CSIA Compilation of Data Sources for Information on Cyber Security Issues

When researching cyber security issues, one quickly learns there is no single source of information on either the scope of the problem or its impact. While a lot of important studies have been conducted by both industry and government, finding needed statistical information can be a challenge because there is no complete listing of reliable information on attack trends and vulnerabilities, the economic and consumer impact of data breaches and cyber crime, and other relevant industry data. To assist both our member companies and the broader public, CSIA has compiled a list of known sources of information and statistics on topics related to cyber security. As one might imagine, this list is not complete or comprehensive, but should provide an extensive roadmap for the user.

Attack Trends

Symantec Internet Security Threat Report - September 2007
Analysis of Internet threat activity from January 1 to June 30, 2007
http://www.symantec.com/enterprise/theme.jsp?themeid=threatreport

  • To meet the needs of what has become a multi-billion dollar criminal industry, the development and distribution of many malicious activities has become professionalized and commercialized over the past two years.
  • During this period, the United States accounted for 30% of all malicious activity, more than any other country.
  • During the first six months of 2007, the United States was the top country for underground economy servers, accounting for 64% of the total known to Symantec.
  • The education sector accounted for 30% of data breaches that could lead to identity theft during this period, more than any other sector. The government sector accounted for 26% of data breaches that could lead to identity theft, making it the second highest sector for this consideration.
  • Theft or loss of computer or other data-storage medium made up 46% of all data breaches that could lead to identity theft during this period.
  • 85% of credit cards advertised for sale on underground economy servers known to Symantec were issued by banks in the United States.
  • The EMEA region accounted for the highest percentage of potential infections by viruses during this reporting period, with 45% of the total. The APJ and North America regions accounted for 27% and 22% of viruses respectively, while Latin America only accounted for 6%.
  • Home users were the most highly targeted sector, accounting for 95% of all targeted attacks.
  • In-depth analyses of regional (EMEA, APJ) and government sector threat activity, as well as past editions of the Internet Security Threat Report are also available at the above Website.

IBM X-Force 2007 Mid-Year Report - August 2007
Analysis of new vulnerabilities and the status of varying threats throughout the first half of 2007
http://www.iss.net/x-force_report_images/2007/index.html

  • There were a total of 3,273 vulnerabilities entered in the first half of 2007, a 3.3 percent decrease over the first half of 2006. This is the first time that vulnerability disclosure numbers have decreased in the first half of the year in the history of the X-Force database.
  • The U.S. continues to lead the world as the final Web destination for products promoted through spam e-mail messages. The U.S. hosts more than one third of spam-related Web sites.
  • Europe now accounts for the largest source of phishing e-mail, with Spain alone accounting for 17.9 percent of the worldwide volume.
  • The largest threat category of malware so far in 2007 is Trojans - 61,161 varieties accounting for 28 percent of all malware.

RSA/EMC Online Fraud Intelligence Reports - Monthly
Analysis of phishing activity and trends
http://www.rsa.com/phishing_reports.aspx

  • Each month the RSA Anti-Fraud Command Center (AFCC) issues its Phishing Intelligence Report with key statistics from its global phishing repository. The reports also include trend analysis derived from the expertise of the AFCC fraud analysts.
  • The AFCC is a 24x7 war-room that detects, monitors, tracks and shuts down phishing, pharming and Trojan attacks against over 60 institutions worldwide. The AFCC has shut down over 10,000 phishing attacks and is a key industry source for information on phishing and emerging online threats. The reports may be reviewed for your own benefit, and you are welcome to reuse the information and distribute it further as well; RSA only asks that when reusing the information, it be attributed to the RSA Anti-Fraud Command Center as the source.

