Financial Aspects of Network Security: Malware and Spam ITU Regional Cybersecurity Forum
advertisement
Committed to Connecting the World Financial Aspects of Network Security: Malware and Spam ITU Regional Cybersecurity Forum for Europe and CIS Sofia, Bulgaria 7-9 October 2008 Johannes M. Bauer* Michel van Eeten**, Tithi Chattopadhyay* * Michigan State University, USA, ** Delft University of Technology, Netherlands International Telecommunication Union www.itu.int/ITU-D/cyb/cybersecurity/docs/itu-study-financial-aspects-of-malware-and-spam.pdf Committed to Connecting the World Objectives of report Malware and spam have multifaceted and farreaching, direct and indirect, financial effects ¾ ¾ ¾ ¾ Costs for individuals, organizations, nations Revenues for legal but also illegal players Direct costs could be as high as 0.2-0.4% of GDP Worst case scenario, including indirect effects, could be as high as 0.5-1% of global GDP Available information is incomplete and potentially biased by stakeholder interests The report aims at documenting the state of knowledge of these financial aspects October 2008 2 Committed to Connecting the World Overview Malware and spam developments A framework for analyzing financial flows related to malware/spam Synopsis of empirical findings A preliminary welfare assessment Appendix: the malware/spam underground economy October 2008 3 Committed to Connecting the World Malware and spam developments October 2008 4 Committed to Connecting the World Background Convergence of malware and spam Malware and spam are increasingly organized for financial gain Division of labor and specialization has increased sophistication and virulence of threats Inefficient security decisions of some players within the ICT value net (“externalities”) Many spillovers between market players, nations, and regions Æ global problem October 2008 5 Committed to Connecting the World Visibility vs. malicious intent Source: www.govcert.nl October 2008 Time 6 Committed to Connecting the World Division of labor Malware Writer Sells credit cards with identities Seller Malware Credit Card Abuser Drop Service Uses Services Buys Goods Sells Malware Malware Distributor Guarantee Service Uses Services Identity Collector Sells Identities Buys Drop Site Template eShops Sells Malware Ships Goods Drop Botnet Owner Drop Drop Uses Services Forward Goods Spammers Uses Services Reseller Drop Site Developers Source: Based on MessageLabs, 2007 October 2008 7 Committed to Connecting the World Malware attack trends websites as infected 50000 0 2006 RiskWare Postini reports 10% of 100000 AdWare ¾ 30% of computers on internet infected ¾ about 50% active 150000 MalWare As of 3/2008 (Panda) 200000 VirWare ¾ trojans, rootkits slowing toward end of 2007 ¾ worms, viruses, AdWare and other accelerating 250000 TrojWare Overall increases Monthly growth 2007 Source: Based on Kaspersky Labs, 2008 October 2008 8 Committed to Connecting the World Spam trends 1600 1400 268 267 204 189 Different metrics “Abusive” messages 1200 1000 800 600 1210 1221 1178 Q3-06 Q4-06 Q1-07 1230 400 200 0 Abusive Q2-07 Unaltered Source: MAAWG 2007 October 2008 (MAAWG) MessageLabs new and old spam Symantec Fairly consistent numbers (85-90% of total messages) Spamhaus Project (IP addresses) 9 Committed to Connecting the World Geography of spam 50 60 45 2006 50 2007 40 35 40 30 25 30 20 20 15 10 10 5 % Internet spam % Internet mail south america north america europe australia/oceania asia south america north america europe australia/oceania asia africa % Internet mail africa 0 0 % Internet spam Source: Symantec, 2007, 2008 October 2008 10 Committed to Connecting the World Financial aspects of malware and spam October 2008 11 Committed to Connecting the World Cost of spam and malware Cost of prevention & adaptation Benefits of cybercrime + + Malware economy Costs of cybercrime October 2008 - + + + - Damages, Fraud, crime Cost of law enforcement Indirect cost to society + + + Total, direct and indirect cost + 12 Committed to Connecting the World Selected financial flows Hardware, Software 4 7 8 Business users Security service providers 10 11 5 6 ISPs 9 Individual users 14 12 3 13 1 2 Legal Fraudsters, Criminals Potentially illegal Government Society at large October 2008 Society at large 13 Committed to Connecting the World Direct and indirect cost Direct cost include ¾ Cost of prevention and adaptation cost of preventative measures (e.g., security software and hardware, personnel training) cost of infrastructure adaptation (network capacity, routers, filters, …) ¾ losses from fraudulent and criminal activity Indirect cost such as ¾ cost of service outages ¾ cost of law enforcement ¾ opportunity cost to society (lack of trust) October 2008 14 Committed to Connecting the World Legal and illegal revenues Legal business activities ¾ Security software and services ¾ Infrastructure equipment and bandwidth ¾ Legal, spam-induced sales revenues Illegal business activities ¾ Writing of malicious code ¾ Renting of botnets ¾ Profits from pump and dump stock schemes ¾ Fraudulent commissions on spam-induced sales ¾ Money laundering (illegally acquired goods) October 2008 15 Committed to Connecting the World Main empirical findings October 2008 16 Committed to Connecting the World Cost of preventative measures Percentage of IT budget spent on security (2007 CSI Report) ¾ 35% of respondents: <3% of IT budget ¾ 26% or respondents: 3-5% of IT budget ¾ 27% of respondents: >5% of IT budget TU Delft/Quello Center study indicates similar orders of magnitude 2006 global revenue of security providers estimated to $7.5 bn No reliable global figures on overall IT budgets and the increase caused by malware and spam October 2008 17 Committed to Connecting the World Damages, fraud, crime (1) Worldwide direct damage due to malware in 2006: $13.2 bn (Computer Economics) ¾ Decline from $17.5 bn in 2004 ¾ Effects of anti-malware efforts and shift from direct to indirect costs U.S. Federal Bureau of Investigation estimated cost of computer crime to U.S. economy in 2005 to $67.2 bn (upper ceiling, not all malware-related) October 2008 18 Committed to Connecting the World Damages, fraud, crime (2) Global cost of spam in 2007: $100 bn, of which US$ 35 bn U.S. (Ferris Research) Cost of spam management to U.S. businesses in 2007: $71 bn (Nucleus Research) Direct costs to U.S. consumers in 2007: $7.1 bn (Consumer Reports) Range of estimates on online consumer fraud ¾ $240-340 million for U.S. ¾ £33.6 for financial fraud in UK Cost of click fraud in 2007: $1 bn Forensics) October 2008 (Click 19 Committed to Connecting the World Direct losses to business Average cost per reporting firm (in 000 $) 3500 Surveys of Computer Security Institute (CSI) members since 1996 In 2007, 494 3000 respondents of which 194 provided damage estimates 2500 2000 1500 1000 Leading categories: 500 ¾ financial fraud 0 1999 2000 2001 2002 2003 2004 2005 2006 2007 ¾ damage by viruses, worms, spyware ¾ System intrusion Source: CSI, 2007 October 2008 Incomplete picture 20 Committed to Connecting the World Law enforcement & social costs Costs of law enforcement (positive but unknown) ¾ Diffusion of costs among agencies (regulatory, civil law, criminal law) ¾ Self-regulation, co-regulation (e.g., CSIRTS) Costs to society at large (positive but unknown) Incremental costs due to cybercrime are not known October 2008 21 Committed to Connecting the World A preliminary welfare assessment October 2008 22 Committed to Connecting the World Determining welfare effects Complicated by the legal and illegal revenues associated with cybercrime Total costs due to malware and spam ¾ Direct costs (damages, prevention, …) ¾ Indirect costs (law enforcement, trust, …) Illegal underground transactions (~ $105 bn) are costs to society Parts of legal revenues are “economic bads”, no net contribution to GDP October 2008 23 Committed to Connecting the World Assessing global effects Aggregation, projection to global level ¾ Projection from country to global level? ¾ Avoidance of double-counting A preliminary global estimate ¾ Global direct costs as high as 0.2-0.4% of global GDP (in 2007 ~ $66 trillion) ¾ In worst case scenario costs could be as high as 0.5-1% of global GDP Effects on industrialized, emerging, and developing countries varies greatly October 2008 24 Committed to Connecting the World Appendix The malware/spam underground economy October 2008 25 Committed to Connecting the World Malware/spam Players in the underground economy include ¾ Malware writers and distributors (trojans, spyware, keyloggers, adware, riskware, …) ¾ Spammers, botnet owners, drops ¾ Various middlemen Emergence of institutional arrangements to enhance “trust” (e.g., SLAs, warranties) Steady stream of new attacks (e.g., drive-by pharming, targeted spam, MP3 spam, …) October 2008 26 Committed to Connecting the World Software vendors Security providers App/Si App/Sj App/Sk Usersi ISPi ISPj ISPk Governance Hardware vendors October 2008 Usersj Usersk Fraudulent and criminal activity Fraudulent and criminal activity Interdependent value net 27 Committed to Connecting the World Efficient & inefficient decisions Instances where incentives of players are well aligned to optimize costs to society ¾ ISPs correct security problems caused by end users as well as some generated by other ISPs ¾ Financial service providers correct security problems of end users and software vendors ¾ Negative reputation effects of poor security disciplines software vendors, ISPs, and other stakeholders Instances where incentives are poorly aligned ¾ Individual users (lack of information, skills, …) ¾ Domain name governance/administration system October 2008 28 Committed to Connecting the World More Information ITU-D ICT Applications and Cybersecurity Division ¾ www.itu.int/itu-d/cyb/ ITU-D Cybersecurity Activities ¾ www.itu.int/itu-d/cyb/cybersecurity/ Study Group Q.22/1: Report On Best Practices For A National Approach To Cybersecurity: A Management Framework For Organizing National Cybersecurity Efforts ¾ www.itu.int/ITU-D/cyb/cybersecurity/docs/itu-draft-cybersecurityframework.pdf ITU National Cybersecurity/CIIP Self-Assessment Tool ¾ www.itu.int/ITU-D/cyb/cybersecurity/projects/readiness.html ITU-D Cybersecurity Work Programme to Assist Developing Countries: ITU Regional Cybersecurity Forums • www.itu.int/ITU-D/cyb/cybersecurity/docs/itu-cybersecurity-workprogramme-developing-countries.pdf ¾ www.itu.int/ITU-D/cyb/events/ ITU Botnet Mitigation Toolkit ¾ www.itu.int/ITU-D/cyb/cybersecurity/projects/botnet.html October 2008 29 Committed to Connecting the World International Telecommunication Union Committed to Connecting the World October 2008 30
