International Telecommunication Union
Financial Aspects of Network Security: Malware and Spam
ITU Seminar on the Economics of Cybersecurity, Brisbane, Australia
15 July 2008
Johannes M. Bauer*, with Michel van Eeten**, Tithi Chattopadhyay*
* Michigan State University, USA, ** Delft University of Technology, Netherlands

Objectives of report
- Malware and spam have multifaceted and far-reaching, direct and indirect, financial effects
  - Costs for individuals, organizations, nations
  - Revenues for legal but also illegal players
  - Direct costs could be as high as 0.2-0.4% of GDP
  - Worst case scenario, including indirect effects, could be as high as 0.5-1% of global GDP
- Available information is incomplete and potentially biased by stakeholder interests
- The report aims at documenting the state of knowledge of these financial aspects

Overview
- Malware and spam developments
- A framework for analyzing financial flows related to malware/spam
- Synopsis of empirical findings
- A preliminary welfare assessment
- Appendix: the malware/spam underground economy

Background
- Convergence of malware and spam
- Malware and spam are increasingly organized for financial gain
- Division of labor and specialization has increased sophistication and virulence of threats
- Inefficient security decisions of some players within the ICT value net (“externalities”)
- Many spillovers between market players, nations, and regions: global problem

Division of labor
[Figure: diagram of the actors in the malware/spam economy and the transactions between them. Actors: Malware Writer, Malware Distributor, Botnet Owner, Spammers, Identity Collector, Credit Card Abuser, Reseller, eShops, Guarantee Service, Drop Site Developers, Drop Service, Drops. Labeled relationships: Sells Malware, Sells Identities, Sells credit cards with identities, Buys Drop Site Template, Buys Goods, Ships Goods, Forward Goods, Uses Services.]
Source: Based on MessageLabs, 2007

Malware attack trends
- Overall increases
- Monthly growth
  - trojans, rootkits slowing toward end of 2007
  - worms, viruses, AdWare and other accelerating
- As of 3/2008 (Panda)
  - 30% of computers on internet infected
  - about 50% active
- Postini reports 10% of websites as infected
[Figure: chart comparing 2006 and 2007 across the categories TrojWare, VirWare, MalWare, AdWare, RiskWare; vertical axis 0 to 250,000.]
Source: Based on Kaspersky Labs, 2008

Spam trends
[Figure: chart of "Abusive" and "Unaltered" messages by quarter, Q3-06 to Q2-07; vertical axis 0 to 1600. Data labels: 1210, 1221, 1178, 1230 and 268, 267, 204, 189.]
- Different metrics
- “Abusive” messages (MAAWG)
- MessageLabs new and old spam
- Symantec
- Fairly consistent numbers (85-90% of total messages)
- Spamhaus Project (IP addresses)
Source: MAAWG 2007

Geography of spam
[Figure: two charts, one for 2006 and one for 2007, comparing % Internet mail and % Internet spam by region: Africa, Asia, Australia/Oceania, Europe, North America, South America.]
Source: Symantec, 2007, 2008

Cost of spam and malware
[Figure: influence diagram with positive (+) and negative (-) links between: Benefits of cybercrime; Costs of cybercrime; Malware economy; Damages, fraud, crime; Cost of prevention & adaptation; Cost of law enforcement; Indirect cost to society; Total, direct and indirect cost.]

Selected financial flows
[Figure: diagram of numbered financial flows (up to 14) between: Hardware, Software; Security service providers; ISPs; Individual users; Business users; Fraudsters, Criminals; Government; Society at large. Legend: Legal, Potentially illegal.]

Direct and indirect cost
- Direct costs include
  - Cost of prevention and adaptation
    - cost of preventative measures (e.g., security software and hardware, personnel training)
    - cost of infrastructure adaptation (network capacity, routers, filters, …)
  - losses from fraudulent and criminal activity
- Indirect costs such as
  - cost of service outages
  - cost of law enforcement
  - opportunity cost to society (lack of trust)

Legal and illegal revenues
- Legal business activities
  - Security software and services
  - Infrastructure equipment and bandwidth
  - Legal, spam-induced sales revenues
- Illegal business activities
  - Writing of malicious code
  - Renting of botnets
  - Profits from pump and dump stock schemes
  - Fraudulent commissions on spam-induced sales
  - Money laundering (illegally acquired goods)

Cost of preventative measures
- Percentage of IT budget spent on security (2007 CSI Report)
  - 35% of respondents: <3% of IT budget
  - 26% of respondents: 3-5% of IT budget
  - 27% of respondents: >5% of IT budget
- TU Delft/Quello Center study indicates similar orders of magnitude
- 2006 global revenue of security providers estimated at $7.5 bn
- No reliable global figures on overall IT budgets and the increase caused by malware and spam