Sophos Security Threat Report - July 2007
Analysis of Internet threat data from January - June 2006
http://www.sophos.com/pressoffice/news/articles/2007/07/securityrep.html

  • Total number of different malware threats Sophos protected against: 257,313
  • New pieces of malware detected by Sophos: up 24 percent at 49,629
  • Top malware-hosting country: China, which has supplanted the US
  • The proportion of e-mail with infected attachments: 1 in 322

McAfee® Virtual Criminology Report – November 2007
Analysis of emerging global cyber security trends, with input from NATO, the FBI, SOCA and experts from leading groups and universities
http://www.mcafee.com/us/research/criminology_report/default.html

  • Governments and allied groups are using the Internet for cyber spying and cyber attacks
  • Targets include critical national infrastructure network systems such as electricity, air traffic control, financial markets and government computer networks
  • 120 countries are now using the Internet for Web espionage operations
  • Cyber assaults have become more sophisticated in their nature, designed to specifically slip under the radar of government cyber defenses
  • Attacks have progressed from initial curiosity probes to well-funded and well-organized operations for political, military, economic and technical espionage
  • Experts believe a sustained cyber attack on banks could severely damage public trust in online banking and put the brakes on e-commerce. Critics believe the efforts to address online banking security will not be effective enough or fast enough.

F-Secure 2007 Data Security Wrap-Up – December 2007
Analysis of threat data from July-December 2007
http://www.f-secure.com/2007/2/

  • At the start of 2007 — our number of malware detections equaled a quarter-million. At the end of 2007, the estimates are to be equal to half-a-million.
  • There was a great deal of volume seen during 2007. Malware authors are producing variants in bulk. Genuine innovation appears to be on the decline and is currently being replaced with volume and mass-produced kit malware. But while new techniques weren't developed — the existing techniques were refined and adapted for much greater effectiveness.
  • F-Secure predicts the increase in malware volume will continue in 2008. The criminals are successfully creating a network-based underground ecosystem, trading malware development tools, skills, capabilities and resources ever more effectively. At the same time, the reach of law enforcement agencies remains limited in the global network domain. 2008 will be a challenge of endurance.
  • The vulnerability of large databases containing personal data has become an issue, with several major leaks reported during the year involving tens of millions of records such as credit card numbers or bank account information. Such leaks enable so-called "spear phishing" attacks with very well targeted information. The increased popularity of social networking services carries similar risks.
  • Understandably, financial transactions remain a favorite target for network crime. The number of phishing sites continues to increase, but as bank customers have become more aware of this threat the criminals have started employing more sophisticated techniques.

Economic and Business Impact

2007 Annual Study: Cost of a Data Breach, Conducted by the Ponemon Institute for PGP Corporation and Vontu, Inc. - November 2007
Examination of the costs incurred by 35 U.S. organizations after experiencing a data breach
http://www.pgp.com/downloads/research_reports/ponemon.html

  • Data breach incidents cost companies $197 per compromised customer record in 2007, compared to $182 in 2006.
  • Lost business opportunity, including losses associated with customer churn and acquisition, represented the most significant component of the cost increase, rising from $98 in 2006 to $128 in 2007 – a 30% increase.
  • Average total per-incident costs in 2007 were $6.3 million, compared to an average per-incident cost of $4.8 million in 2006.
  • The cost of lost business increased by 30% to an average of $4.1 million in 2007, approximately two-thirds of the average total cost per incident.
  • Breaches by third-party organizations such as outsourcers, contractors, consultants and business partners were reported by 40% of respondents, up from 29% in 2006. Breaches by third parties were also more costly than breaches by the enterprise itself, averaging $231 compared to $171 per record.
  • Notification costs fell 40%, decreasing from $25 per customer in 2006 to $15 in 2007, suggesting a more measured, less reactive breach response.

12th Annual CSI Computer Crime and Security Survey - September 2007
Survey of 494 computer security practitioners in U.S. corporations, government agencies, financial institutions, medical institutions and universities
http://www.gocsi.com/forms/csi_survey.jhtml

  • The average annual loss reported by U.S. companies more than doubled, from $168,000 in last year's report to $350,424 in this year's survey. This ends a five-year run of lower reported losses.
  • Financial fraud overtook virus attacks as the source of the greatest financial loss.
  • Almost one-fifth of those respondents who suffered one or more kinds of security incident said they'd suffered a "targeted attack," i.e. a malware attack aimed exclusively at their organization or at organizations within a small subset of the general population.
  • Insider abuse of network access or e-mail (such as trafficking in pornography or pirated software) edged out virus incidents as the most prevalent security problem, with 59% and 52% of respondents reporting each respectively.
  • When asked generally whether they'd suffered a security incident, 46% of respondents said yes, down from 53% last year and 56% the year before.

