June 2003 Mfg.Trust
Mfg.Trust is a monthly feature of the
NCMS InfraGard Manufacturing Industry Association
Infrastructure assurance for manufacturers
Powered by NCMS.
This month – FBI/CSI Survey on Computer Crime
See the Resources Page for this Story
Editor's Preface:
The Computer Crime and Security Survey is conducted annually by the
Computer Security Institute (CSI) with FBI participation. The survey,
now in its eighth year, is the longest running survey in the information
security field.
That notoriety draws both barbs and kudos.
The survey paints a compelling portrait of just how often crime occurs on
computer networks, just how expensive such crime can be, and how little of
it is reported to law enforcement. On the other hand, IT security
professionals created this survey and are its principal respondents. The
stated aim of this survey is to raise the level of security
awareness. Security companies, with products and services to sell, have
been accused of generating most of the fear of being hacked on the
Internet.
The Resources Page this month
includes a healthy dose of contrary views. Be mindful that those contrary
views can be driven by other vendors, such as emergency management and
physical security consultants, who say they solve the *real* problem.
Amidst all this "energy" it's tough to make clear-headed decisions about
securing systems to minimize damage. IMIA preaches a holistic approach to
security. We’ll do our best to help you get there. The
Resources Page that
accompanies this article is at
http://trust.ncms.org (see Publications Index tab).
Please enjoy our article, a synopsis of this year’s report.
Editor
FBI/CSI SURVEY ON COMPUTER CRIME
Based on the responses of 530 computer security practitioners (85%
commercial organizations, about one third from organizations with >10,000
employees) in U.S. corporations, government agencies, financial
institutions, medical institutions and universities, the 2003 findings
once again show that there is no shortage of attacks, but suggest this
year that the severity and cost of these attacks have trended downward for
the first time since 1999.
56% of respondents reported unauthorized computer use, but financial
losses from such use dropped to $201 million from $455 million in previous
years. That $201 million represents losses from only the organizations
reporting. This number has been the traditional “headline grabber” of the
survey in prior years. It is interesting that the number is down lately.
More significant to your editor is that the number is still huge. Computer
crime costs those who have something worth taking.
Theft of proprietary information caused the greatest loss at $70 million
total, about $2.7 million per incident. Denial of service was second at
$65 million.
Financial fraud was way down: $10 million, down from $116 million in prior
years. Since the survey respondents tend to be IT security practitioners,
who are represented more in larger corporations, the CSI survey concludes
that the subset of those responding may be in better shape than the
public.
Criminal Methods
The most prevalent forms of abuse are viruses (82%) and insider abuse of
network access (80%). These are two different crimes. Viruses are wanton
violence, and deserve one sort of defense.
However, insider crime requires a different approach. A favorite IMIA
theme has been "managing the trust of the trusted." Other Mfg.Trust
articles (see http://trust.ncms.org,
Publications Index) focus on that topic, and for good reason. If computer
crime costs those who have something worth taking, it is often insiders,
who understand the value and have access, who are doing the taking.
Security Technologies Used
Survey results show that virtually all respondents use anti-virus
software, firewalls, physical security and access control. Imagine what
that means to those who don’t - ‘nuff said!
Newer technologies are being adopted by industry. Digital ID is in use by
49%, biometrics by 11% of respondents.
Please appreciate that about half of the responses come from quarters
where it’s hardly surprising that computer security would be an important
concern. So these usage figures are surely higher than the population on
average.
Reporting to Law Enforcement
Only 30% reported to law enforcement, double from previous years. Why?
53% said they were "not aware" that they could report.
It seems that attackers may reasonably infer that the odds against their
being caught and prosecuted remain strongly in their favor. We at
InfraGard must just redouble our efforts to dispel that notion.
InfraGard was created as a public-private partnership for networking and
information sharing about critical infrastructure protection. A specific
InfraGard goal is to increase communications between industry and law
enforcement (including communications about criminal activity). InfraGard
outreach and awareness programs (such as this Mfg.Trust feature story
series) were created to let people know about the significant investments
made by law enforcement to acquire the resources and skills to combat
computer crime.
Conclusions
The CSI Survey is a valuable tool for assessing the
scope of computer crime in the US. That assessment should cause industry
leaders to examine their defenses.
The prevalence and cost of computer crime are ample reason for industry to
engage with law enforcement to prevent crime where possible, and prosecute
it where necessary. The InfraGard Manufacturing Industry Association
serves that purpose well in the manufacturing sector.
The complete survey is published on the CSI website at www.gocsi.com.
If you liked Mfg.Trust, please
forward it to a colleague in your company!
For questions, comments, or for NCMS Alliance Partners to request their
own FREE subscription to Mfg.Trust,
send e-mail to johns@ncms.org