Damages, fraud, crime (1)
- Worldwide direct damage due to malware in 2006: $13.2 bn (Computer Economics)
  - Decline from $17.5 bn in 2004
  - Effects of anti-malware efforts and shift from direct to indirect costs
- U.S. Federal Bureau of Investigation estimated cost of computer crime to U.S. economy in 2005 at $67.2 bn (upper ceiling, not all malware-related)

Damages, fraud, crime (2)
- Global cost of spam in 2007: $100 bn, of which $35 bn in the U.S. (Ferris Research)
- Cost of spam management to U.S. businesses in 2007: $71 bn (Nucleus Research)
- Direct costs to U.S. consumers in 2007: $7.1 bn (Consumer Reports)
- Range of estimates on online consumer fraud
  - $240-340 million for U.S.
  - £33.6 for financial fraud in UK
- Cost of click fraud in 2007: $1 bn (Click Forensics)

Direct losses to business
- Surveys of Computer Security Institute (CSI) members since 1996
- In 2007, 494 respondents of which 194 provided damage estimates
- Leading categories:
  - financial fraud
  - damage by viruses, worms, spyware
  - system intrusion
- Incomplete picture
[Figure: average cost per reporting firm (in 000 $), 1999 to 2007; vertical axis 0 to 3500.]
Source: CSI, 2007

Law enforcement & social costs
- Costs of law enforcement (positive but unknown)
  - Diffusion of costs among agencies (regulatory, civil law, criminal law)
  - Self-regulation, co-regulation (e.g., CSIRTs)
- Costs to society at large (positive but unknown)
  - Incremental costs due to cybercrime are not known

Determining welfare effects
- Complicated by the legal and illegal revenues associated with cybercrime
- Total costs due to malware and spam
  - Direct costs (damages, prevention, …)
  - Indirect costs (law enforcement, trust, …)
- Illegal underground transactions (~ $105 bn) are costs to society
- Parts of legal revenues are “economic bads”, no net contribution to GDP

Assessing global effects
- Aggregation, projection to global level
  - Projection from country to global level?
  - Avoidance of double-counting
- A preliminary global estimate
  - Global direct costs as high as 0.2-0.4% of global GDP (in 2007 ~ $66 trillion)
  - In worst case scenario costs could be as high as 0.5-1% of global GDP
- Effects on industrialized, emerging, and developing countries vary greatly

Malware/spam
- Players in the underground economy include
  - Malware writers and distributors (trojans, spyware, keyloggers, adware, riskware, …)
  - Spammers, botnet owners, drops
  - Various middlemen
- Emergence of institutional arrangements to enhance “trust” (e.g., SLAs, warranties)
- Steady stream of new attacks (e.g., drive-by pharming, targeted spam, MP3 spam, …)

Interdependent value net
[Figure: diagram of the interdependent value net. Nodes: ISP i, ISP j, ISP k; Users i, Users j, Users k; App/S i, App/S j, App/S k; Hardware vendors; Software vendors; Security providers; Governance. The net is bordered on two sides by "Fraudulent and criminal activity".]

Efficient & inefficient decisions
- Instances where incentives of players are well aligned to optimize costs to society
  - ISPs correct security problems caused by end users as well as some generated by other ISPs
  - Financial service providers correct security problems of end users and software vendors
  - Negative reputation effects of poor security disciplines software vendors, ISPs, and other stakeholders
- Instances where incentives are poorly aligned
  - Individual users (lack of information, skills, …)
  - Domain name governance/administration system

More Information
- ITU-D ICT Applications and Cybersecurity Division
  www.itu.int/itu-d/cyb/
- ITU-D Cybersecurity Activities
  www.itu.int/itu-d/cyb/cybersecurity/
- Study Group Q.22/1: Report On Best Practices For A National Approach To Cybersecurity: A Management Framework For Organizing National Cybersecurity Efforts
  www.itu.int/ITU-D/cyb/cybersecurity/docs/itu-draft-cybersecurity-framework.pdf
- National Cybersecurity/CIIP Self-Assessment Toolkit
  www.itu.int/ITU-D/cyb/cybersecurity/projects/readiness.html
- ITU-D Cybersecurity Work Programme to Assist Developing Countries:
  www.itu.int/ITU-D/cyb/cybersecurity/docs/itu-cybersecurity-work-programme-developing-countries.pdf
- Regional Cybersecurity Forums
  www.itu.int/ITU-D/cyb/events/
- Botnet Mitigation Toolkit
  http://www.itu.int/ITU-D/cyb/cybersecurity/projects/botnet.html