2005 FBI Computer Crime Survey - January 2006
Survey of more than 2,000 U.S. public and private sector organizations
http://www.fbi.gov/page2/jan06/computer_crime_survey011806.htm

  • $67.2 billion: projected annual loss to U.S. organizations because of computer crime in 2005.
  • Over 64% of the respondents incurred a loss. Viruses and worms cost the most, accounting for $12 million of the $32 million in total losses.
  • Nearly nine out of 10 organizations experienced computer security incidents in a year's time; 20% of them indicated they had experienced 20 or more attacks.
  • Just 9% said they reported incidents to law enforcement, believing the infractions were not illegal or that there was little law enforcement could or would do. Of those reporting, however, 91% were satisfied with law enforcement's response.

Garlik UK Cybercrime Report - September 2007
Research report conducted by criminologists from 1871 Ltd. that draws on a wide range of available sources
https://www.garlik.com/press/Garlik_UK_Cybercrime_Report.pdf

  • There were an estimated 1.9 million incidents of cybercrime committed in the UK in 2006, or about one every 10 seconds. These incidents were defined as "offences against the person including abusive or threatening emails, false or offensive accusations posted on websites and blackmail perpetrated over the internet."
  • 90% of cybercrimes go unreported with victims deterred from coming forward as they wrongly believe the activity is not criminal or that the police will be unable or unwilling to investigate.
  • The lack of a clear, legal definition for cybercrime and therefore the absence of consistent reporting systems are cited as key factors hindering the investigation of e-crime in the UK.
  • The potential of the Internet to facilitate crime is increasingly a matter for public concern.
  • Cyber crimes are just as prevalent as traditional crimes. In 2006 the incidents of online financial fraud doubled the number of robberies taking place.
  • The proportion of identity theft/fraud facilitated online is expected to increase throughout 2007 as a result of the increasing technical sophistication and organisation of fraudsters and the increasing amount of identity information that may be gathered from online sources.

DataGate: McAfee and Datamonitor Global Survey on Impact of Data Loss - April 2007
Survey of more than 1,400 IT professionals at companies with at least 250 employees in the United States, the United Kingdom, France, Germany and Australia
http://www.mcafee.com/us/enterprise/products/promos/data_loss_protection/default.html

  • A data breach that exposed personal information would cost companies an average of $268,000 to inform their customers, even if the lost data is never used.
  • 23% of respondents were able to estimate the total annual cost of data leakage, and the average figure they gave was $1.82 million.
  • 33% of respondents said they believe a major data loss incident involving accidental or malicious distribution of confidential data could put them out of business.
  • 60% of respondents said they had experienced a data breach in the past year.

Deloitte 2007 Global Security Survey - September 2007
Survey of IT Executives at Top Global Financial Services Institutions
http://www.deloitte.com/dtt/research/0,1002,sid=1013&cid=170582,00.html

  • Less than two-thirds (63%) of respondents to the survey have an information security strategy. Only 10% of this year's respondents have their information security led by business line leaders. These findings support an emerging security paradox: the gap between awareness of the problem and support for the solution.
  • Email attacks top the list of external security breaches financial institutions experienced over the past 12 months (57%).
  • Two-thirds (66%) of respondents do not feel they should be accountable for protecting the computer of customers who bank on-line.
  • Virtually all respondents (98%) indicate increased security budgets, but 35% feel that their investment in information security is lagging behind business needs.
  • "Shifting priorities" and "integration problems" were identified as the top reasons for information security project failure (48% and 32%, respectively).

