I. A serious issue
Internet fraud
Every new technology is used for age-old dishonest money-making techniques. The National Consumers League Internet Fraud Watch estimated the cost of Internet fraud in 2001 in the US at 4,4 M$, up from 3,4 M$ in 2000. Here is how they broke it up :
| Top 6 | 2001 | Trend |
|---|---|---|
| On-line auctions | 63% | — |
| General merchandise sale | 11% | - |
| Nigerian money offers | 9% | + |
| Internet access services | 3% | = |
| Information adult services | 3% | + |
| Work-at-home | 2% | = |
Intellectual Property theft
Information is a good that is difficult to protect and sell at the same time. This leads to a new kind of issue related to intellectual property. The value of pirated software has been estimated between 3 bn $ (US, 2001 BSA) and 11 bn $ (worldwide, 1997 IPRC study). This does not account for multimedia (music and movies) piracy, clothes and other luxury goods.
There are big differences between countries. For example, it is estimated that only 25% of software in USA is illegally acquired, versus 95% in China.
Code Red
This famous worm exploits a buffer overflow in MS IIS. It was released on June 18th, 2001. The worm attacked various websites on July 12th and displayed the "Hacked by Chinese" message. The attack on whitehouse.gov was dodged by changing the IP address of that website.
A version 2 appeared on July 19th. It was still memory-only (nothing written to disk) but had an improved random infection list, leading to the infection of 359 000 machines in 14 hours.
- CodeRedII, August 4th : installs backdoor on disk
- No direct damage
- Limited collateral network disruption (CodeRedII reboots)
- About 1 000 000 infections
More on the Code Red analysis can be found at CAIDA, including an animation showing its propagation speed.
Nimda
Nimda has been called a blended threat because it blends several propagation modes :
- MIME exploit by email (opening or previewing)
- Embeds itself in HTML pages + MIME exploit
- Exploits the MS IIS bug "Unicode Web Traversal"
- Uses the CodeRed II backdoor
- Uses network shares
However, Nimda's real-world impact has been limited :
- Network shares open to guest with Administrator rights
- Collateral : localized bandwidth DoS
- No net-wide effect visible on September 18th
- Two days after start : +2% unavailability (content error in web page), -20% web speed
Critical infrastructure attacks : over-hyped
Industrial supply chains, power, telcos, ATC... are vulnerable BUT :
- Hackers have not shown the intent
- Terrorists lack the capability
US Computer Network Defense (non DOD)
- NIPC - National Infrastructure Protection Center
- ISAC - Information Sharing and Analysis Center : private, economic sector
Update (3/3/03) : Now everything is under the umbrella of the Department of Homeland Security's Information Analysis and Infrastructure Protection (IAIP) Directorate.
Much remains to be done at the international level.
II. Managing the risk within the institution
Evaluating the cost of an incident
Tangibles :
- Lost business due to resource unavailability
- Productivity loss for all staff while systems degraded
- IT staff labor and material to plug the leak
- IT & legal staff : forensic analysis & prosecution
- Public relation consulting & answering consumers
- Increases in insurance premium
- Liability suits
- Customers’ loss of trust in the organization
- Failure to win new accounts due to bad press
- Competitor’s access to confidential or proprietary info
What is the order of magnitude of the cost of an incident ?
In a 1998 incident, the shutdown of the main data center for a day at a PC wholesaler (Ingram Micro) resulted in lost sales and repairs estimated at $ 3.2 million. Here is another scenario, involving Code Red on 50 servers of a mobile phone corporation with 16000 people and 500 Internet-facing devices :
- 120 hours sysadmin = $ 4,179
- 2 weeks of Marketing and communication, Business development, Customer service = $ 8,000
- Travel expenses = $ 20,000
- 40 annual subscribers lost = $ 24,000
- External security audit with penetration testing = $ 50,000
- 5% business loss for two weeks = $200,000
Information Security from a business perspective
Expected risk = probability x cost of incident
No budget can remove all risk.
Security measures cost money. Incidents cost money.
Balanced choices require knowledge. Visit the SANS Institute information security reading room to get some more.
Addressing risk
- Too high a risk, no good countermeasures -> eliminate the asset
- If possible, mitigate the risk
- Accept the risk as normal business cost
- Transfer the risk by insuring the asset
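As an added example (not part of the original lecture), the expected-risk formula and the four ways of addressing risk above, applied to the Code Red scenario line items from the previous section. The annual probability, the mitigation cost and its effect, the insurance premium and coverage, and the asset value are assumptions chosen for illustration.

```python
# Line items from the lecture's Code Red scenario (USD). Every other
# figure used below (probabilities, mitigation, insurance, asset value)
# is an assumption for illustration, not a number from the lecture.
CODE_RED_INCIDENT = {
    "sysadmin 120 h": 4_179,
    "marketing, bizdev, customer service 2 weeks": 8_000,
    "travel": 20_000,
    "40 subscribers lost": 24_000,
    "external audit with pentest": 50_000,
    "5% business loss for two weeks": 200_000,
}


def incident_cost(items):
    """Total tangible cost of one incident."""
    return sum(items.values())


def expected_risk(probability, cost):
    """Expected risk = probability x cost of incident."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be in [0, 1]")
    return probability * cost


def treatment_costs(cost, p, mitigation_cost, p_mitigated, premium, coverage):
    """Expected annual outlay of the three options that keep the asset.

    accept   : carry the expected loss, spend nothing
    mitigate : pay the countermeasure, carry the reduced expected loss
    transfer : pay the premium, carry only the loss above the coverage
    """
    uncovered = max(cost - coverage, 0)
    return {
        "accept": expected_risk(p, cost),
        "mitigate": mitigation_cost + expected_risk(p_mitigated, cost),
        "transfer": premium + expected_risk(p, uncovered),
    }


def choose_treatment(options, asset_value):
    """Cheapest option, or eliminate the asset when even the cheapest
    option costs more per year than the asset is worth."""
    best = min(options, key=options.get)
    return "eliminate" if options[best] > asset_value else best


if __name__ == "__main__":
    cost = incident_cost(CODE_RED_INCIDENT)
    opts = treatment_costs(cost, 0.3, 30_000, 0.05, 25_000, 25_000_000)
    print(cost, opts, choose_treatment(opts, 1_000_000))
```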
Hacker insurance
New industry : Lloyd's started in 2000.
Partnership between insurance and security companies.
Pricing : corp. with revenue < 1 G$ can expect to pay 25-125 K$ premium for 25 M$ coverage.
III. Surveys on national cyber security
Security is a Public Good
There is a motive for public intervention in providing security because :
- Everybody benefits uniformly from threat reduction
- Ex-post public prosecution is the ultimate security barrier
But many problems remain : it is an international network, fast technical change, increasing systems complexity, vendors' lack of liability.
There is media hype...
Michael Erbschloe (Computer Economics) says :
| Year | Code name | Worldwide impact (USD) |
|---|---|---|
| 2001 | Nimda | 635 M$ |
| 2001 | Code Red(s) | 2.62 G$ |
| 2001 | SirCam | 1.15 G$ |
| 2000 | ILOVEYOU | 8.75 G$ |
| 1999 | Melissa | 1.10 G$ |
| 1999 | Explorer | 1.02 G$ |
About these numbers, Rob Rosenberger (vMyths) says : "No one else will prostitute the dollar figures reporters and antivirus vendors so desperately crave"
... and there are serious security surveys
Such as :
- The Computer Security Institute, home of the CSI/FBI survey
- The UK Communications and Information Industries Directorate security survey, available for downloading
Such surveys are subject to several biases :
- Sampling bias : who did you ask ?
- Self-selection bias : who replied ?
- Cognitive bias : replies are best estimates, memories
- Others : questionnaire language, presentation
Conclusions
Insecurity costs are significant, not measurable at the national scale yet, but you should be able to evaluate some tangible and intangible costs of incidents. The take-home message is at the institutional level :
Expected risk = Probability x Cost of incident