2003 CSI/FBI cybercrime survey
The eighth edition of the longest-running annual survey of computer crime and losses has recently been published by the Computer Security Institute. The study, which is conducted in cooperation with the San Francisco FBI office, is based on the results reported by 530 security specialists working in U.S. corporations and government agencies.

The number of incidents remained about the same as in the 2002 survey, but overall economic loss was down significantly; losses due to financial fraud in particular were down by 90 percent.

Theft of proprietary information was reported as being responsible for the most financial loss, with the average reported loss pegged at about $2.7 million per incident.

Denial of service attacks were responsible for more than $65 million in total losses among those surveyed, making it second only to theft of proprietary data in total cost.

Insider attacks and system abuse followed virus infections as the top category of adverse events based on the number of incidents.

In a blow to crackers who think they can move into the mainstream, 68 percent of the respondents were strongly opposed to hiring reformed hackers.

The high incidence of virus attacks reported is also a bit surprising, since 99 percent of the companies surveyed reported using antivirus software. A full 98 percent also report using firewalls.

Back when the survey began, fewer than one in five serious attacks were reported to authorities, but that percentage has doubled in recent years to around 30 percent. Of those who gave a reason for failing to report incidents, more than half said they didn’t know they could report incidents. But nearly three-quarters say that they don’t report incidents because they fear negative publicity.

The report speculates that so many companies said they didn’t know they could report incidents because they simply weren't sure which agency would have jurisdiction. This certainly remains a serious problem, with few local authorities being willing or able to pursue cybercrimes. In some cases, the Secret Service might be involved, but the FBI is often the only agency that would have both the capability to deal with this sort of crime and the jurisdiction. However, the FBI has been swamped with new antiterrorism duties since 9/11, and when it wants to pursue a nonviolent cybercrime, it often doesn't have the resources available.

When asked for his interpretation of the survey results, Special Agent Tom Grasso of the Pittsburgh FBI office pointed out that there was an “even split between unauthorized use by insiders and outsiders” and noted that a big percentage of respondents blamed disgruntled employees for the attack. He also reminded security specialists to consider past survey data when analyzing this year's results. "The authors of the study commented that this [year’s numbers] are in line with pre-2001 data, which could mean that 2001 and 2002 were just unusually high.”

Grasso is the FBI liaison with CERT and is the driving force behind the National Cyber-Forensics and Training Alliance (NCFTA), a partnership among law enforcement, academia, and industry that is working to improve cyberforensic skills.

Free PDF copies of the full report are available.
To obtain your free copy, fill out the form on this page.
Bound and printed versions are also available through
Kinko's DocStore service; a small fee is charged to cover
printing and shipping costs.

Companies can take one commonsense step to help prevent attacks: They can patch their systems. According to the CSI/FBI report, almost unbelievably, even companies that experienced serious computer system intrusions failed in nearly 10 percent of cases to patch the vulnerable systems. In the 2002 report, only 77 percent reported patching known holes that had been exploited. It might be interesting to ask some of them just what economic or other considerations kept them from patching a hole when they knew an exploit existed and had been used to successfully attack them at least once.

http://www.ncfta.net/

http://gocsi.com/forms/fbi/pdf.jhtml?_requestid=990693