dcsimg
RealTime IT News

FBI: Online Crime Losses Down, Attacks Up

UPDATED: Average losses from cybercrime declined dramatically in 2004, according to a new report from the FBI.

But Web site incidents, such as denial of service attacks, also rose between 2003 and 2004, as did unauthorized access incidents at Web sites involved in the report.

The 2005 CSI/FBI Computer Crime and Security Survey, produced by the Computer Security Institute (CSI) and San Francisco FBI's Computer Intrusion Squad, said the average dollar loss per survey respondent from a security breach was $204,000 in 2004.

That's a 61 percent drop from the previous year's figure of $526,000. Overall, 639 survey respondents were "willing and able" to estimate their losses, which rang up a total of just over $130 million.

The leading cause of financial loss: viruses, judging by the losses incurred, which talled at $42.8 million, or 32 percent of all reported losses.

Unauthorized access came in second at $31.2 million in total reported losses, representing 24 percent of all reported losses.

Unauthorized access skyrocketed by almost six fold year-over-year, from a reported $51,545 in losses in 2003 to $303,234 in 2004, a rise of 488 percent.

Theft of proprietary info was the third leading cause of financial loss at $30.9 million and also reported a significant average dollar loss per respondent increase to $355,552 in 2005, up from $168,529 in 2004 -- or 111 percent.

Rounding out the survey's list of dollar losses by type were: Denial of service ($7.3 million), insider 'Net abuse ($6.9 million), Laptop theft ($4.1 million), financial fraud ($2.6 million), misuse of a public Web application ($2.2 million), system penetration ($841,000), abuse of wireless network ($545,000), sabotage ($341,000), telecom fraud ($242,000) and Web site defacement ($115,000).

According to the report, one of the most dramatic findings from the survey was the marked increase in Web site incidents, such as the ones cited in the above paragraph.

Ninety five percent of respondents reported more than 10 Web site "incidents." Only 2 percent indicated they had experienced between 1 and 5 incidents. The 2004 survey found that only 5 percent had experienced more than 10 incidents and that 89 percent had experienced between 1 and 5 incidents.

Robert Richardson, editorial director of the Computer Security Institute, told explained to internetnews.com that defining a Web site incident needed a bit of leeway as well, because the survey didn't provide explicit definitions of its terms.

"I think the lion's share of such incidents are probably Web site defacements, but I think respondents would also include such things as users viewing directory listings left unintentionally viewable to outsiders, the use of Web bulletin boards for unsanctioned activities (such as transmitting pornography), and hacking that enabled outsiders to place their own Web pages on the server (as phishers sometimes do)," he said in an e-mail exchange.

Most of the incidents reported in the survey were of a "nuisance" level and don't result in significant financial losses, Richardson added.

"Because the losses aren't great, security efforts are focused elsewhere and so there's been, it would seem, a significant growth in hackers slipping past the defenses in this particular area. One area of concern, though, is this issue of identity fraudsters using otherwise legitimate enterprise Web sites to store their own fake bank pages and the like. Obviously, this is something we'd all like to put an end to.

The bottom line from the survey is that individual users are more exposed to computer crime than ever, due to the growth in identity theft schemes, said CSI Director Chris Keating.

"With the press and the public paying more and more attention as identity theft becomes a vital societal issue, we can't help but note the shift in the survey results toward more financial damage due to theft of sensitive company data. This is an ominous, though not unexpected, development and underscores the need to insist that enterprise networks be properly safeguarded."