Ernst & Young Global Information Security Survey 2006 - June 2006
Survey of executives in nearly 1,200 organizations in 48 countries
http://www.ey.com/global/content.nsf/International/Assurance_&_Advisory_-_Technology_and_Security_Risk_-_Global_Information_Security_Survey_2006

  • 56% of companies cited compliance with regulations as having the most significant impact on their information security practices 
  • 47% of companies surveyed cited privacy and data protection as having the most significant impact on their information security practices 
  • 52% of companies surveyed have formal procedures addressing privacy and personal data protection

APACS Data, March 2007
UK fraud data collected by the UK payments association
http://www.apacs.org.uk/media_centre/press/07_14_03.html

  • Online banking fraud increased from £23.2m in 2005 to £33.5m in 2006.
  • Card-not-present (phone/Internet/mail) fraud losses increased by 16 percent to £212.6m over the last year and now account for just under 50% of all card fraud losses.

Network Attacks: Analysis of Dept. of Justice Prosecutions 1999-2006 - August 2006
An analysis of U.S. Department of Justice cases
https://forms.phoenix.com/cybercrime/docs/cyberdoc.pdf

  • Average financial loss was more than $3M per case 
  • Individual attacks caused as much as $10M in damages to individual organizations 
  • Organizations suffered the greatest financial loss and damage, more than $1.5M per occurrence, when attackers used stolen IDs and passwords 
  • Largest damages to organizations caused by attackers logging onto privileged user or administrator accounts where a small number of authorized computers were sanctioned to perform work 
  • Most crimes, 84%, could have been prevented if the identity of the computers connecting were checked in addition to user IDs and passwords 
  • Losses from stolen IDs and passwords far exceeded damages from worms, viruses and other attack methods not utilizing logon accounts 
  • Vast majority of attackers, 78%, committed crimes from their home computers; most often using unsanctioned computers with no relationship to the penetrated organization

Ferris Research's The Cost of Spam 2007 - 2007
Market research firm analysis
http://www.ferris.com/research-library/industry-statistics/

  • Ferris Research estimates that in 2007 spam will cost a total of $100 billion worldwide, of which $35 billion is in the U.S. When compared to Ferris Research's 2005 estimates of $50bn/$19bn, it is noted that the cost of spam has doubled over 24 months. The main components of the cost are:
    • Productivity loss from inspecting and deleting spam that gets missed by spam control products (false negatives)
    • Productivity loss from searching for legitimate email deleted in error by spam control products (false positives) 
    • Operations and helpdesk running costs

Fifth Annual Global State of Information Security from CIO, CSO and PricewaterhouseCoopers - August 2007
Worldwide survey of 7,200 IT, security and business executives across industries
http://www.pwc.com/extweb/pwcpublications.nsf/docid/114E0DE67DE6965385257341005AED7B

  • Most companies now have a chief security officer - 60% in 2007 compared to 43% in 2006 -- and just over half now have an overall information strategy, up from 37% last year.
  • One of the areas of the world where the focus on information security has intensified is Latin America, specifically Brazil and Mexico. Researchers and law enforcement believe that cultural differences in acceptance of less-secure online transaction methods and fewer controls and regulations on banking activity have made the region the banking center of choice for the Internet criminal underground. 
  • 21% of CSOs/CISOs/Infosec Directors believe their organizations are not in compliance with state privacy breach laws, compared to 10% of CEOs and 12% of CIOs. 
  • 67% of respondents do not keep an accurate inventory of where data is stored. 
  • The study offers industry-specific results for the following sectors: Aerospace & Defense; Energy; Entertainment & Media; Financial Services; Government & Public Sector; Healthcare Payor; Healthcare Provider; Pharmaceuticals; Retail & Consumer; Telecommunications; and Utilities.

