Sunday 26 February 2006

2005 FBI Computer Crime Survey

The 2005 FBI Computer Crime Survey addresses one of the highest priorities in the Federal Bureau of Investigation. These survey results are based on the responses of 2066 organizations. The purpose of this survey is to gain an accurate understanding of what computer security incidents are being experienced by the full spectrum of sizes and types of organizations within the United States. The 23-question survey addressed a wide variety of issues including: computer security technologies used, security incident types, and actions taken, as well as emerging technologies and trends such as wireless and biometrics. The survey was conducted in four states (Iowa, Nebraska, New York, and Texas) and was performed by the corresponding FBI offices in those areas. The survey was conducted in such a way that recipients could respond anonymously.

This survey is not to be confused with the CSI/FBI Computer Crime and Security Survey, which has been conducted for several years, and has a somewhat different focus, method, and restricted number of respondents.

KEY FINDINGS:

• There are a variety of computer security technologies that organizations are increasingly investing in to combat the relentless, evolving, sophisticated threats, both internal and external. Despite these efforts, well over 5,000 computer security incidents were reported with 87% of respondents experiencing some type of incident.

• In many of the responding organizations, a common theme of frustration existed with the nonstop barrage of viruses, Trojans, worms, and spyware.

• Although the usage of antivirus, antispyware, firewalls, and antispam software is almost universal among the survey respondents, many computer security threats came from within the organizations.

• Of the intrusion attempts that appeared to have come from outside the organizations, the most common countries of origin appeared to be United States, China, Nigeria, Korea, Germany, Russia, and Romania.

• An overwhelming 91% of organizations that reported computer security incidents to law enforcement were satisfied with the response of law enforcement.

• Almost 90% of respondents were not familiar with the InfraGard (www.infragard.net) organization that is a joint effort by the FBI and industry to educate and share information related to threats to U.S. infrastructure.

• The survey respondents were very interested in being better informed on how to prevent computer crimes. Over 75% of respondents voiced a desire to attend an informational session hosted by their local FBI office.

DETAILED FINDINGS:

About the Questions:

The 2005 FBI Computer Crime Survey is unique in that the questions were compiled based on input from a large number and variety of organizations. Input for the questions was provided by both a large number of Special Agent computer intrusion investigators, supervisors, and Investigative Analysts within the FBI, as well as a variety of computer security professionals within the computer security and digital forensics communities. For the purposes of this survey, Computer Security Incident is defined as: Any real or suspected adverse event in relation to the security of computer systems or computer networks.

About the Recipients/Respondents:

Approximately 24,000 organizations received the 2005 FBI Computer Crime Survey. These recipients were from 430 different cities (with populations ranging from less than 1,000 to New York City, with a population of more than 8 million) from four states: Iowa, Nebraska, New York and Texas.

About The Methodology:

A letter was mailed to the recipients in mid June 2005. The following criteria were used to select the organizations which were provided by a list broker as well as other sources:

1. Organizations that had been in existence for three or more years.

2. Organizations that had five or more employees.

3. Organizations that fell within the geographic area requested (those 400+ cities covered by the FBI offices that participated).

4. Organizations that had $1,000,000 or more in annual revenue.

Organizations had to meet all four of these criteria in order to be selected. The letter was sent from the FBI and gave a brief description of the 2005 FBI Computer Crime Survey project. The letter conveyed the anonymous nature of the survey and directed recipients to a web address as well as provided a userid and password. Recipients had approximately five weeks to complete the survey. They were also given the option to request a written version although less than 1% did. 2066 individuals completed the survey. No reminders were sent.

Question 1: In what general area is your organization located?

While responses from the survey came from several hundred different cities, there were a small number of primarily urban areas that made up the vast majority of respondents. Over 90% of the survey recipients were in the Austin, Houston, New York City, Iowa, Nebraska, and San Antonio metro areas. The Houston territory, which covers 40 counties, had the highest number of respondents with 762 while the Iowa/Nebraska territory had the highest percentage survey response with almost 13%.

Question 2: What industry best describes your organization?

There are many ways in which organizations and businesses are categorized. Nineteen different categories were offered as well as an ‘Other’ category. While responses were received from every one of the categories, Financial (14%), Medical (11%), and Professional (9%) had the highest number of respondents.

Question 3: How many employees does your organization have?

The survey respondents came from organizations across a broad size range, from less than ten employees to well over 10,000 employees. The majority were, however, from small to midsize organizations, with over 51% coming from organizations with 10 – 99 employees.

Question 4: What best describes your title?

The job title of the respondents indicated that they were well qualified to answer the survey’s questions. The largest group is ‘IT Managers’ (28%) with ‘System Administrators’ making up another 21%. Most small organizations would not have a Chief Security Officer or Chief Information Security Officer. This would account for only 2% of respondents indicating CSO/CISO instead of the more general IT related titles.

Question 5: What level of gross income does your organization have?

As expected, the largest gross income category by far was the ‘Under $5,000,000’ (46%) with the $10,000,000 - $99,000,000 category being a distant 2nd at 16%. Over 2% of respondents come from organizations with over a billion dollars of gross income.

Question 6: Security technologies used by your organization: (select all that apply)

There was a large variety of security technologies being used among respondents. Usage of Antivirus software was almost universal with 98%. Firewalls were close behind with over 90% either using software or hardware firewalls. Operating system safeguards, such as limits on which users could install software, password complexity requirements, and periodic password changes were used by about half of respondents. Virtual Private Networks (VPNs) proved to be a popular means of achieving security with a 46% response. Advanced techniques such as biometrics (4%) and smartcards (7%) were implemented infrequently; however, it is anticipated that these numbers may increase in future surveys. Organizations used on average 7.8 of the security methods listed.

Interestingly, having more security measures did not mean a reduction in attacks. In fact there was a significantly positive correlation between the number of security measures employed and the number of Denial of Service (DoS) attacks. It is likely that organizations that are attractive targets of attacks are also most likely to both experience attack attempts and to employ more aggressive computer security measures. Also, organizations employing more technologies would likely be better able to be aware of computer security incidents aimed at their organizations.

Question 7: Which types of computer security incidents has your organization detected within the last 12 months? (select all that apply)

Further analysis of the responses to this question indicates that the vast majority of respondents (87%) experienced some type of computer security incident. The average responding organization experienced several (2.75) different types of computer security incidents with each type potentially occurring multiple times (such as viruses and port scans) to an organization. Over 79% had been affected by spyware and not surprisingly almost 84% had been affected by a virus attack at least one time within the last 12 months, despite the almost universal usage of Antivirus software mentioned in the previous question. Port scans being at only 33% is a strong indicator that many respondents are not detecting the almost unavoidable port scans most networks experience. This may imply that even the 5,389 reported computer security incident types indicated by individual organizations may be significantly lower than the actual number. As expected, adult pornography was fairly high on the list of incident types at number five (395 responses) out of fifteen, with over 22% of organizations dealing with this issue. Although adult pornography is not illegal as child pornography is, it is against the policy of most organizations.

New York had the lowest percentage of organizations experiencing unauthorized access, but the highest percentage of experiencing insider abuse, laptop theft, telecom fraud, viruses, and website defacement. Austin, being the most high tech area surveyed, was home to the organizations most likely (over 91%) to have at least one type of computer security incident.

Question 8: How many computer security incidents has your organization had within the last 12 months?

As indicated in the previous question’s results, 87% of respondents experienced a computer security incident with only 277 implying that they did not have such an issue. Just over half of the responders to this question indicated that they had experienced 1-4 incidents. Almost 20% of responses to this question indicated that they had experienced 20 or more such incidents. Large organizations (with gross income greater than one billion dollars) were more than twice as likely to be in the ‘20 or more attacks’ category (45.5% of these larger organizations, compared to 19.2% of overall respondents). 40% of education and state government organizations had 20 or more incidents.

Question 9: Has your organization experienced unauthorized access to computer systems within the last 12 months?

The broad definition of ‘computer security incident’ (see the ‘About the Questions’ section) leads to a large number of victims in questions seven and eight. In question nine, the more restrictive category of organizations that experienced ‘unauthorized access’ to computer systems (this would not include viruses and port scans for example) is understandably smaller, but still significant. While an average of 13% knew that they experienced unauthorized access to their systems, 44% of educational, 31% of federal government, and 25% of transportation had experienced unauthorized access. An additional 24% stated that they did not know whether they had experienced such unauthorized access. This underscores the difficulty of organizations in having the expertise and resources to be aware of computer intrusions, much less guard against or prevent such breaches. 63% indicated that they had not had unauthorized access.

Question 10: How many unauthorized access incidents were from within your organization?

Over 44% of respondents to this question had experienced intrusions from within their organization. This is a strong indicator that internal controls are extremely important and should not be underemphasized while concentrating efforts on deterring outside hackers. (It should be noted that some of the 232 respondents mentioned above could have been aware of computer security incidents originating from both within the organization as well as other such incidents originating outside the organization. Only respondents who answered ‘Yes’ to question 9 were tabulated for questions 10 and 11.)

Question 11: How many unauthorized access incidents were from outside your organization?

Overall, there were over twice as many unauthorized access incidents coming from outside the organization than there were from within, which underlines the importance of Intrusion Prevention/Detection Systems as well as firewalls, logs, password complexity, and other technology and physical security measures.

25% of those who said in question nine that they had experienced unauthorized access believed that they had been intruded upon from both inside and outside their organization.

Question 12: What country was the most common source of the intrusion attempts against your organization?

Question twelve drilled even deeper by trying to identify which countries were the most common source of the intrusion attempts. A surprising 53% of those organizations that had in the previous question identified an intrusion as coming from outside their organization also identified the country of origin. While 36 countries appear on the list, seven of the countries appeared to be the source for 75% of the intrusions. Two of the countries, USA and China, seem to be the source of over 50% of the intrusions. Difficulty tracking IP addresses and prosecution in China combined with other economic, military, and political concerns make this an unusually troubling statistic, especially when considering the potential impact of industrial espionage and state sponsored cyber warfare efforts. Organizations with higher revenue (greater than $5 million) were more than twice as likely to identify China as the source of the intrusion attempt. The number of positive responses to this question (176) is low enough that it is difficult to identify statistically significant trends with a high degree of probability.

Evidence of an intrusion that indicates a particular country may not be conclusive since computer hackers often use proxies and Trojanized computers in other countries to mask their identity and make detection difficult. An example of this type of stepping-stone attack would be a Romanian hacker that uses a proxy computer in China to access a compromised computer in the United States. This U.S. based computer would then be used to perform the computer intrusion. Those investigating the incident may falsely conclude that the source was within the United States.

Question 13: What approximate dollar cost would you assign to the following types of incidents within the last 12 months? (business lost, consultant time, employee hours spent, ...).

While the vast majority of respondents were on the low end of each of the eleven categories as far as dollar loss, the financial impact is still very significant. The virus, worm, and Trojan category was over three times larger than any other category with almost $12,000,000 in losses. Simple laptop/PDA theft was the second highest category of financial loss with over $3,000,000.

In this question we can see that:

- 1324 (75.1%) of the 1762 organizations incurred a financial loss because of computer security incidents.

- This would indicate that 64.1% of the 2066 survey respondents incurred a financial loss.

- The average cost was over $24,000 each for the 1324 companies that indicated they did have a computer security incident.

Let’s take a look at what the impact of computer intrusions might be in the entire U.S. as opposed to this sample of 2066 respondents. Conservative figures are intentionally used in the following extrapolation. While losses of approximately $32,000,000 are documented through this survey, the sample size is only one organization out of every 6292 across the U.S. (given an estimated 13,000,000 organizations). It is debatable whether 64.1% of the non-surveyed organizations would have experienced a financial loss from a computer security incident as is the case with those that responded. Some would argue that many of the organizations that responded did so because they had experienced a loss and were sensitized to the issue of computer security. Others might argue 64.1% is too low because as companies have been shown to be hesitant to report their crime, the same organizations would be hesitant to complete a computer crime survey in which they are asked about facts surrounding the intrusion.

That being said, in an effort to be conservative, if the percentage of victims were 20% instead of 64.1% among those that did not receive a survey, this would be 2.8 million U.S. organizations experiencing at least one computer security incident with each of these 2.8 million organizations incurring a $24,000 average loss. This would total $67.2 billion per year or $7.6 million per hour. This figure is more than 1/2% of the entire U.S. Gross Domestic Product. While the loss figures are rough approximations, they are very conservative, assuming that non-survey respondents were only one third as likely to have experienced a financial loss. This clearly brings to light the high cost of computer crime to individual organizations and the economy as a whole. These figures did not include much of the staff, technology, time, and software employed to prevent such incidents. These figures also do not begin to address the losses of individuals who are victims of computer crime (intrusions, identity theft, etc.) or computer crime victims in other countries.

Thursday 23 February 2006

Spam is not merely annoying: it is also a serious drain on the resources of ISPs, other organizations, and Internet users. Sending Spam mail may seem like a cheap and convenient way to amplify marketing efforts, yet honest businesses rarely employ this questionable marketing tool. Firstly, nobody wishes to receive unsolicited junk mail. Secondly, it is considered both an annoyance and an intrusion of privacy. Thirdly, each sent e-mail message contributes to Internet traffic and uses up bandwidth. An e-mail message does not reach its recipient instantaneously; instead, it is relayed by any number of systems en route until it reaches its final destination. Spam mail is often sent out in thousands or hundreds of thousands of copies, to huge numbers of unwitting recipients. This large load of messages often causes network problems and congestion, meaning that third parties as well as message recipients are suffering because some inconsiderate person or company has pumped half a million copies of a message through the Internet. Unfortunately, there are many such worthless members of society.

 

For more information on Spam, refer to the links at the end of this document for some excellent reviews of the problem.

This is a difficult issue. Spammers rarely use their regular e-mail addresses for the following reasons, among others:

 

  1. Their Internet Service Providers will realize they are Spamming, and will take steps to prevent future Spam (for example, by deleting the Spammers' e-mail accounts).

     

  2. Spammers could become the victims of mail-bombing, as thousands of irate Spam recipients strike back with messages of their own

     

Spammers therefore rely on anonymous e-mail addresses such as those available from free e-mail providers. Sometimes the addresses you see on Spam messages are invalid (faked). It is important to realize where the responsibility for Spam lies. Make no mistake: Spammers are often reasonably skilled frauds and thieves as well as highly annoying. Many Spammers have developed specific strategies of Spamming in order to avoid responsibility for their actions, or to avoid mail blocking and filtering:

 

  1. They relay Spam messages off the mail server of an innocent third party, in which case even more damage is incurred by the on-line population in general. This technique requires an "open relay". It is Outblaze policy to avoid open relays entirely.

     

  2. They use the "drop box" strategy. This consists of sending mail out from an account that allows Spam, but putting another address in the "Reply-To:" message header, so that anyone replying to the message is actually sending mail to an account that did not originate the Spam. Many Spammers want to send out ads or sales info and do not expect a reply. By drop boxing they are forging their e-mail addresses and relieving themselves of accountability. Recipients of Spam should always check the full message headers to determine the origin of the Spam.

     

  3. Spoofing. This fairly complex technique makes a message appear as if it is coming from an address that did not originate the message.

     

  4. Including a paragraph claiming that the law sanctions Spam as long as there is a "remove from list" address in the Spam message, or similar variations of this obtuse argument. Do not fall for this trick, as the "remove from list" address is almost always a sham. Not only do you generate useless traffic if you try to remove yourself from a large number of "lists", but in some cases Spammers will be delighted to put an "active" mark next to your name on their address databases upon receipt of your complaint. Spammers are dishonest people employing dishonest tactics. Don't trust them, report them.

Outblaze powers a large number of free e-mail Web sites, which unfortunately are the first place that Spammers choose to set up their Spam accounts. Outblaze technology prohibits users from sending mass mail; however, Outblaze can do little about the drop box approach. Nor can Outblaze accept responsibility for spoofing, or for Spammers who define a fake series of message headers to create the illusion that a message is coming from a particular site innocent of Spamming.

 

For example, user annoyingperson@unitedspam.com is sending out half a million messages a day in order to advertise his miserable pyramid scheme. His Spam messages, however, look as if they are coming from innocentfellow@outblaze-site.com, because the message headers have been falsified or the message has been spoofed.

The most important thing is to examine your full message headers to determine where the message really came from. The "From:" header that is commonly shown in basic message header displays can be easily faked! It is harder to fake the complete message header, which can provide useful information about the message. Outblaze technology allows users to see the full message headers of all e-mail messages.

 

Any users that are suspected of Spamming from an Outblaze site, or of using an Outblaze site for drop boxing or spoofing, should be reported immediately. We will investigate the user and take action if we determine that he/she is guilty.

 

You may contact abuse@outblaze.com, or the specific Powered by Outblaze Web site from which you received the junk mail.

 

Spoofing and drop boxing are usually beyond the absolute control and responsibility of Outblaze. Outblaze will do the utmost to prevent Spam, but we ask the recipients of junk mail to understand that very often Outblaze is not the originator of such messages, but one of the victims! The solutions to spoofing and drop boxing are complex and involve co-operation between a number of Web sites and ISPs. Refer to the links below for more information.

http://www.cauce.org -- the Coalition Against Unsolicited Commercial Email (CAUCE), one of the valiant organizations dedicated to fighting Spam. Includes information on Spam and how to prevent it. Lend your support to this worthy cause or one like it!

 

http://www.mail-abuse.org -- Mail Abuse Prevention System, a non-profit organization whose mission is to defend the Internet against Spammers. Take a look at their Realtime Blackhole List (RBL) information.

 

http://www.efuse.com/Grow/postage_due.html -- Spam and the damage it causes

 

http://www.tincher.to/antispam.htm -- Comprehensive links and information on Spam

 

http://www.efuse.com/Grow/direct_email_marketing_.html -- Direct e-mail marketing tips

 

http://www.mail-abuse.org/rbl/manage.html -- Ethical management of mailing lists

 

http://www.cauce.org/about/resources.shtml -- Various resources on the Internet to help in the fight against Spam

 

Determining the origin of Spam

It is extremely important to identify the origin of a message. A useful technique in doing this is the correct analysis of the message headers contained in every e-mail message, which provide useful information on the message's origin and path. A little training is required to read message headers, but the links below should furnish the necessary information in a matter of minutes:

 

http://combat.uxn.com/tracing.html -- Tracing Spam and reading message headers -- Who do I complain to?

 

http://www.pop-cram-spam.net/SMTP.htm -- reading message headers

 

http://netdemon.net/tutorials/whois.txt -- WHOIS, one of the most useful tools for tracking down a Spammer's location

 

http://samspade.org/ -- several useful tools available here

 

http://chickenboner.com/antispam/ -- how to analyse a spam message, what to do about it, and several useful links

 

http://www.spamfree.org/resources/header_reading.html -- Free resources from the Forum for Responsible and Ethical Email

 

http://home.att.net/~marjie1/ -- Dedicated to those with little or no experience in fighting against Internet Abuse
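
The header check described above, both for drop boxing and for a forged "From:", can be sketched as follows. This is an added example, not Outblaze code: the two mailbox addresses come from the scenario on this page, while every host name, IP address, and the `TRUSTED_HOSTS` set (the recipient's own mail servers) are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from ipaddress import ip_address

# Constructed sample message. Only the two mailbox addresses come from the
# page; host names and IPs are made up (reserved documentation ranges).
SAMPLE = """\
Return-Path: <annoyingperson@unitedspam.com>
Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])
    by mailstore.recipient.example with ESMTP id A1; Thu, 23 Feb 2006 10:00:05 +0000
Received: from outblaze-site.com (unknown [203.0.113.77])
    by mx.recipient.example with SMTP id B2; Thu, 23 Feb 2006 10:00:03 +0000
Received: from mail.outblaze-site.com ([198.51.100.5])
    by relay.outblaze-site.com with SMTP; Thu, 23 Feb 2006 09:59:00 +0000
From: "Innocent Fellow" <innocentfellow@outblaze-site.com>
Reply-To: orders@dropbox-host.example
Subject: Amazing opportunity

(body omitted)
"""

# Assumption: the mail servers the recipient operates. Only Received lines
# written by these hosts can be believed; the sender controls all the others.
TRUSTED_HOSTS = {"mx.recipient.example", "mailstore.recipient.example"}

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:[^\s\[\]]+\s+)?\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
    r"\s+by\s+(?P<by>\S+)")

def received_hops(msg):
    """Return Received hops, newest first, as dicts (None fields if unparsed)."""
    hops = []
    for raw in msg.get_all("Received", []):
        m = RECEIVED_RE.search(raw)
        hop = {"helo": None, "ip": None, "by": None}
        if m:
            try:
                ip = str(ip_address(m.group("ip")))
            except ValueError:
                ip = None
            hop = {"helo": m.group("helo"), "ip": ip, "by": m.group("by").lower()}
        hops.append(hop)
    return hops

def origin_ip(hops, trusted_hosts):
    """IP that connected to the first trusted server; deeper hops are unverified."""
    origin = None
    for hop in hops:                      # walk from the newest line downwards
        if hop["by"] not in trusted_hosts:
            break                         # below this point anything can be forged
        origin = hop["ip"]
    return origin

def domain(header_value):
    """Lower-cased domain of the address in a header, '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def sender_mismatches(msg):
    """Headers whose domain differs from From: (drop-box / spoofing hints)."""
    from_dom = domain(msg["From"])
    found = []
    for name in ("Reply-To", "Return-Path"):
        dom = domain(msg[name])
        if dom and dom != from_dom:
            found.append((name, dom))
    return found

def analyze(raw_message, trusted_hosts):
    msg = message_from_string(raw_message)
    hops = received_hops(msg)
    trusted = sum(1 for h in hops if h["by"] in trusted_hosts)
    return {"origin_ip": origin_ip(hops, trusted_hosts),
            "unverified_hops": len(hops) - trusted,
            "mismatches": sender_mismatches(msg)}

if __name__ == "__main__":
    print(analyze(SAMPLE, TRUSTED_HOSTS))
```

The address reported as `origin_ip` is the one to look up with WHOIS when deciding where to send an abuse report; the bottom Received line in the sample claims an Outblaze relay but was never recorded by a trusted server, so it carries no weight.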

 

Spam complaint boilerplates

 

http://www.chebucto.ns.ca/~af380/boilerplates.links.html -- Offers boilerplates for categories of Spam, so you don't have to write a whole new message every time you report abuse to an ISP or Web site

 

Monday 20 February 2006
