Cybercrime against Businesses, 2005
Findings from the
National Computer Security Survey
Ramona R. Rantala Bureau of Justice Statistics
September, 2008
Directives and Legislation
• The National Strategy to Secure Cyberspace, Priority II: A National Cyberspace Security Threat and Vulnerability Reduction Program:
“DOJ and other appropriate agencies will develop and implement efforts to reduce cyber attacks and cyber threats through . . . developing better data about victims of cybercrime and intrusions in order to understand the scope of the problem and to be able to track changes over time.” (A/R 2-1)
Partnerships
• DHS
– National Cyber Security Division
– U.S. Secret Service
• DOJ
– Computer Crime and Intellectual Property
– FBI Cyber Security Squad
• Other supporters
– www.ojp.usdoj.gov/bjs/survey/ncss/ncss.htm
• Data collection agents
– RAND Corporation
– Market Strategies, Inc.
National Computer Security Survey
• Measure nature and prevalence of cybercrime
• Quantify losses
• Reveal vulnerabilities
NCSS Universe, Sample, and Response
NCSS Universe, Sample, and Response, by Company Size, 2005
                      Number of businesses
Number of employees   Universe    Sample   Response   Response rate
All businesses        7,278,109   35,596   8,079      23%
2 to 24               6,771,026   11,479   2,056      18%
25 to 99              396,355     5,601    1,236      22%
100 to 999            98,585      11,472   2,894      25%
1,000 or more         12,143      7,044    1,893      27%
Highest and Lowest Response Rates
NCSS Data
• Represents more than 8,000 businesses
• Covers 36 economic sectors
• Is the most comprehensive data available on—
– Nature of computer security incidents
– Prevalence by industry and type of incident
– Monetary losses
– Downtime
– Types of offenders
– Reporting incidents to authorities
– Vulnerabilities leading to breaches
The Nature of Cybercrime
• Cyber attacks
– All or part of the computer system is the target
• Cyber theft
– A computer was used to illegally obtain money, goods, or services
• Other computer security incidents
– Spyware, adware, other malware
– Phishing, spoofing
– Hacking
Prevalence of Cybercrime
Prevalence of computer security incidents among businesses, by type of incident, 2005
                                      Companies detecting incidents
Type of incident    All companies     Number    Percent
All incidents       7,636             5,081     67%
Cyber attack        7,626             4,398     58%
Computer virus      7,538             3,937     52%
Denial of service   7,517             1,215     16%
Vandalism           7,500             350       5%
Cyber theft         7,561             839       11%
Other               7,492             1,792     24%
Prevalence of Cybercrime
[Figure. Categories: All, Cyber attack, Cyber theft, Other]
Total Incidents
[Figure. Number of incidents. Categories: All, Cyber attack, Cyber theft, Other]
Types of Loss
[Figure. Categories: No loss, Monetary loss only, Downtime only, Both]
Total Monetary Loss
[Figure. Monetary loss (in thousands of dollars). Categories: All, Cyber attack, Cyber theft, Other]
Total System Downtime
[Figure. Categories: All, Cyber attack, Cyber theft (not collected), Other]
Unknown Cyber Offenders
[Figure. Percent of companies. Categories: All, Cyber attack, Cyber theft, Other]
Suspected Cyber Offenders
[Figure. Offender types: Insider, Outsider, Other. Categories: All, Cyber attack, Cyber theft, Other]
Reporting Incidents to Authorities
[Figure. Percent of companies. Reported: Reported somewhere, Within own business, To another organization, To law enforcement. Categories: All, Cyber attack, Cyber theft, Other]
Reasons Incidents Were Not Reported
[Figure. Reasons: Nothing to be gained, Didn't think to report, Didn't know who to contact, Outside LE jurisdiction, Negative publicity. Categories: All, Cyber attack, Cyber theft, Other]
Networks Most Commonly Accessed
[Figure. Percent of companies. Networks: Internet, Local Area Network, Wide Area Network, Business laptop. Categories: All, Cyber attack, Cyber theft, Other]
Computer Virus Sources
[Figure. Company size: 25 to 99 employees, 100 to 999 employees, 1,000 or more employees. Sources: E-mail, Internet, Portable media, Other]
Most Common Computer Security—
In-house
• Disaster recovery plan
• Corporate security policy
• Physical security
• Personnel policy
• Business continuity plan
Outsourced
• Intrusion testing
• Vulnerability/risk assessment
• Disaster recovery plan
• Periodic audits
• Network watch center
In-House Versus Outsourced Security
[Figure. Series: In-house, Outsourced. Categories: Physical security, Equipment decommissioning, Personnel policy, Network watch center]
Future Plans
• Scale down questionnaire
• Survey a sample of industries each year
• Explore mandatory reporting requirements
Contact
Ramona Rantala
Statistician
Bureau of Justice Statistics
Department of Justice
(202) 307-6170
For Your Reference
Risk Levels
• Critical infrastructure
– Agriculture
– Chemical and drug mfg
– Computer system design
– Finance
– Health care
– Internet service providers
– Petroleum mining and
Risk Levels (continued)
• High risk
– Manufacturing, durable
– Manufacturing, non-durable goods
– Motion picture and sound recording
– Retail
– Scientific research and development
– Wholesale
• Moderate risk
– Accounting
– Advertising
– Architecture and engineering
– Business and technical schools
– Insurance
– Legal services
Risk Levels (continued)
• Low risk
– Accommodations
– Administrative support
– Arts & entertainment
– Construction
– Food services
Highest Prevalence of Cybercrime
• Telecommunications (82%)
• Computer system design (79%)
• Manufacturing, durable goods (75%)
• Chemical and drug manufacturing (73%)
• Manufacturing, non-durable goods (72%)
• Business and technical schools (72%)
• Publications and broadcasting (71%)
Highest Prevalence of Cyber Attacks
• Telecommunications (74%)
• Computer system design (72%)
Highest Prevalence of Cyber Theft
• Finance (33%)
• Internet service providers (21%)
• Telecommunications (17%)
• Computer system design (15%)
• Manufacturing, durable goods (15%)
• Publications and broadcasting (14%)
• Accommodations (14%)
Highest Prevalence of Other Incidents
• Telecommunications (32%)
• Manufacturing, durable goods (32%)
• Architecture and engineering (31%)
• Chemical and drug manufacturing (27%)
• Wholesale (27%)
Lowest Prevalence of Cybercrime
• Forestry, fishing, and hunting (44%)
• Agriculture (51%)
• Food services (54%)
• Accounting (55%)
• Petroleum mining and manufacturing (56%)
Lowest Prevalence of Cyber Attacks
• Agriculture (40%)
• Forestry, fishing, and hunting (40%)
• Accounting (47%)
Lowest Prevalence of Cyber Theft
• Forestry, fishing, and hunting (3%)
• Warehousing (4%)
• Social services (5%)
• Agriculture (6%)
• Advertising (6%)
• Legal services (6%)
Lowest Prevalence of Other Incidents
• Food services (15%)
• Forestry, fishing, and hunting (16%)
• Accommodations (16%)