file do not show are the increased sophistication of the toolkits used by intruders and the way knowledgeable intruders share their expertise with novices. Hotline calls: In 1995, the CERT/CC has seen a decrease in the number of hotline calls received. We have encouraged sites to report incidents by encrypted email or FAX because written details enable us to provide better assistance. Because we support both DES and PGP, sites can report incident information by email without concern about the information being intercepted. Interestingly, in 1995 we saw an increase in the number of hotline calls from sites requesting information on how to connect to the Internet securely *before* the site actually connected. We hope to see this trend continue. =============================== Copyright 1996 Carnegie Mellon University. This material may be reproduced and distributed without permission provided it is used for noncommercial purposes and the CERT Coordination Center is acknowledged. CERT is a service mark of Carnegie Mellon University.