Financial Aspects of Network Security: Malware and Spam

ITU-T Study Group 3
Geneva, Switzerland
2 April 2008

Johannes M. Bauer*, Michel van Eeten**, Tithi Chattopadhyay*
* Michigan State University, USA
** Delft University of Technology, Netherlands

Please send comments to: ITU-D ICT Applications and Cybersecurity Division <cybmail@itu.int>

International Telecommunication Union

The views expressed in this presentation are those of the author and do not necessarily reflect the opinions of the ITU or its Membership.

Objectives of report

- Malware and spam have far-reaching, direct and indirect, financial effects
  - Costs for individuals, organizations, nations
  - Revenues for legal but also illegal players
  - Direct costs probably 0.2-0.4% of global GDP
  - Including indirect effects could be as high as 0.5-1% of global GDP
- Available information is incomplete and potentially biased by stakeholder interests
- The report aims at documenting the state of knowledge of these financial aspects

Overview

- Malware and spam developments
- A framework for analyzing financial flows related to malware/spam
- Main empirical findings
- A preliminary welfare assessment
- Appendix: the malware/spam underground economy

Malware and spam developments

Background

- Payoffs of fraudulent and criminal activity are high and have brought organized crime to malware and spam
- Division of labor and specialization has increased sophistication and virulence of threats from fraudsters and criminals
- Security decisions of some players within the ICT value net do not fully reflect social costs and benefits and only sub-optimally mitigate external threats

Division of labor

[Figure: diagram of roles in the underground economy. Roles shown: Malware Writer, Malware Distributor, Botnet Owner, Spammers, Identity Collector, Credit Card Abuser, Drop Service, Guarantee Service, Drop Site Developers, Reseller, eShops, Drops. Relationship labels: "Sells Malware", "Sells Identities", "Sells credit cards with identities", "Uses Services", "Buys Drop Site Template", "Buys Goods", "Ships Goods", "Forward Goods".]
Source: MessageLabs, 2007

Visibility vs. malicious intent

[Figure: visibility vs. malicious intent, plotted over time.]
Source: www.govcert.nl

Malware attack trends

- Overall increases
- Monthly growth 2007
  - Trojans, rootkits slowing toward end of 2007
  - Worms, viruses, AdWare and other accelerating
- As of 3/2008 (Panda)
  - 30% of computers on Internet infected
  - About 50% active
- Postini reports 10% of websites as infected

[Figure: chart with series TrojWare, VirWare, MalWare, AdWare, RiskWare; vertical axis 0 to 250000.]
Source: Kaspersky Labs, 2008

Spam trends

- Different metrics
  - "Abusive" messages (MAAWG)
  - MessageLabs new and old spam
  - Symantec
  - Fairly consistent numbers (85-90% of total messages)
  - Spamhaus Project (IP addresses)

[Figure: chart of "Abusive" and "Unaltered" messages for Q3-06, Q4-06, Q1-07 and Q2-07; vertical axis 0 to 1600; data labels 1210, 1221, 1178, 1230 and 267, 268, 204, 189.]
Source: MAAWG 2007

Geography of spam

[Figure: two charts, 2006 and 2007, of % Internet mail and % Internet spam by region: Africa, Asia, Australia/Oceania, Europe, North America, South America.]
Source: Symantec, 2007, 2008

Financial aspects of malware and spam

Selected financial flows

[Figure: diagram of financial flows numbered 1 to 13 among: Hardware, Software; Business users; Security service providers; Individual users; ISPs; Fraudsters, Criminals; Society at large; Government. Legend: Legal, Potentially illegal.]

Direct and indirect cost

- Direct cost such as
  - losses from fraudulent and criminal activity
  - cost of preventative measures (e.g., security software and hardware, personnel training)
  - cost of infrastructure adaptation (network capacity, routers, filters, …)
- Indirect cost such as
  - cost of service outages
  - cost of law enforcement
  - opportunity cost to society (lack of trust)

Legal and illegal revenues

- Legal business activities
  - Security software and services
  - Infrastructure equipment and bandwidth
- Illegal business activities
  - Writing of malicious code
  - Renting of botnets
  - Profits from pump and dump stock schemes
  - Commission on spam-induced sales
  - Money laundering (illegally acquired goods)

Main empirical findings

Cost of malware

- Worldwide direct damage in 2006: $13.2 bn (Computer Economics survey of 52 IT professionals)
  - Decline from $17.5 bn in 2004
  - Effects of anti-malware efforts and shift from direct to indirect costs
- U.S. Federal Bureau of Investigation estimated cost of computer crime to U.S. economy in 2005 at $67.2 bn
- No estimates of indirect and of opportunity costs available

