2003 CSI/FBI cybercrime survey shows reduced losses

The CSI and the FBI have released their 2003 Computer Crime and Security Survey. This year's edition of the survey shows that economic loss from security incidents is way down. But not all of the findings are positive. Here's a recap and evaluation.

The eighth edition of the longest-running annual survey of computer crime and losses has recently been published by the Computer Security Institute. The study, which is conducted in cooperation with the San Francisco FBI office, is based on the results reported by 530 security specialists working in U.S. corporations and government agencies.

A lot of interesting data is contained in the detailed statistical analysis, which makes up the core of this year’s report. We're going to look at some of the most important findings.

Get your copy
The report is a treasure trove of useful information, and I urge everyone to download the complete 22-page CSI/FBI study for future reference. If nothing else, it will add weight to your arguments when you are working to improve security awareness.

Notable findings
Here are a few of the findings from the report that first jumped out at me:
  • The number of incidents remained about the same as in the 2002 survey, but overall economic loss was down significantly; losses due to financial fraud in particular were down by 90 percent.
  • Theft of proprietary information was reported as being responsible for the most financial loss, with the average reported loss pegged at about $2.7 million per incident.
  • Denial of service attacks were responsible for more than $65 million in total losses among those surveyed, making them second only to theft of proprietary data in total cost.
  • Insider attacks and system abuse followed virus infections as the top category of adverse events based on the number of incidents.
  • In a blow to crackers who think they can move into the mainstream, 68 percent of the respondents were strongly opposed to hiring reformed hackers.
  • The high incidence of virus attacks reported is also a bit surprising, since 99 percent of the companies surveyed reported using antivirus software. A full 98 percent also report using firewalls.

Other key points
Biometric technology has yet to make a real dent in the market, with only 11 percent of the security specialists reporting its use in their organizations. This almost certainly indicates a continued reliance on passwords as a major security measure, which may go a long way toward explaining why so many incidents continue to be reported.

More than half the respondents said that their Web site (as opposed to their network) was not attacked in the past year, but a surprising 22 percent reported that they didn’t even know whether they had been attacked. Vandalism (36 percent) and denial of service (35 percent) were the major kinds of Web site incidents for those companies reporting attacks.

Back when the survey began, fewer than one in five serious attacks were reported to authorities, but that percentage has doubled in recent years to around 30 percent. Of those who gave a reason for failing to report incidents, more than half said they didn’t know they could report incidents. But nearly three-quarters say that they don’t report incidents because they fear negative publicity.

The report speculates that so many companies said they didn’t know they could report incidents because they simply weren't sure which agency would have jurisdiction. This certainly remains a serious problem, with few local authorities being willing or able to pursue cybercrimes. In some cases, the Secret Service might be involved, but the FBI is often the only agency that would have both the capability to deal with this sort of crime and the jurisdiction. However, the FBI has been swamped with new antiterrorism duties since 9/11, and when it wants to pursue a nonviolent cybercrime, it often doesn't have the resources available.

When asked for his interpretation of the survey results, Special Agent Tom Grasso of the Pittsburgh FBI office pointed out that there was an “even split between unauthorized use by insiders and outsiders” and noted that a big percentage of respondents blamed disgruntled employees for the attack. He also reminded security specialists to consider past survey data when analyzing this year's results. “The authors of the study commented that this [year’s numbers] are in line with pre-2001 data, which could mean that 2001 and 2002 were just unusually high.”

Grasso is the FBI liaison with CERT and is the driving force behind the National Cyber-Forensics and Training Alliance (NCFTA), a partnership among law enforcement, academia, and industry that is working to improve cyberforensic skills.

Final word
The FBI generally has a trigger point of $5,000 for a cybercrime it will pursue. Given the number of incidents and the limited number of agent-hours that can be devoted to cybercrimes, this is certainly understandable. However, it’s important to remember that Cliff Stoll’s famous investigation detailed in The Cuckoo's Egg (1989), which turned up major holes in the highly sensitive Mitre Corp.’s phone system and ended up uncovering a spy, began with a discrepancy of only a few pennies.

Obviously, the initial monetary loss shouldn’t be the sole factor that determines whether authorities decide to investigate a particular cybercrime. Unfortunately, I can’t think of any other criteria that could be applied to better effect. So for the foreseeable future, companies will probably have to rely on internal resources to investigate most computer crimes. Outsourcing may be possible, but that would require companies to divulge sensitive data to outsiders, and in any case, there just aren’t that many trained cybersnoops available.

But companies can take one commonsense step to help prevent attacks: They can patch their systems. According to the CSI/FBI report, almost unbelievably, even companies that experienced serious computer system intrusions failed in nearly 10 percent of cases to patch the vulnerable systems. In the 2002 report, only 77 percent reported patching known holes that had been exploited. It might be interesting to ask some of them just what economic or other considerations kept them from patching a hole when they knew an exploit existed and had been used to successfully attack them at least once.

Clearly, organizations need to pay more attention to updating system settings so that they conform to best practices and to patching known vulnerabilities both before and after successful attacks. This is time-consuming, difficult, and expensive. But applying patches wastes less time than restoring systems and investigating incidents, it's easier than tracking down perpetrators and learning what has been compromised, and it's probably cheaper than having confidential data stolen.

Next year should be interesting
Since this survey is based in California, where a new law is about to go into effect that will require reporting in a number of circumstances, next year’s report should prove very interesting with regard to the number and kind of incidents reported.