Websense 2007 SMB State of Security Survey - August 2007
Survey of 450 IT managers and employees within the United States
http://www.websense.com/smb/dl-survey.php

  • IT security managers say the top risks to their business include employees clicking on email links from unknown sources (74%), employees sending company email to the wrong address (53%), and employees accidentally or deliberately accessing adult Web sites (50%). Alarmingly, 73% of SMB employees admit to at least one of these high-risk activities with their work-owned computer, 54% admit more than one, while 27% admit three or more.
  • 99% of SMB IT managers feel their company is protected to some degree from exposure to Internet security threats. But only 22% say they feel 100% protected, meaning 78% do not. Additionally, 20% of SMBs do not use Internet security software other than firewall and anti-virus products.
  • Confidence levels in IT security are high among SMB employees, with 41% confident that their IT department protects them from every Internet security threat. However, 45% say they have some level of protection but admit they are not sure what is protected. Another 12% of employees say they do not know if their work PC is protected.
  • The average length of time that employees have continued to use their work PCs before security is updated is 21.2 days. Only 4% of employees have daily security updates on their work PC, while 11% have never updated security on their work PC.

Consumer Impact

CSIA Digital Confidence Index Survey - May 2006
Survey of 1,150 U.S. adults
https://www.csialliance.org/publications/publications/surveys_and_polls/dci_survey_May2006/

  • Fewer than one in five Americans feel that existing laws are enough to protect them on the Internet. 
  • Voters express a clear preference for strong federal data security legislation even when presented with the argument that it will result in unwanted notices and higher prices with 70% of likely voters agreeing that Congress should pass a strong data security law. 
  • Nearly half (46%) of likely voters who think that Congress should pass a strong data security law report that they would have serious doubts about a candidate that opposes swift action. 
  • Only 44% of Americans feel their information is safe when engaging in e-commerce and 50% avoid making purchases online because they are afraid their financial information will be stolen. 
  • Only a third (34%) of Americans feels that banking online is as safe as banking in person. 
  • 94% of Americans feel that identity theft is a serious problem. 
  • Only 24% of Americans say that businesses are placing the right emphasis on protecting information systems and networks.

2007 Consumer Survey on Data Security, Conducted by Ponemon Institute for Vontu - June 2007
Survey of 768 U.S. adults
http://www.vontu.com/consumersurvey/

  • 62% of respondents have been notified that their confidential data has been lost or stolen. 
  • 84% of respondents who were notified reported increased concern or anxiety due to data loss events. 
  • 62% of respondents said that they would be more upset with a company that lost their information due to negligence than if that company lost their information as the result of a criminal enterprise or theft. 
  • 36% of respondents stated that they would not use their credit or debit card to make a purchase with a Web merchant they don't know. Respondents who have received notification are more cautious when sharing their credit card (43% vs. 32%) and debit card (44% vs. 32%). In other words, findings suggest that breach notification may affect consumer behavior. 
  • 45% said they would not provide their Social Security number on a Web site.

Center for Identity Management & Information Protection (CIMIP) Identity Fraud Trends and Patterns: Building a Data-Based Foundation for Proactive Enforcement - October 2007
Funded by a grant from the Bureau of Justice Assistance, this project is an assessment of closed United States Secret Service cases (2000-2006) which have an identity theft/fraud component.
http://www.utica.edu/academic/institutes/cimip/publications/index.cfm?action=submit

  • The median actual dollar loss per identity theft case was $31,356.
  • Most of the offenders (42.5%) were between 25 and 34 years of age at the time that the case was opened.
  • The most prevalent motive of the offenders was personal gain. It took several forms including using fraudulently obtained personal identifying information to:
    • Obtain and use credit
    • Procure cash
    • Conceal actual identity
    • Apply for loans to purchase motor vehicles
  • Organized group activity was discerned in 42.4% of the cases, involving from 2 to 45 offenders.
  • In approximately half of the cases, the Internet and/or other technological devices were used in the commission of the crime.
    • Within the half with no use of the Internet or technology, non-technological methods, such as change of address and dumpster diving, were used in 20% of the cases.
  • Over a third (37.1%) of the victims were financial industry organizations: banks, credit unions, and credit card companies.
  • Individuals accounted for 34.3% of the victims.
  • 21.3% of the victims were retail businesses (stores, car dealerships, gas stations, casinos, restaurants, hotels, hospitals, doctors' offices).