Direct losses to U.S. business

- Surveys of Computer Security Institute (CSI) members since 1996
- In 2007, 494 respondents, of which 194 provided damage estimates
- Leading categories:
  - financial fraud
  - damage by viruses, worms, spyware
  - system intrusion
- Incomplete picture

[Figure: average cost per reporting firm (in 000 $), 1999 to 2007; vertical axis 0 to 3500.]
Source: CSI, 2007

Cost of preventative measures

- Percentage of IT budget spent on security (2007 CSI Report)
  - 35% of respondents: <3% of IT budget
  - 26% of respondents: 3-5% of IT budget
  - 27% of respondents: >5% of IT budget
- 2006 global revenue of security providers estimated at $7.5 bn (Gartner 2007)
- TU Delft/Quello Center study: 6-10% of IT budget dedicated to security

Cost of spam

- Global cost of spam in 2007: $100 bn, of which US$ 35 U.S. (Ferris Research)
- Cost of spam management to U.S. businesses in 2007: $71 bn (Nucleus Research)
- Cost of click fraud in 2007: $1 bn (Click Forensics)
- Cost to U.S. consumers in 2007: $7.1 bn (Consumer Reports)

A preliminary welfare assessment

Determining welfare effects

- Complicated by the legal and illegal revenues associated with cybercrime
- Costs of malware and spam
  - Direct costs (damages, prevention, …)
  - Indirect costs (law enforcement, trust, …)
- Economic "bads" (e.g., part of security investment), not welfare-enhancing
- Treatment of illegal transactions (estimated to total $105 bn)?

Scaling overall effects

- Costs of malware and spam
  - Most reliable information at country level; how to scale to global level?
  - Avoidance of double-counting
  - Global direct costs probably in 0.2-0.4% range of global GDP ($66 tr)
  - Direct and indirect costs could be as high as 0.5-1% of global GDP
- Probably differential effects on national productivity and growth

Appendix: The malware/spam underground economy

Malware/spam

- Players in the underground economy include
  - Malware writers and distributors (trojans, spyware, keyloggers, adware, riskware, …)
  - Spammers, botnet owners, drops
  - Various middlemen
- Emergence of institutional arrangements to enhance "trust" (e.g., SLAs, warranties)
- Steady stream of new attacks (e.g., drive-by pharming, targeted spam, MP3 spam, …)

Interdependent value net

[Figure: diagram of the interdependent value net. Elements shown: Software vendors, Hardware vendors, Security providers, App/S i, App/S j, App/S k, ISP i, ISP j, ISP k, Users i, Users j, Users k, Governance, Fraudulent and criminal activity.]

Efficient & inefficient decisions

- Instances where incentives of players are well aligned to optimize costs to society
  - ISPs correct security problems caused by end users as well as some generated by other ISPs
  - Financial service providers correct security problems of end users and software vendors
  - Negative reputation effects of poor security disciplines software vendors, ISPs, and other stakeholders
- Instances where incentives are poorly aligned
  - Individual users (lack of information, skills, …)
  - Domain name governance/administration system

More Information: ITU Development Sector

- ITU-D ICT Applications and Cybersecurity Division
  - www.itu.int/itu-d/cyb/
- ITU-D Cybersecurity Activities
  - www.itu.int/itu-d/cyb/cybersecurity/
- Study Group Q.22/1: Report On Best Practices For A National Approach To Cybersecurity: A Management Framework For Organizing National Cybersecurity Efforts
  - www.itu.int/ITU-D/cyb/cybersecurity/docs/itu-draft-cybersecurityframework.pdf
- National Cybersecurity/CIIP Self-Assessment Toolkit
  - www.itu.int/ITU-D/cyb/cybersecurity/projects/readiness.html
- ITU-D Cybersecurity Work Programme to Assist Developing Countries
  - www.itu.int/ITU-D/cyb/cybersecurity/docs/itu-cybersecurity-workprogramme-developing-countries.pdf
- Regional Cybersecurity Forums
  - www.itu.int/ITU-D/cyb/events/
- Botnet Mitigation Toolkit
  - http://www.itu.int/ITU-D/cyb/cybersecurity/projects/botnet.html

More Information: ITU Standardization Sector

- ITU-T Study Group 17 – Lead Study Group on Telecommunication Security
  - www.itu.int/ITU-T/studygroups/com17/index.asp
- Question 17/17 - Countering spam by technical means
  - www.itu.int/ITU-T/studygroups/com17/sg17-q17.html
- Recommendations for approval on 18 April 2008:
  - X.1231 - Technical strategies on countering spam
  - X.1240 - Technologies involved in countering email spam
  - X.1241 - Technical framework for countering email spam