White Paper: Lies, damned spies and computer crime statistics

Attempts to pinpoint the extent of computer crime are hampered by firms' inability to reveal all

Enquiries about computer crime from customers to ICSA staff centre on the identity of the attackers, which methods they employ, how often they strike and which systems are affected. These questions shape risk management strategies. In estimating the appropriate level of investment in security, it is helpful to have a sound grasp of both the probability of damage and its magnitude. Ideally, one would want to gauge one's own level of risk by evaluating the experiences of other organisations with similar system and business characteristics.

Unfortunately it is impossible to give reliable answers to such questions. Information security experts understand that there are two fundamental difficulties preventing us from giving accurate statistics of this kind. These difficulties are known as "the problem of ascertainment".

Firstly, an unknown number of crimes go undetected, and therefore unreported. For example, even outside the computer crime field, ICSA doesn't know how many financial frauds are being perpetrated, owing to lack of detection. How does ICSA know they're not detected? Because some frauds are discovered long after they have occurred. Similarly, computer crimes may go undetected by their victims. In a landmark series of tests at the Department of Defense, the Defense Information Systems Agency found that very few of the penetrations it engineered against unclassified systems within the DoD seem to have been detected by system managers. A commonly held view within the information security community is that only something like one-tenth of all the crimes committed against and using computer systems are detected.

Secondly, even when attacks are detected, it seems that few are reported. This belief is based in part on the unquantified experience of information security professionals who have interviewed their clients. It turns out that, of the attacks against computer systems revealed in such interviews, only about 10 per cent were ever reported to any kind of authority or to the public. The Department of Defense studies mentioned above were consistent with this belief: of the few penetrations that were detected, a very small number were reported to the appropriate authorities.

Given these problems of ascertainment, computer crime statistics should generally be treated with scepticism. Generalisations in this field are difficult to justify; even if ICSA knew more about the types of criminals and the methods they use, it would still be difficult to produce the kind of actuarial statistics that are commonplace in the insurance field. It is very difficult to compare the risks faced by a mainframe-based network running MVS with those faced by UNIX-based intranets.

Under these circumstances, ICSA staff should be very careful not to give customers the impression that they know more than they do. There is hope, however. The ICSA is actively working with ISPs in the US to develop a database of incident details that will help answer some important questions. Over the next several months, the ICSA expects to issue interim reports summarising the findings of this ongoing research project.

What kinds of damage do computer systems suffer?

Information systems can be damaged in many ways. For example, an unauthorised person can breach the confidentiality of records stored by information systems. A breach of control and possession occurs when people make illegal copies of copyrighted software, putting their employers at risk of serious lawsuits and criminal prosecution. The integrity of our information can be damaged; for example, when vandals modify the appearance and content of corporate web pages, the victims suffer a breach of data integrity that may lead to a loss of credibility in the marketplace.

Sometimes intruders assume the identity of users on the systems they penetrate; this kind of breach of authenticity can result in serious problems when, for example, the forgers send fraudulent messages in their victims' names. Alternatively, attackers may reduce the availability of computer systems; some denial of service attacks have involved complete saturation of the victims' resources. In one spectacular case in 1996, someone flooded the mailboxes of over 100 people with thousands of spurious email messages. Another kind of problem is a breach of utility. For example, some disgruntled employees have been known to encrypt valuable documents, such as source code, before leaving their employers; in other cases, people simply forget their decryption keys. Although the information is still intact, it is of no use until the decryption key is found.

What are the most common methods of attack?

Some deliberate attacks on systems originate in non-technical ways. So-called "social engineering" techniques take advantage of inadequately trained employees. For example, requests by phone for passwords or new computer accounts are easy for any junior hacker to make but should never be granted. Seduction or bribery of employees to reveal confidential matters, or to steal confidential information, requires little technical knowledge but can be made more difficult by adequate employee security-awareness programs.

Successful technical attacks on computers and networks usually take advantage of weaknesses that have been well documented and ought to have been fixed. System managers and network administrators must keep their systems software up to date by installing all appropriate patches issued by their operating-system and security-software vendors.

John D Howard published a valuable analysis of CERT-CC data from 1989 to 1995 that will interest those who want a broad overview of the kinds of attacks noted by the agency. The 1996 Annual Report made the following key points on the most serious problems they encountered:

• Exploitation of weaknesses in the "cgi-bin/phf" program used on Web servers to steal system password files

• Attacks on systems running the free Linux version of UNIX, including installation of "sniffers" that can steal unencrypted passwords when people log on to the systems

• Denial-of-service attacks were particularly troubling for Internet Service Providers

• Widely available hacker kits have permitted even novices to attack systems with known vulnerabilities

• Poorly-configured anonymous FTP sites were used to exchange illegal copies of proprietary software

• Abuse of email included mail-bombing, forgeries ("spoofing") and a large increase in the amount of junk email ("spamming")

• Viruses and hoaxes about viruses (especially wild claims about dangerous email) increased in 1996
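The first item in the CERT list, requests for the "cgi-bin/phf" script, is one of the few attack patterns on this page that leaves an obvious trace in a Web server's own access log. The following script is an added example written for this page, not code from ICSA or CERT, and it runs over a handful of constructed Common Log Format lines rather than real traffic. It flags every request for the phf script and distinguishes a 200 response (the script is installed and answering, so it must be removed) from a 404 (a probe against a server that no longer has it), then counts probes per source host.

```python
import re
from collections import Counter

# Constructed access-log lines in Common Log Format (assumption for this example; not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/1997:10:14:02 +0000] "GET /index.html HTTP/1.0" 200 1043
10.0.0.9 - - [12/Mar/1997:10:14:07 +0000] "GET /cgi-bin/phf?Qname=smith HTTP/1.0" 200 512
10.0.0.9 - - [12/Mar/1997:10:15:30 +0000] "GET /cgi-bin/phf HTTP/1.0" 404 211
10.0.0.7 - - [12/Mar/1997:10:16:01 +0000] "POST /cgi-bin/guestbook.pl HTTP/1.0" 200 88
"""

# Common Log Format: host ident authuser [time] "method target protocol" status size
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_clf(line):
    """Return a dict of the log fields, or None if the line is not well-formed CLF."""
    m = CLF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    return rec


def is_phf_request(target):
    """True if the request path is the phf CGI script, ignoring any query string."""
    path = target.split('?', 1)[0].lower().rstrip('/')
    return path == '/cgi-bin/phf'


def find_phf_probes(log_text):
    """Return (host, status, assessment) for every phf request in the log text."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec is None or not is_phf_request(rec['target']):
            continue
        if rec['status'] == 200:
            assessment = 'phf script present and answering: remove it'
        else:
            assessment = 'probe against absent script'
        findings.append((rec['host'], rec['status'], assessment))
    return findings


def probes_per_host(findings):
    """Count phf requests per source host so repeat probers stand out."""
    return Counter(host for host, _, _ in findings)


if __name__ == '__main__':
    hits = find_phf_probes(SAMPLE_LOG)
    for host, status, assessment in hits:
        print(f'{host} {status} {assessment}')
    print(dict(probes_per_host(hits)))
```

The distinction by status code is the operationally useful part: a 404 tells you someone is scanning for the script, while a 200 tells you the server still has the vulnerable program installed, which the text's advice on keeping system software patched is meant to prevent.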

What market sectors are most likely to be attacked?

Because many attacks on computer systems and networks go unreported, ICSA doesn't have much detail on who gets attacked the most. However, it certainly looks as though websites of all descriptions are appealing targets for cyber-vandals. At the ICSA, staff routinely see dozens of sites attacked every week, and this is probably just the tip of the iceberg. Another tempting target for cyber-thieves seems to be any organisation holding large numbers of credit-card numbers. In general, one should be concerned about the safety of any organisation whose information has monetary value to others.

What kind of data is being stolen?

In addition to credit card numbers, there have recently been some high-profile cases of industrial espionage, in which valuable proprietary data has been stolen either by competitors or sold to competitors of the victim.

Who are the perpetrators of the attacks?

Judging from the participants in public hacker meetings, many of the potential criminals are relatively young people; then again, some recent computer criminals have been people in their thirties. Not much is known about their personality profiles, although there has been speculation in articles published over the years. Although the level of writing in hacker publications such as "Phrack" and "twenty-six hundred" seems uniformly immature, there is no way of knowing how representative that is of the broader hacker population. There may be differences in the personality profiles of American hackers and their European counterparts. Although there are no definitive studies, rumour has it that European hackers are more politically motivated. An interesting glimpse into the minds of some hackers comes from a video made by Annaliza Savage, called "Unauthorized Access".

There have been several popular books published recently dealing with the computer underground. Nobody knows whether the people profiled in these books fairly represent the hacker population at large. Nonetheless, they are interesting and may be helpful for perspective in discussions of computer crime.

Compiled by Will Garside

Copyright (c) 1998 ICSA