2007 E-Crime Watch Survey
• Press Release
Framingham, MA—Sept. 11, 2007—CSO Magazine today releases results of the 2007 E‐Crime Watch Survey. This year's study revealed that while security events and electronic crimes were steady against last year's findings, there are real concerns that security executives may be becoming over confident.
Conducted with the U.S. Secret Service, Carnegie Mellon University Software Engineering Institute's CERT® Program and Microsoft Corp., the fourth annual survey polled 671 security executives and law enforcement officials on a variety of security topics, including commitment to security, the source of e‐crimes, the top e‐crimes professionals are experiencing, methods of attack, security technologies being deployed to defend against attacks, and the legal steps organizations are taking after they've been attacked.
"There is little doubt that organizations have learned a tremendous amount about security in the last five years and are making serious headway in understanding and combating threat," said Bob Bragdon, publisher of CSO Magazine. "At the same time, we saw signs in this study that organizations think they have things handled, which is concerning given the recent rise in targeted, financially motivated attacks."
A key indication of the study was that while 57% of participants said they are increasingly concerned about the potential effects of e‐crime, and 49% of them reported experiencing an e‐crime in 2006 vs. 38% the prior year, other responses suggested they are not prioritizing security as much as they have in previous years. For example, 69% of respondents said they are more prepared to deal with those threats than they have been in the past, yet these same organizations said they've trimmed spending on IT security by 5% and corporate security by 15%.
"You should never let down your guard when it comes to cybersecurity," said Jeff Jones, director of Trustworthy Computing for Microsoft. "Crime is a fact of life in the digital world just as it is in the physical world; even with the best security posture, you must still steadily guard against potential threat."
The Source of Crimes: Insiders, Outsiders and the Unknown
Part of guarding against threat is understanding its source, and so the survey posed several questions to compare cybercrimes by insiders and outsiders.
When asked who caused more damage (in terms of cost or operations), results were fairly close (insiders 34%, outsiders 37%, unknown 29%). But by their actions, participants indicated they may not be giving as much attention to insider threats as would seem justified. For example, background checks dropped from use in 73% of the organizations last year to only 57% this year, account/ password management policies dropped from 91% of the organizations last year to 84% this year, employee monitoring from 59% to 42%, and employee security awareness training from 68% last year to 38% this year.
"It is important that organizations are proactive in their approach to mitigating insider threats," says Dawn Cappelli, Senior Member of the Technical Staff at CERT. "Defense-in-depth isn't just about putting adequate technology in place, it's also about paying attention to your people and implementing policies and procedures to reduce the likelihood of an insider attack. Our research has shown that those very policies and practices that respondents are cutting back on are critical in mitigating insider threats."
The potential for damage from an insider attack is clear. Three of the top four e-crimes experienced this year were widespread attacks not targeted at an individual organization; insider attacks, on the other hand, were targeted at their organization. Survey results show that most insiders targeted proprietary information, including intellectual property, customer and financial information. Indeed, unauthorized access to/use of corporate information, systems or networks was the most common insider e-crime (experienced by 27% of respondents who experienced e-crime). Theft of intellectual property was the second most common e-crime (24%), theft of other information (including financial and customer records) was #3 (23%) and fraud (credit card, etc.) was #4 (19%).
Also of note was a shift in the methods being used by insiders to commit e-crimes. The use of social engineering techniques (gaining access through manipulation of a person or persons who can permit or facilitate access to a system or data) jumped to become the #1 method (45% v. 38% last year) followed by individuals using compromised accounts (39%), copying information to mobile devices like USB drives or iPods (36%), and use of their own account (35%). The use of sophisticated technologies like password crackers or sniffers jumped from being used by insiders in 17% of the organizations last year to 31% this year.
The survey found no major changes in e-crimes being perpetrated by outsiders, although there were marked jumps in the illegal generation of SPAM email (53% vs. 40% last year) and phishing attacks (46% vs. 31% last year). The top five e-crimes perpetrated by outsiders were: virus, worms or other malicious code (experienced by 74% of respondents), unauthorized access to/ use of information, systems or networks (experienced by 55%), illegal generation of SPAM email (experienced by 53%), spyware (not including adware - experienced by 52%), denial of service attacks (experienced by 49%), and phishing (experienced by 46%).
Electronic Crime Trends:
Of some concern is that most e-crimes, whether perpetrated by an insider or an outsider, are handled internally without involving legal action or law enforcement (67% for insiders, 66% for outsiders.) Given the growth in the number of crimes involving the theft of personally identifiable information, and the breach notification laws that have been passed, it is concerning to see that organizations continue to handle so many cases within their own walls. When asked why they had not referred these e-crimes for legal action, respondents echoed last year’s findings that either the damage level was insufficient to warrant prosecution (40%), there was a lack of evidence (34%), or that they could not identify the individuals responsible (28%).
Best Practices in Preventing Electronic Crimes:
The survey found that the most effective technologies were: Statefull firewalls (maintaining its position as #1 at 82%), access controls (new to this year’s survey at 79%), electronic access controls (78%), application layer firewalls (72%), and host-based anti-virus (70%). The least effective technologies were: manual patch management, surveillance, password complexity, badging, and RBL-based SPAM filtering.
These results show high levels of confidence in traditional perimeter technologies. But these all have limited effectiveness - enterprise perimeters are no longer clearly defined and the respondents' reliance upon traditional perimeter technologies may leave them exposed to attacks that bypass the perimeter.
