2004 E-Crime Watch Survey Shows Significant Increase in Electronic Crimes

 

SEI Press Release

Contact: Kelly Kimberland, SEI Public Relations
  412-268-8467    

 
2003 E-Crime Losses Estimated At $666 Million
 
May 25, 2004

FRAMINGHAM, MA—The 2004 E-Crime Watch survey conducted among security  and law enforcement executives by CSO magazine in cooperation with  the United States Secret Service and the Carnegie Mellon University Software  Engineering Institute’s CERT® Coordination Center, shows  a significant number of organizations reporting an increase in electronic crimes  (e-crimes) and network, system or data intrusions. Forty-three percent (43%)  of respondents report an increase in e-crimes and intrusions versus the previous  year and 70% report at least one e-crime or intrusion was committed against  their organization. Respondents say that e-crime cost their organizations approximately  $666 million in 2003. However, 30% of respondents report their organization  experienced no e-crime or intrusions in the same period.

E-Crimes Impact
When asked what types of losses their organizations experienced last year, over  half of respondents (56%) report operational losses, 25% state financial loss  and 12% declare other types of losses. The average number of individual e-crimes  and intrusions is 136. However, a third (30%) of respondents did not experience  e-crime or intrusions, while a quarter (25%) experienced fewer than ten. Interestingly,  32% of respondents do not track losses due to e-crime or intrusions. Of those  who do track, half say they do not know the total amount of loss. Forty-one  percent (41%) of respondents indicate they do not have a formal plan for reporting  and responding to e-crimes, demonstrating room for improvement. Slightly more  than half (51%) state their organization has a formal process in place to track  e-crime attempts. Additionally, respondents indicate a higher degree of familiarity  with local and national e-crime laws (39% and 33% respectively), but know little  about applicable international laws (8%).

“The increase in e-crime over the past year again demonstrates the need  for corporate, government and non-governmental organizations to develop coordinated  efforts between their IT and security departments to maximize defense and minimize  e-crime impact,” says Bob Bragdon, Publisher of CSO magazine.  “There is a lot of security spending going on, but not much planning.  It’s essential for chief security officers and information technology  pros to find the most manageable, responsive and cost effective way to stop  e-crime from occurring,” Bragdon added.

Who are the Criminals?
Nearly a third (30%) of respondents in organizations experiencing e-crimes or intrusions in 2003 do not know whether insiders or outsiders were the cause. Respondents who do know report that an average of 71% of attacks come from outsiders compared to 29% from insiders. Regarding the source of the greatest cyber security threat, hackers were most frequently cited (40%) followed closely by current or former employees or contractors (31%). When it comes to identifying specific types of e-crimes committed against organizations, the survey shows 36% of respondents' organizations experienced unauthorized access to information, systems or networks by an insider compared to 27% committed by outsiders. Both sabotage and extortion are committed equally by insiders and outsiders for organizations responding to the survey.

Monitoring & Reporting
Eighty percent (80%) of respondents report they monitor their computer systems  or networks for misuse and abuse by employees or contractors. Ninety-five percent  (95%) of respondents say they use some type of employee monitoring (e.g., internet,  email, files) to deter e-crime. Thirty-six percent (36%) report using employee  monitoring to terminate an employee or contractor for illegal activities. Seventy-two  percent (72%) of respondents require internal reporting of misuse or abuse of  computer access by employees or contractors. However, just under half (49%)  of respondents say intrusions are handled with the help of law enforcement or  by taking other legal action.

“Many companies still seem unwilling to report e-crime for fear of damaging  their reputation,” says Larry Johnson, Special Agent in Charge, Criminal  Investigative Division, United States Secret Service. “However, as we  see with this survey, ignoring the problem or dealing with it quietly is not  working. The question is not why can’t we stop these criminal acts from  happening, but rather, why are we allowing them to take place? The technology  and resources are there to effectively fight this. We just need to work smarter  to do it.”

Best Practices
The most common technologies deployed to combat e-crime are firewalls used by  98% of respondents, followed by physical security systems (94%) and manual patch  management (91%). In ranking the effectiveness of various technologies, firewalls  are considered the most effective (71%), followed by encryption of critical  data in transit (63%) and encryption of critical data in storage (56%). Manual  patch management, the third most common technology in use, also holds the dubious  distinction of being rated as the single least effective technology (23%). Among  policies and procedures, conducting regular security audits is listed as the  most effective method (51%), and recording or reviewing employee phone conversations  is listed as one of the least effective (26%).

“The ineffectiveness of manual patching demonstrates the difficulty corporate  and individual users have in keeping abreast of the large number of vulnerabilities  discovered every month,” says Richard Pethia, Director of the Software  Engineering Institute’s (SEI) Networked Systems Survivability Program.  “In the long-term, we all need to work towards higher quality software,  with fewer defects in order to keep our risks at a manageable level.”

About the 2004 E-Crime Watch Survey
The 2004 E-Crime Watch survey was conducted by CSO magazine in cooperation  with the United States Secret Service and the CERT Coordination Center. The  research was conducted to unearth e-crime fighting trends and techniques, including  best practices and emergent trends.

