I. A serious issue
Every new technology is put to use for age-old dishonest money-making schemes. The National Consumers League Internet Fraud Watch estimated the cost of Internet fraud in the US in 2001 at 4.4 M$, up from 3.4 M$ in 2000. Here is how they broke it down:
| Category                   | Share | Trend |
| General merchandise sales  | 11%   | -     |
| Nigerian money offers      | 9%    | +     |
| Internet access services   | 3%    | =     |
| Information adult services | 3%    | +     |
Intellectual property theft
Information is a good that is difficult to protect and to sell at the same time. This leads to a new kind of issue related to intellectual
The value of pirated software has been estimated at between 3 bn $ (US, 2001, BSA) and 11 bn $ (worldwide, 1997 IPRC study). This does not account for multimedia (music and movie) piracy, clothes and other
There are big differences between countries. For example, it is estimated that only 25% of the software in the USA is illegally acquired, versus 95% in China.
Code Red
This famous worm exploits a buffer overflow in MS IIS. It was released on June 18th, 2001.
The worm attacked various websites on July 12th and displayed the "Hacked by Chinese" message. The attack on whitehouse.gov was dodged by changing the IP address of that website.
A version 2 appeared on July 19th. It was still memory-only but had an improved random infection list, leading to the infection of 359 000 machines in 14 hours.
- CodeRedII, August 4th: installs a backdoor on disk
- No direct damage
- Limited collateral network disruption (CodeRedII reboots)
- About 1 000 000 infections
If it takes 1000 dollars to fix one Code Red infected machine, then this incident is in the billion-dollar impact category. What do you
More on the Code Red analysis can be found at CAIDA, including an animation showing its propagation speed.
Nimda has been called a blended threat because it blends several propagation modes:
- MIME exploit by email (on opening or previewing)
- Embeds itself in HTML pages, combined with the MIME exploit
- Exploits the MS IIS "Unicode Web Traversal" bug
- Uses the CodeRedII backdoor
- Uses network shares
However, Nimda's real-world impact has been limited:
- Network shares opened to guest with Administrator rights
- Collateral: localized bandwidth DoS
- No net-wide effect visible on September 18th
- Two days after the start: +2% unavailability (content errors in web pages), -20% web speed
Critical infrastructure attacks: over-hyped
Industrial supply chains, power, telcos, ATC... are vulnerable, BUT:
- Hackers have not shown the intent
- Terrorists lack the capability
US Computer Network Defense (non-DOD)
NIPC - National Infrastructure Protection Center
ISAC - Information Sharing and Analysis Center: private, by economic sector
Update (3/3/03): Now everything is under the umbrella of the Department of Homeland Security's Information Analysis and Infrastructure Protection (IAIP) Directorate.
Much remains to be done at the international level.
II. Managing the risk within the institution
Evaluating the cost of an incident
- Lost business due to resource unavailability
- Productivity loss for all staff while systems degraded
- IT staff labor and material to plug the leak
- IT & legal staff : forensic analysis & prosecution
- Public relations consulting and answering consumers
- Increases in insurance premium
- Liability suits
- Customers’ loss of trust in the organization
- Failure to win new accounts due to bad press
- Competitors' access to confidential or proprietary information
What is the order of magnitude of the cost of an incident?
In a 1998 incident, the shutdown of the main data center for a day at a PC wholesaler (Ingram Micro) resulted in lost sales and repairs estimated at $3.2 million.
Here is another scenario, involving Code Red on 50 servers of a mobile phone corporation with 16,000 people and 500 Internet-facing devices:
- 120 hours of sysadmin time = $4,179
- 2 weeks of marketing and communication, business development, customer service = $8,000
- Travel expenses = $20,000
- 40 annual subscribers lost = $24,000
- External security audit with penetration testing = $50,000
- 5% business loss for two weeks = $200,000
Information security from a business perspective
Expected risk = probability x cost of incident
No budget can remove all risk.
Security measures cost money. Incidents cost money.
Balanced choices require knowledge. Visit the SANS Institute information security reading room (http://rr.sans.org/index.php) for more.
- Risk too high and no good countermeasures -> eliminate the asset
- If possible, mitigate the risk
- Accept the risk as a normal business cost
- Transfer the risk by insuring the asset
New industry: Lloyd's started in 2000
Partnership between insurance and security companies
Pricing: a corporation with revenue < 1 G$ can expect to pay a 25-125 K$ premium for 25 M$ coverage.
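As an added example (not code from the original lecture notes), here is the expected-risk formula and the accept/mitigate/transfer choices above applied to the Code Red scenario's cost lines; the yearly incident probability, the mitigation cost with its residual probability, and the chosen premium are assumptions.

```python
# Added example (not from the lecture): pricing the page's risk treatments
# for the Code Red scenario. Probability, mitigation and insurance figures
# below are assumptions; the cost lines are the page's own.

# Cost lines quoted on the page (USD) for Code Red on 50 servers.
CODE_RED_SCENARIO = {
    "sysadmin labour, 120 hours": 4_179,
    "marketing, business development, customer service, 2 weeks": 8_000,
    "travel expenses": 20_000,
    "40 annual subscribers lost": 24_000,
    "external security audit with penetration testing": 50_000,
    "5% business loss for two weeks": 200_000,
}

def incident_cost(lines):
    """Total cost of one incident: the sum of its cost lines."""
    return sum(lines.values())

def expected_loss(probability, cost):
    """Expected risk = probability x cost of incident (per year when the
    probability is the chance of such an incident within a year)."""
    return probability * cost

def treatment_costs(probability, cost, mitigation_cost, residual_probability,
                    premium, coverage):
    """Expected annual cost of three of the page's four risk treatments:
    accept (carry the full expected loss), mitigate (pay for a countermeasure,
    carry the residual loss), transfer (pay the premium, carry only the loss
    above the coverage). Eliminating the asset needs the asset's own value,
    which the page does not give, so it is not priced here."""
    uncovered = max(0.0, cost - coverage)
    return {
        "accept": expected_loss(probability, cost),
        "mitigate": mitigation_cost + expected_loss(residual_probability, cost),
        "transfer": premium + expected_loss(probability, uncovered),
    }

def cheapest_treatment(costs):
    """Name of the treatment with the lowest expected annual cost."""
    return min(costs, key=costs.get)

if __name__ == "__main__":
    cost = incident_cost(CODE_RED_SCENARIO)  # 306,179 from the page's lines
    # Assumed: 20% yearly chance of such an incident, a $20k/year patching
    # programme cutting it to 2%, and the low end of the page's insurance
    # pricing (25 K$ premium for 25 M$ coverage).
    costs = treatment_costs(0.20, cost, 20_000, 0.02, 25_000, 25_000_000)
    for name, value in costs.items():
        print(f"{name:9s} ${value:>12,.2f}")
    print("cheapest:", cheapest_treatment(costs))
```

Changing the assumed probability or premium moves the cheapest choice between the three treatments, which is the whole point of the "expected risk" arithmetic: the numbers, not the slogan, decide.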
III. Surveys on national cyber security
Security is a public good
There is a motive for public intervention in providing security because:
- Everybody benefits uniformly from threat reduction
- Ex-post public prosecution is the ultimate security barrier
But many problems remain: it is an international network, with fast technical change, increasing system complexity and no vendor liability.
There is media hype...
Michael Erbschloe (Computer Economics) says:
| Year | Code name   | Worldwide impact (USD) |
| 2001 | Code Red(s) | 2.62 G$                |
About these numbers, Rob Rosenberger (vMyths, http://www.vmyths.com/) says: "No one else will prostitute the dollar figures reporters and antivirus vendors so
... and there are serious security surveys
Such as:
- The Computer Security Institute, home of the CSI/FBI survey
- The UK ... and Information Industries Directorate security survey, available for downloading
Of course these exercises do acknowledge the usual sources of measurement error:
- Sampling bias: who did you ask?
- Self-selection bias: who replied?
- Cognitive bias: replies are best estimates, from memory
- Others: questionnaire language, presentation
Insecurity costs are significant and not yet measurable at the national scale, but you should be able to evaluate some tangible and intangible costs of incidents.
The take-home message, at the institutional level:
Probability x Cost of incident
See online: Ross Anderson's page is a good starting point.