Reviewing the FBI Computer Crime Survey 2005

20thJan. × ’06

By Kevin A. Thompson

The FBI’s Computer Crime Survey 2005 has been released. Thanks to BeSpacific for the link.

At the time of this writing the survey itself is not accessible, but the summary of the findings can be found from the above link. In relevant part, the important findings are as follows:

Frequency of attacks. Nearly nine out of 10 organizations experienced computer security incidents in a year’s time; 20% of them indicated they had experienced 20 or more attacks.
Types of attacks. Viruses (83.7%) and spyware (79.5%) headed the list. More than one in five organizations said they experienced port scans and network or data sabotage.
Financial impact. Over 64% of the respondents incurred a loss. Viruses and worms cost the most, accounting for $12 million of the $32 million in total losses.
Sources of the attacks. They came from 36 different countries. The U.S. (26.1%) and China (23.9%) were the source of over half of the intrusion attempts, though masking technologies make it difficult to get an accurate reading.
Defenses. Most said they installed new security updates and software following incidents, but advanced security techniques such as biometrics (4%) and smart cards (7%) were used infrequently. In addition, 44% reported intrusions from within their own organizations, suggesting the need for strong internal controls.
Reporting. Just 9% said they reported incidents to law enforcement, believing the infractions were not illegal or that there was little law enforcement could or would do. Of those reporting, however, 91% were satisfied with law enforcement’s response. And 81% said they’d report future incidents to the FBI or other law enforcement agencies. Many also said they were unaware of InfraGard, a joint FBI/private sector initiative that battles computer crimes and other threats through information sharing.

My take is that reporting viruses and spyware as computer crime in the same survey that covers intrusion and phishing attacks is a bit disingenuous. It artifically inflates the number of people that were the victims of computer crime, while also artificially lowering the number of people that reported it to authorities. Not everyone is going to report a simple virus caused by an uninformed user blindly opening email attachments, but more serious crime is more likely to be reported.

On the plus side, the survey points out the need to be vigilant for the beginning of intrusions like port scans, while also reminding users of the need for internal controls. Much computer crime is the result of an inside job from a former employee (or one on the way out), sometimes to hide evidence of another crime such as embezzlement or theft of trade secrets. Your security is only as good as the weakest link, make sure you look at it from the point of view of a potential intruder and see how easy access to your vital data can be obtained.