On the other hand, the survey found that organizations are relying upon processes and policies to secure against insider threats. Inappropriate use policies and segregation of duties, tools that have always been available to management, are finding increased acceptance as effective means to ensure compliance and supplement technological means of securing information assets.
About the 2007 E-Crime Watch Survey
The 2007 e-Crime Watch survey was conducted by CSO magazine in cooperation with the U.S. Secret Service, Carnegie Mellon University Software Engineering Institute’s CERT® Program and Microsoft Corp. The survey was deployed July 26, 2007, through August 13, 2007. An email invitation containing a link to the survey was sent to 15,000 CSO magazine readers and members of the US Secret Service's Electronic Crime Task Forces, yielding 671 respondents. Margin of error is +/- 3.79 percent. Respondent answers cover the period between July 2006 and June 2007.
NOTE TO EDITORS: Complete results are available here. Any references to the data from the 2007 E-Crime Watch survey must be sourced as originating from the following: CSO magazine, U.S. Secret Service, CERT® Program, Microsoft Corp.
1. Security Event: An adverse event that threatens some aspect of computer security. Note: For the purposes of this survey, Security Events do NOT include: receipt of spam; phishing emails sent to employees; virus-carrying emails or routine network and port scanning activity that are blocked by standard perimeter defenses; discovery of vulnerabilities in packaged software.
Events DO include (but are not limited to):
- Actual virus infections (a single outbreak affecting multiple machines is one “Event”) or worms or denial-of-service attacks that affect system performance/availability.
- Anomalous Internet/network activity that appears targeted specifically at your organization, including successful or unsuccessful targeted hacks/exploits.
- Loss or theft of backup tapes, laptops with sensitive data, mobile devices with sensitive data or other inadvertent exposure of data.
2. Electronic Crime (eCrime): A crime (an illegal act) that is carried out using a computer or electronic media. Intrusion: An incident in which an organization’s computing systems are compromised by an unauthorized individual or individuals.
3. Insider: Current or former: employee, service provider or contractor. Outsider: Someone who has never had authorized access to an organization’s systems or networks.
About CSO Magazine
Launched in 2002, CSO magazine, its companion website (www.CSOonline.com) and the CSO Perspectives™ conference provide chief security officers (CSOs) with analysis and insight on security trends and a keen understanding of how to develop successful strategies to secure all business assets—from people to information and financial value to physical infrastructure. The magazine is read by 27,000 security leaders from the private and public sectors. The U.S. edition of the magazine and website are the recipients of 80 awards to date, including the American Society of Business Publication Editor's Magazine of the Year award as well as eleven Jesse H. Neal National Business Journalism Awards. Licensed editions of CSO magazine are published in Australia, France, Poland and Sweden. The CSO Perspectives™ conference, the first face-to-face conference designed for CSOs and featuring speakers from the national stage and the CSO community, offers educational and networking opportunities for pre-qualified corporate and government security executives. In addition, CSO magazine produces a series of one-day events on privacy and data assurance. CSO magazine, CSOonline.com and the CSO Perspectives conference are produced by International Data Group's award-winning business unit: CXO Media Inc.
The CERT® Program is located at Carnegie Mellon University’s Software Engineering Institute (SEI) in Pittsburgh, Pennsylvania, U.S.A. The SEI is a federally funded research and development center sponsored by the U.S. Department of Defense. Home to the CERT Coordination Center, CERT's primary goals are to ensure that appropriate technology and systems management practices are used to resist attacks on networked systems and to limit and ensure survivability - the continuity of critical services - in spite of successful attacks, accidents, or failures.
About the Secret Service's Electronic Crimes Task Forces (ECTF)
The USA PATRIOT ACT OF 2001 (HR 3162, 107th Congress, First Session, October 26, 2001, Public Law 107-56) mandated the United States Secret Service to develop a national network of electronic crime task forces, based on the New York Electronic Crimes Task Force model, throughout the United States for the purpose of preventing, detecting and investigating various forms of electronic crimes, including potential terrorist attacks against critical infrastructure and financial payment systems.
The ECTF mission is to establish a strategic alliance of federal, state and local law enforcement agencies, private sector technical experts, prosecutors, academic institutions and private industry in order to confront and suppress technology-based criminal activity that endangers the integrity of the nation's financial payments systems and poses threats against the nation's critical infrastructure. The ECTF model is built on trust and confidentiality without regulators or other outside influences. ECTF law enforcement members develop personal pre-incident relationships with corporate and academic ECTF members and are educated in business concepts such as risk management, return on investment and business continuity plans. As trained first responders to various forms of electronic crimes, ECTF law enforcement members approach incidents with the focus on business designs and information sharing with known corporate and academic individuals. Currently, 24 ECTFs are proving successful in Atlanta, GA; Baltimore, MD; Birmingham, AL; Boston, MA; Buffalo, NY; Charlotte, NC; Chicago, IL; Cleveland, OH; Columbia, SC; Dallas, TX; Houston, TX; Las Vegas, NV; Los Angeles, CA; Louisville, KY; Miami, FL; Minneapolis, MN; New York, NY / Newark, NJ; Oklahoma City, OK; Orlando, FL; Philadelphia, PA; Pittsburgh, PA; San Francisco, CA; Seattle, WA; and Washington, DC. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Software Engineering Institute CERT Program
U.S. Secret Service
Office of Public Affairs