International Telecommunication Union
Financial Aspects of Network Security: Malware and Spam
ITU-T Study Group 3
Geneva, Switzerland
2 April 2008
Johannes M. Bauer*, Michel van Eeten**, Tithi Chattopadhyay*
Please send comments to: ITU-D ICT Applications and Cybersecurity Division
* Michigan State University, USA, ** Delft University of Technology, Netherlands
The views expressed in this presentation are those of the author and do not necessarily reflect the opinions of the ITU or its Membership.
Objectives of report
Malware and spam have far-reaching, direct and indirect, financial effects
• Costs for individuals, organizations, nations
• Revenues for legal but also illegal players
• Direct costs probably 0.2-0.4% of global GDP
• Including indirect effects could be as high as 0.5-1% of global GDP
Available information is incomplete and potentially biased by stakeholder interests
The report aims at documenting the state of knowledge of these financial aspects
Overview
• Malware and spam developments
• A framework for analyzing financial flows related to malware/spam
• Main empirical findings
• A preliminary welfare assessment
• Appendix: the malware/spam underground economy
Malware and spam developments
Background
• Payoffs of fraudulent and criminal activity are high and have brought organized crime to malware and spam
• Division of labor and specialization has increased sophistication and virulence of threats from fraudsters and criminals
• Security decisions of some players within the ICT value net do not fully reflect social costs and benefits and only sub-optimally mitigate external threats
Division of labor
[Figure: diagram of the division of labor among underground-economy players. Roles shown: Malware Writer, Malware Distributor, Seller, Reseller, Guarantee Service, Spammers, Botnet Owner, Identity Collector, Credit Card Abuser, eShops, Drop Site Developers, Drop Service, Drop. Relationship labels: Sells Malware, Sells Identities, Sells credit cards with identities, Uses Services, Buys Drop Site Template, Buys Goods, Ships Goods, Forward Goods.]
Source: MessageLabs, 2007
Visibility vs. malicious intent
[Figure; axis label: Time]
Source: www.govcert.nl
Malware attack trends
Overall increases
Monthly growth
• Trojans, rootkits slowing toward end of 2007
• Worms, viruses, AdWare and other accelerating
As of 3/2008 (Panda)
• 30% of computers on Internet infected
• About 50% active
Postini reports 10% of websites as infected
[Figure: bar chart by category (TrojWare, VirWare, MalWare, AdWare, RiskWare), 2006 vs. 2007; vertical axis 0 to 250,000]
Source: Kaspersky Labs, 2008
Spam trends
[Figure: bar chart of "Abusive" and "Unaltered" messages by quarter, Q3-06 to Q2-07; vertical axis 0 to 1600; data labels 1210, 1221, 1178, 1230 and 268, 267, 204, 189]
Source: MAAWG 2007
Different metrics
“Abusive” messages (MAAWG)
MessageLabs new and old spam
Symantec
Fairly consistent numbers (85-90% of total messages)
Spamhaus Project (IP addresses)
Geography of spam
[Figure: two bar charts, 2007 and 2006, showing % Internet mail and % Internet spam by region (Africa, Asia, Australia/Oceania, Europe, North America, South America)]
Source: Symantec, 2007, 2008
Financial aspects of malware and spam
Selected financial flows
[Figure: diagram of numbered financial flows among Hardware, Software; Security service providers; Fraudsters, Criminals; ISPs; Individual users; Business users; Government; Society at large. Legend: Legal, Potentially illegal.]