For the purpose of this survey, an electronic crime is defined as: Any criminal violation in which electronic media is used in the commission of that crime. An insider is defined as: a current or former employee or contractor. An outsider is defined as: non-employee or non-contractor. The online survey of CSO magazine subscribers and members of the U.S. Secret Service's Electronic Crimes Task Force was conducted from April 15 to April 26, 2004. Results are based on 500 completed surveys. At a 95% confidence level, the margin of error is +/- 4.4%.

In addition to the 2004 E-Crime Watch survey team, the following security practitioners  served as advisors to the project:

Michael Assante, Vice President and Chief Security Officer, American Electric Power
Bill Boni, Vice President and Chief Information Security Officer, Motorola
Don Masters, Assistant Special Agent in Charge, Los Angeles Field Office, United States Secret Service
Bob Rose, Senior Managing Director, Bear Stearns
Dennis Treece, Director of Corporate Security, Massachusetts Port Authority
James Wellington, Director of Federal Systems, Questerra

About CSO Magazine
CSO magazine is published by CXO Media Inc. In addition to CSO, CXO Media publishes CIO magazine (launched in 1987), www.cio.com, The CIO Insider, CSOonline.com and darwinmag.com. CXO Media serves CIOs, CSOs, CEOs, CFOs, COOs and other corporate officers who use technology to thrive and prosper in this new era of business. The company strives to enhance partnerships among C-level executives, as well as create opportunities for information technology (IT) and consumer marketers to reach them. In addition to magazines and websites, CXO Media produces Executive Programs, a series of conferences that provide educational and networking opportunities for corporate and government leaders. CXO Media Inc. is a subsidiary of International Data Group (IDG), the world's leading technology media, research and event company. A privately-held company, IDG publishes more than 300 magazines and newspapers including Bio-IT World, CIO, CSO, Computerworld, GamePro, InfoWorld, Network World and PC World. The company features the largest network of technology-specific Web sites with more than 400 around the world. IDG is also a leading producer of more than 170 computer-related events worldwide including LinuxWorld Conference & Expo®, Macworld Conference & Expo®, COMNET® Conference & Expo, DEMO, and IDC Directions. IDC provides global market research and advice through offices in 50 countries. Company information is available at www.idg.com.

About CERT
The CERT® Coordination Center (CERT/CC) is located at Carnegie Mellon University's  Software Engineering Institute in Pittsburgh, Pennsylvania, U.S.A. The Software  Engineering Institute is a Department of Defense-sponsored federally funded  research and development center. The CERT/CC was established in 1988 to deal  with security issues on the Internet. It now partners with and supports the  Department of Homeland Security's National Cyber Security Division and its US-CERT  to coordinate responses to security compromises; identify trends in intruder  activity; identify solutions to security problems; and disseminate information  to the broad community. The CERT/CC also conducts R&D to develop solutions  to security problems and provides training to help individuals build skills  in dealing with cyber-security issues.

About the Secret Service-Led Electronic Crimes Task Forces (ECTF)
The USA PATRIOT ACT OF 2001 (HR 3162, 107th Congress, First Session; October 26, 2001, Public Law 107-56) ordered the Director of the United States Secret Service to take appropriate actions to develop a national network of electronic crime task forces, based on the New York Electronic Crimes Task Force model, throughout the United States for the purpose of preventing, detecting and investigating various forms of electronic crimes, including potential terrorist attacks against critical infrastructure and financial payment systems.
The ECTF mission is to establish a strategic alliance of federal, state and  local law enforcement agencies, private sector technical experts, prosecutors,  academic institutions and private industry in order to confront and suppress  technology-based criminal activity that endangers the integrity of our nation’s  financial payments systems and poses threats against our nation’s critical  infrastructure. The ECTF model is built on trust and confidentiality without  regulators or other outside influences. ECTF law enforcement members develop  personal pre-incident relationships with corporate and academic ECTF members  and are educated in business concepts such as risk management, return on investment  and business continuity plans. As trained first responders to various forms  of electronic crimes, ECTF law enforcement members approach incidents with the  focus on business designs and information sharing with known corporate and academic  individuals. Currently, 15 ECTF models are proving successful in Atlanta, GA;  Boston, MA; Charlotte, NC; Chicago, IL; Cleveland, OH; Columbia, SC; Dallas,  TX; Detroit, MI; Houston, TX; Las Vegas, NV; Los Angeles, CA; Miami, FL; New  York, NY; Philadelphia, PA; San Francisco, CA; Washington, DC. The current ECTF  success models will be utilized for the additional 15 ECTFs scheduled to open  prior to 2010.

NOTE TO EDITORS: Complete findings from the 2004 E-Crime Watch  survey can be found at http://www.csoonline.com/releases/052004129_release.html.  If you report any of the data from the 2004 E-Crime Watch survey, the data must  be sourced as originating from: CSO magazine/U.S. Secret Service/CERT  Coordination Center.

Additional Contact Information
 
CSO magazine
Susan Watson
508.935.4190

U.S. Secret Service
Office of Public Affairs
202.406.5708

# # #


For more information

Media Contacts: 

Richard Lynch
Dana Hanzlik

public-relations@sei.cmu.edu

412-268-4793