Computer Crime & Security Survey

Transcription

1 4 th Japan & US Computer Crime & Security Survey Katsuya Uchida Professor, Ph. D. Institute of Information Security Graduate School of Information Security 1

2 Respondents by Number of Employees 5 45% 4 43% 2007(4 th ) 783 (3 rd ) 1, % 3 26% 27% 26% 23% 25% 27% 25% 22% % 14% 14% 12% 17% 5% 2% 2% 1 ~ ~ ~ ,500 ~ 9,999 10,000 or more 2

3 Respondents by Industry Sector C S I JAPAN Industry Sector 2005 Industry Sector Financial 17% 17% Manufacturing HighTech/Info. Tech 11% Retail Manufacturing 9% 9% Educational Federal Government 8% 9% Government Medical 7% 7% Construction Educational 8% 6% Telecommunication State Government 3% 5% Complex retail Telecommunication 4% 4% Transportation Utilities 3% 4% Financial Local Government 3% 2% Real estate Transportation 1% 1% Food / Hotel Retail 1% 1% Medical / Welfare Legal 1% 1% Hightech Consulting 14% Utilities Others 11% 19% Others % 13% 13% 7% 7% 3% 3% 3% 2% 1% 1% 1% 6% 34% 14% 12% 5% 8% 7% 5% 3% 2% 2% 1% 1% 1% 6% Respondents: =615, 2005= =782, =1,004 3

4 Respondents by Job Description 6 52% 2007(4 th ) 739 (3 rd ) 1, % 4 35% 35% 32% 26% 3 23% 26% 19% 2 12% 16% 13%13% Systems Admin 7% SecOfficer/ Mgr/Directr 8% 2% 1% 6% 1% 1% 7% 8% 1%1% 1% 6% 5% CIO CEO CISO CSO Others Respondents: =615, 2005= =739, =1,004 4

5 Number of PCs (4 th ) 781 (3 rd ) 1,004 53% 57% % 26% 2 18% 16% 1% 1% Less than More than 1,000 Respondents: 2007=781 =1,004 5

6 3 25% Percentage of IT Budget Spent on Security 21% 26% 24% 2007(4 th ) 752 (3 rd ) % % 23% 2 16% 11% 14% 16% 16% 18% 11% 8% 11% 11% 9% 13% 11% 13% 8% 12% 6% 6% 5% 4% Less than 1% 12% 35% 67% 8 More than Unknown Respondents: =613, 2005= =752, =964 6

7 Percentage of Organizations Using ROI, NPV and IRR Metrics (4 th ) 760 (3 rd ) % 87% % 38% 3 2 2% 1% 19% 18% 21%19% 1% 0.3% 0.4% 7% 4% ROI NPV IRR Others Unknown Non Respondents: =512, 2005= =760, =980 7

8 Organizations with External Insurance Against Cybersecurity Risks 2007(4 th ) 767 (3 rd ) % 8% Insurance 29% % No Insurance Respondents: =571, 2005= =767, =997 89% 92% 71% 75% 8

9 Organizations Conducting Security Audits % 2007(4 th ) 771 (3 rd ) % 62% 6 38% 54% % 22% 3 16% 2 Internal External Non Respondents: = =771, =995 9

10 Percentage of Security Function Outsourced % 61% 63% 2007(4 th ) 735 (3 rd ) % % 26% 21% 22% 2 11% 8% 5% 5% 6% 6% 7% 6% 4% 2% 5% 5% 1% 2% 1% None Respondents: =609, 2005= =735, =923 10

11 Security Technologies Used AntiVirus Software Firewall Reusable account/login passwords Serverbased Access Control Lists AntiSpyware Log Management Software Encryption for data in transit Intrusion Detection System : IDS Encryption for data in Storage Smart cards/other onetime password tokens One time passwords Applicationlevel Firewall Intrusion Prevention System : IPS Specialized wireless security system Public Key Infrastructure Biometrics Forensics tools Endpoint security clinent software Others CSI 97% 98% 46% 7 79% 41% 63% 69% 48% 38% 39% 43% 32% 36% 2 38% 31% 4% % 97% 52% 7 68% 72% 46% 42% 35% 35% JPN % 92% 82% 69% 47% 37% 35% 24% 19% 18% 8% 17% 12% 9% 9% 2% 4% 94% 91% 83% 75% 32% 21% 27% 11% 9% 5% Respondents: =616, 2005= =769, =987 11

12 Unauthorized Use of Computer Systems within the Last 12 Months % 71% 2007(4 th ) 759 (3 rd ) % 57% % 31% 3 19% 24% 2 12% 3% 5% Yes No Don't know Respondents: =616, 2005= =759, =984 12

13 Types of Attacks or Misuse Detected in the Last 12 Months Virus Laptop/Mobile Theft Insider Abuse of Net Access Denial of Service Unauthorized access to Information Web Site Defacement System Penetration Theft of Proprietary Information Sabotage Abuse of Wireless Network Telecom fraud Financial fraud Misuse of Public Web Application Other No attack / Misuse C S I 65% 1 47% 2 42% 3 25% 5 32 % 4 6 % % 6 9 % 8 3 % % 7 8 % 10 9 % 9 6 % % 75 % 9 % 48 % 32 % 5 % 10 % 2 % 7 % 16 % 48 % 7 % 5 % Japan % 1 67 % 30 % 2 23 % 22 % 3 18 % 14 % 4 11 % 5 % 5 5 % 5 % 6 4 % 7 3 % 8 2 % 9 2 % 10 1 % 11 0 % % 43 % 4 % 2 % 1 % 3 % 0 % 0 % 3 % 2 % 23 % Note: Percentages of CSI 2005 is calculated from Fig. 14 in 2005 CSI/FBI survey Respondents: =616, 2005= =533, =984 13

14 How Many Incidents? From the Outside? From the Inside? Don t Know None Inside % 7 % 3 % 44 % CSI Outside % 10 % 8 % 35 % 48 % 15 % 9 % 28 % Japan Inside Outside % 31 % 30 % 42 % 3 % 3 % 2 % 4 % 1 % 1 % 2 % 3 % 0 % 1 % 1 % 1 % 12 % 12 % 10 % 9 % 65 % 52 % 56 % 41 % Respondents: =341, 2005= =686, =887 14

15 Virus 15,691,460 Laptop Theft 6,642,660 Telecom Fraud 1,262,410 Theft of proprietary Info 6,034,000 Insider Net Abuse 1,849,810 Unauthorized Access 10,617,000 Denial of Service 2,922,000 Bots within the organ. 923,700 Financial Fraud 2,556,900 System Penetration 758,000 Web site defacement 162,500 Sabotage 260,000 Password sniffing 161,210 Phishing in which your org. 647,510 Abuse of wireless net 469,010 Exploit of DNS Server 90,100 Instant Msg misuse 291,510 Misuse of public Web App 269,500 Other 885,000 Total Losses 52,494,290 Avarage of Losses/Resp 167,713 Dollar Amount Losses by Type CSI ,787, ,107, , ,933, ,856, ,233, ,310, ,565, , , , , ,227, ,104, ,606 Unit: $(= 100) Japan ,916, ,029, , ,769, , , , , , , , , , , , , ,000 35, ,310 27, ,585 20, ,200 17, , , , , ,800 1,231,160 5,308,928 11,520,541 21,581 53,335 Respondents: =313, 2005= =246, =216 15