CSI/FBI National Computer Crime Survey

Provided by: egovO
1
  • CSI/FBI National Computer Crime Survey

What State Business and Technology Managers Need to Know
Oregon State Controllers Division
2
CSI/FBI Survey
  • Statistical data from the CSI/FBI 2002 survey
  • Respondent evaluation
  • Types of incidents
  • Incident losses
  • WWW site attacks
  • Managing Business Risk
  • Conclusions

3
CSI/FBI Survey
The Annual CSI/FBI Computer Crime Survey
  • This annual survey was conducted by the Computer
    Security Institute (CSI) in association with the
    San Francisco Computer Crime Squad of the Federal
    Bureau of Investigation (FBI).
  • Conducted annually since 1996.

CSI/FBI 2002 Computer Crime and Security Survey. Source: Computer Security Institute
4
CSI/FBI Survey
Intent of the CSI/FBI Survey
  • To provide statistical data on the current state
    of both computer crime and computer security
  • To help law enforcement agencies and information
    security professionals deal with the threat more
    effectively
  • To further cooperation between law enforcement
    agencies and organizations by encouraging
    organizations to report computer crimes to
    appropriate authorities.

5
CSI/FBI Survey
2002 Survey Respondents
  • Questionnaires were distributed to 3,500
    information security professionals; 503 responses
    were received, for a response rate of 14%.
  • The responses were anonymous.
  • Job titles of respondents ranged from
    corporate information security manager
    and data security officer to senior
    systems analyst.
  • Organizations surveyed included
    corporations, financial institutions,
    government agencies and universities.

6
CSI/FBI Survey
Respondents by industry sector
2002: 503 Respondents/100%
7
CSI/FBI Survey
Respondents by number of employees
2002: 484 Respondents/96%
8
CSI/FBI Survey
Respondents by gross income
CSI/FBI 2001 Computer Crime and Security Survey. Source: Computer Security Institute
2002: 369 Responses/73%
9
CSI/FBI Survey
Security Technologies Utilized, 1
Chart axis: Percentage of Respondents
2002: 500 Respondents/99%; 2001: 530 Respondents/99%; 2000: 629 Respondents/97%; 1999: 501 Respondents/96%; 1998: 512 Respondents/98%
10
CSI/FBI Survey
Security Technologies Utilized, 2
Chart axis: Percentage of Respondents
2002: 500 Respondents/99%; 2001: 530 Respondents/99%; 2000: 629 Respondents/97%; 1999: 501 Respondents/96%; 1998: 512 Respondents/98%
11
CSI/FBI Survey
Unauthorized Activity during 2000
Chart axis: Percentage of Respondents
Chart legend: DON'T KNOW, YES, NO
2002: 481 Respondents/96%; 2001: 532 Respondents/99.6%; 2000: 585 Respondents/91%; 1999: 512 Respondents/98%; 1998: 515 Respondents/99%; 1997: 391 Respondents/69%; 1996: 410 Respondents/96%
12
CSI/FBI Survey
Number of Incidents

Year   1 to 5   6 to 10   11 to 30   31 to 60   Over 60   Don't Know
2002   42       20        8          2          5         23
2001   33       24        5          1          5         31
2000   33       23        5          2          6         31
1999   34       22        7          2          5         29
1998   61       31        6          1          2         n/a
1997   48       23        3 ()       n/a        n/a       27
1996   46       21        12         n/a        n/a       21

(2002: 321 Respondents/64%; 2001: 348 Respondents/65%; 2000: 392 Respondents/61%; 1999: 327 Respondents/63%; 1998: 234 Respondents/45%; 1997: 271 Respondents/48%; 1996: 179 Respondents/425)
Note: In '96 and '97, we asked only 11 or more.
Note: In '96, we didn't ask this question.
13
CSI/FBI Survey
Number of Internal Incidents

Year   1 to 5   6 to 10   11 to 30   31 to 60   Over 60   Don't Know
2002   42       13        6          2          1         35
2001   40       12        3          0          4         41
2000   38       16        5          1          3         37
1999   37       16        9          1          2         35
1998   70       20        9          1          1         n/a
1997   47       14        3 ()       n/a        n/a       35
1996   n/a      n/a       n/a ()     n/a        n/a       n/a