Direct and indirect cost
Direct cost such as
• losses from fraudulent and criminal activity
• cost of preventative measures (e.g., security software and hardware, personnel training)
• cost of infrastructure adaptation (network capacity, routers, filters, …)
Indirect cost such as
• cost of service outages
• cost of law enforcement
• opportunity cost to society (lack of trust)
Legal and illegal revenues
Legal business activities
• Security software and services
• Infrastructure equipment and bandwidth
Illegal business activities
• Writing of malicious code
• Renting of botnets
• Profits from pump and dump stock schemes
• Commission on spam-induced sales
• Money laundering (illegally acquired goods)
Main empirical findings
Cost of malware
Worldwide direct damage in 2006: $13.2 bn (Computer Economics survey of 52 IT professionals)
• Decline from $17.5 bn in 2004
• Effects of anti-malware efforts and shift from direct to indirect costs
U.S. Federal Bureau of Investigation estimated cost of computer crime to U.S. economy in 2005 at $67.2 bn
No estimates of indirect and of opportunity costs available
Direct losses to U.S. business
Surveys of Computer Security Institute (CSI) members since 1996
In 2007, 494 respondents of which 194 provided damage estimates
Leading categories:
• financial fraud
• damage by viruses, worms, spyware
• System intrusion
Incomplete picture
[Figure: chart of average cost per reporting firm (in 000 $), 1999 to 2007; vertical axis 0 to 3500]
Source: CSI, 2007
Cost of preventative measures
Percentage of IT budget spent on security (2007 CSI Report)
• 35% of respondents: <3% of IT budget
• 26% of respondents: 3-5% of IT budget
• 27% of respondents: >5% of IT budget
2006 global revenue of security providers estimated at $7.5 bn (Gartner 2007)
TU Delft/Quello Center study: 6-10% of IT budget dedicated to security
Cost of spam
Global cost of spam in 2007: $100 bn, of which US$ 35 U.S. (Ferris Research)
Cost of spam management to U.S. businesses in 2007: $71 bn (Nucleus Research)
Cost of click fraud in 2007: $1 bn (Click Forensics)
Cost to U.S. consumers in 2007: $7.1 bn (Consumer Reports)
A preliminary welfare assessment
Determining welfare effects
Complicated by the legal and illegal revenues associated with cybercrime
Costs of malware and spam
• Direct costs (damages, prevention, …)
• Indirect costs (law enforcement, trust, …)
Economic “bads” (e.g., part of security investment), not welfare-enhancing
Treatment of illegal transactions (estimated to total $105 bn)?
Scaling overall effects
Costs of malware and spam
• Most reliable information at country level; how to scale to global level
• Avoidance of double-counting
• Global direct costs probably in 0.2-0.4% range of global GDP ($66 tr)
• Direct and indirect costs could be as high as 0.5-1% of global GDP
Probably differential effects on national productivity and growth
Appendix
The malware/spam underground economy
Malware/spam
Players in the underground economy include
• Malware writers and distributors (trojans, spyware, keyloggers, adware, riskware, …)
• Spammers, botnet owners, drops
• Various middlemen
Emergence of institutional arrangements to enhance “trust” (e.g., SLAs, warranties)
Steady stream of new attacks (e.g., drive-by pharming, targeted spam, MP3 spam, …)
Interdependent value net
[Figure: diagram of the interdependent value net. Nodes: ISPi, ISPj, ISPk; Usersi, Usersj, Usersk; App/Si, App/Sj, App/Sk; Hardware vendors; Software vendors; Security providers; Governance. Labelled "Fraudulent and criminal activity".]
Efficient & inefficient decisions
Instances where incentives of players are well aligned to optimize costs to society
• ISPs correct security problems caused by end users as well as some generated by other ISPs
• Financial service providers correct security problems of end users and software vendors
• Negative reputation effects of poor security disciplines software vendors, ISPs, and other stakeholders
Instances where incentives are poorly aligned
• Individual users (lack of information, skills, …)
• Domain name governance/administration system
More Information: ITU Development Sector
ITU-D ICT Applications and Cybersecurity Division
• www.itu.int/itu-d/cyb/
ITU-D Cybersecurity Activities
• www.itu.int/itu-d/cyb/cybersecurity/
Study Group Q.22/1: Report On Best Practices For A National Approach To Cybersecurity: A Management Framework For Organizing National Cybersecurity Efforts
• www.itu.int/ITU-D/cyb/cybersecurity/docs/itu-draft-cybersecurity-framework.pdf
National Cybersecurity/CIIP Self-Assessment Toolkit
• www.itu.int/ITU-D/cyb/cybersecurity/projects/readiness.html
ITU-D Cybersecurity Work Programme to Assist Developing Countries:
• www.itu.int/ITU-D/cyb/cybersecurity/docs/itu-cybersecurity-work-programme-developing-countries.pdf
Regional Cybersecurity Forums
• www.itu.int/ITU-D/cyb/events/
Botnet Mitigation Toolkit
• http://www.itu.int/ITU-D/cyb/cybersecurity/projects/botnet.html
More Information: ITU Standardization Sector
ITU-T Study Group 17 – Lead Study Group on Telecommunication Security
www.itu.int/ITU-T/studygroups/com17/index.asp
Question 17/17 - Countering spam by technical means
www.itu.int/ITU-T/studygroups/com17/sg17-q17.html
Recommendations for approval on 18 April 2008:
• X.1231 - Technical strategies on countering spam
• X.1240 - Technologies involved in countering email spam
• X.1241 - Technical framework for countering email spam
International Telecommunication Union
Helping the World Communicate