(2002: 289 Respondents/57%; 2001: 311 Respondents/58%; 2000: 359 Respondents/55%; 1999: 308 Respondents/59%; 1998: 184 Respondents/36%; 1997: 218 Respondents/39%; 1996: n/a)
Note: In '96 and '97, we asked only 11 or more.
Note: In '96, we didn't ask this question.
14
CSI/FBI Survey
Number of External Incidents

Year   1 to 5   6 to 10   11 to 30   31 to 60   Over 60   Don't Know
2002   49       14        5          0          4         27
2001   41       14        3          1          3         39
2000   39       11        2          2          4         42
1999   43       8         5          1          3         39
1998   74       18        6          0          3         xx
1997   43       10        1 ()       n/a        n/a       45
1996   n/a      n/a       n/a ()     n/a        n/a       n/a

(2002: 301 Respondents/60%; 2001: 316 Respondents/59%; 2000: 341 Respondents/53%; 1999: 280 Respondents/54%; 1998: 142 Respondents/27%; 1997: 212 Respondents/41%; 1996: n/a)
Note: In '96 and '97, we asked only 11 or more.
Note: In '96, we didn't ask this question.
15
CSI/FBI Survey
Threat Axis
Chart axis: Percentage of Respondents
Chart legend: INTERNAL SYSTEMS, REMOTE DIAL-IN, INTERNET
2002: 481 Respondents/96%; 2001: 384 Respondents/72%; 2000: 443 Respondents/68%; 1999: 324 Respondents/62%; 1998: 279 Respondents/54%; 1997: 391 Respondents/69%; 1996: 174 Respondents/40%
16
CSI/FBI Survey
Origin of Attack
Chart axis: Percentage of Respondents
2002: 414 Respondents/82%; 2001: 484 Respondents/91%; 2000: 583 Respondents/90%; 1999: 460 Respondents/88%; 1998: 428 Respondents/83%; 1997: 503 Respondents/89%
17
CSI/FBI Survey
Observed Misuse and Attacks, 1
Chart axis: Percentage of Respondents
2002: 455 Respondents/90%; 2001: 452 Respondents/85%; 2000: 581 Respondents/90%; 1999: 405 Respondents/78%; 1998: 458 Respondents/89%; 1997: 492 Respondents/87%
18
CSI/FBI Survey
Observed Misuse and Attacks, 2
Chart axis: Percentage of Respondents
2002: 455 Respondents/90%; 2001: 452 Respondents/85%; 2000: 581 Respondents/90%; 1999: 405 Respondents/78%; 1998: 458 Respondents/89%; 1997: 492 Respondents/87%
19
CSI/FBI Survey
Number of Incidents Resulting in Losses, 1
Chart axis: Number of Respondents
2002: 404 Respondents/80%; 2001: 344 Responses/64%; 2000: 477 Respondents/74%; 1999: 265 Respondents/51%; 1998: 376 Respondents/73%; 1997: 422 Respondents/75%
20
CSI/FBI Survey
Number of Incidents Resulting in Losses, 2
Chart axis: Number of Respondents
2002: 404 Respondents/80%; 2001: 344 Responses/64%; 2000: 477 Respondents/74%; 1999: 265 Respondents/51%; 1998: 376 Respondents/73%; 1997: 422 Respondents/75%
21
CSI/FBI Survey
Reported Losses
2002: 223 Respondents/44%
22
CSI/FBI Survey
Financial Losses Summarized
  • Percent of respondents who reported financial
    losses due to security breaches
      • 1997: 75%, 1998: 73%, 1999: 51%, 2000: 74%,
        2001: 64%, 2002: 80%
  • Willing and/or able to quantify their losses
      • 1997: 59%, 1998: 42%, 1999: 31%, 2000: 42%,
        2001: 37%, 2002: 44%
  • Total dollar losses
      • 1997: 249 respondents, US$100,119,555
      • 1998: 241 respondents, US$136,822,000
      • 1999: 163 respondents, US$123,779,000
      • 2000: 273 respondents, US$265,589,940
      • 2001: 196 respondents, US$377,828,700
      • 2002: n/a respondents, US$455,848,000
23
CSI/FBI Survey
Attacks on WWW Sites (Last 12 months)
Chart axis: Percentage of Respondents
  • 97% of respondents have WWW sites.
  • 47% provide electronic commerce services via
    their WWW sites.
  • 43% were doing e-commerce in 2000.

2002: 472 Respondents/94%; 2001: 509 Respondents/95%; 2000: 603 Respondents/93%; 1999: 479 Respondents/92%
24
CSI/FBI Survey
Number of WWW Site Attacks
Chart axis: Percentage of Respondents
2002: 244 Respondents/49%; 2001: 211 Respondents/40%; 2000: 120 Respondents/18%; 1999: 92 Respondents/18%
25
CSI/FBI Survey
Source of WWW Site Attacks
Chart axis: Percentage of Respondents
2002: 209 Respondents/42%; 2001: 163 Respondents/31%; 2000: 153 Respondents/23%; 1999: 125 Respondents/24%
26
CSI/FBI Survey
Type of WWW Site Attack
Chart axis: Percentage of Respondents
2002: Respondents/33%; 2001: 78 Respondents/14%; 2000: 93 Respondents/14%; 1999: 44 Respondents/8%
27
CSI/FBI Survey
Incident Response
Chart axis: Percentage of Respondents
2002: 389 Respondents/77%; 2001: 345 Respondents/64%; 2000: 407 Respondents/63%; 1999: 295 Respondents/57%; 1998: 321 Respondents/72%; 1997: 317 Respondents/56%; 1996: 325 Respondents/76%
28
CSI/FBI Survey
Reasons That No Report Was Made
Chart axis: Percentage of Respondents
2002: 143 Respondents/28%; 2001: 151 Respondents/28%; 2000: 209 Respondents/32%; 1999: 107 Respondents/20%; 1998: 96 Respondents/19%; 1997: 142 Respondents/25%; 1996: 64 Respondents/15%
29
CSI/FBI Survey
Would consider hiring former hackers as consultants
Chart axis: Percentage of Respondents
2002: 442 Respondents/88%; 2001: 524 Respondents/98%; 2000: 620 Respondents/96%; 1999: 506 Respondents/97%
30
  • Basic risk management
  • Business risks should be managed and controlled.
  • The cost of mitigating risk should be less than
    the losses associated with possible consequences.
  • Taking risk should be offset by the
    calculated potential gains associated
    with assuming the risk.

31
  • Types of business risk
  • Investment risk
      • Return on investment vs. Value of capital.
          • Equipment capitalization
          • New systems, services, reorganizations
  • Operational risk
      • Unforeseen costs of business operations.
          • Maintenance costs
          • Equipment upgrades
          • Fraud abuse
      • Unforeseen costs of critical incidents.
          • Lawsuits
          • Disaster / business continuity

32
  • Business risks introduced by lack of information
    security
  • Loss of operational capability
  • Loss of critical information
  • Institutional business information
  • Confidential information
  • Intellectual property
  • Loss of client/customer confidence
  • Negative public perceptions
  • New regulatory/political requirements

33
  • Four cost benefit steps
  • 1. Identify your critical, confidential, and
    operational information (data/applications).
  • 2. Quantify the value of your critical,
    confidential, and operational information.
  • 3. Quantify acceptable losses associated with
    either the compromise or destruction of
    your information.
  • 4. Quantify acceptable costs to secure and
    protect your information.

34
  • Information risk confidence
  • Minimize loss of confidential information
    (confidentiality).
  • Maximize integrity of confidential and
    operational information (integrity).
  • Maximize availability of
    operational information (availability).
  • Minimize unnecessary expense.

35
Conclusions
  • Critical information and associated information
    systems are the targets of entities external to
    your organization.
  • Critical information and associated information
    systems may become the targets of
    entities internal to your
    organization.

36
Conclusions
  • 100% information system security is impossible.
    Changes to technology services introduce new
    vulnerabilities.
  • System confidence is achieved through intelligent
    priorities, and the effective use of business and
    technical policies.

37
Conclusions
  • Leadership does matter
  • Management inertia will not result in information
    system confidence.
  • Information system confidence is the result of
    decisions made and implemented by business and
    technology leaders.

38
Resources
  • CSI home page: http://www.gocsi.com/homepage.shtml
  • SCD fraud page: http://scd.das.state.or.us/thefraudpage.htm
  • SCD business continuity page: http://scd.das.state.or.us/bcp/bcp.htm
  • SCD e-commerce page: http://scd.das.state.or.us/AR/BITS.htm
  • SCD internal controls and risk assessment page: http://scd.das.state.or.us/risk_assesment.htm