Consumer Reports State of the Net 2007 - September 2007
U.S. nationally representative survey of more than 2000 American households conducted by the Consumer Reports National Research Center
http://www.consumerreports.org/cro/electronics-computers/computers/internet-and-other-services/net-threats-9-07/overview/0709_net_ov.htm?resultPageIndex=1&resultIndex=1&searchTerm=%22state%20of%20the%20net

  • The estimated cost of cybercrime to U.S. consumers is more than $7 billion, up from last year's estimate of $5.2 billion.
  • 1 in 4 consumers face a chance of becoming a victim of cyberfraud. 
  • 8% of respondents fell prey to phishing scams. 
  • 38% reported a consumer virus infection in the past two years, with 34% reporting a spyware infection in the past six months. 
  • An estimated 1.8 million households replaced their PCs in response to virus infections, with an estimated 850,000 households replacing their PCs in response to spyware infections in the past six months. 
  • About 17% of respondents didn't have antivirus software installed. 
  • A projected 3.7 million households with broadband still lack a firewall. 
  • Wireless users face additional risks. Half of those who use their home computer with a wireless router didn't take basic precautions such as enabling encryption.

National Cyber Security Alliance & Bank of America: Online Fraud Report - May 2006
Survey of 1,055 U.S. adults
http://staysafeonline.org/news/onlinefraudreportfinal.pdf

  • Roughly eight in 10 Americans who use the Internet conduct online financial transactions such as online banking, stock transactions or filing taxes.
  • Two-thirds of consumers who conduct online financial transactions are extremely or very concerned about giving their personal or financial information to a fake Web site and having hackers steal financial information from their computer.
  • 74% of Americans don't believe using only an ID and password to log-in is extremely or very safe. More than 68% of respondents are extremely or very willing to try additional layers of login security, such as answering personal questions about themselves to confirm their identity. 
  • More than four out of five people polled believe that the responsibility of limiting and preventing online fraud is equally shared by the legitimate Web site, themselves and Internet service providers. 
  • More than 80% of consumers understand that not opening unsolicited e-mails, using the proper security software (anti-virus, anti-spyware and a firewall) and keeping security software updated are all ways to prevent Internet fraud. However, according to the 2005 AOL/NCSA Online Safety Study, 80% of consumers do not practice most of these key security measures.
  • Even though 87% of respondents feel extremely or somewhat confident in their ability to recognize a fake email, 61% of them failed to correctly identify a real or legitimate email.
  • 67% of respondents failed to correctly identify a secure and safe web site. Moreover, 58% of respondents are vulnerable to dealing with unsecured and unsafe web sites, because they rely on symbols like "padlocks" to tell them that a site is secure.

McAfee-NCSA Online Safety Study - October 2007
Survey of 378 U.S. respondents. These respondents first provided their feedback to a telephone survey and then participated in a remote scan conducted by Support.com which collected the type of security software installed and the operating systems on the respondents' computers.
http://download.mcafee.com/products/manuals/en-us/McAfeeNCSA_Analysis09-25-07.pdf?cid=36665

  • While nearly every survey respondent (98%) acknowledged the importance of having up to date security on their computer, nearly half of all scanned computers (48%) had not been updated within the month
  • 54% had been hit with a virus
  • 44% thought they were infected with spyware
  • While 81% have a firewall installed on their computer, only 64% actually activated this anti-hacker protection
  • While 70% of respondents say they have anti-spyware software, 55% actually did
  • While 27% say they have anti-phishing protection, 12% actually do

Internet Crime Complaint Center (IC3) 2006 Internet Crime Report - 2007
Compilation of information on complaints received and referred by the IC3 to law enforcement or regulatory agencies for appropriate action.
http://www.ic3.gov/media/annualreport/2006_IC3Report.pdf

  • In 2006, IC3 processed more than 200,481 complaints that support Internet crime investigations by law enforcement and regulatory agencies nationwide.
  • The total dollar loss from all referred cases of fraud was $198.44 million with a median dollar loss of $724.00 per complaint. This is up from $183.12 million in total reported losses in 2005.
  • Of those individuals who reported a dollar loss, the highest median losses were found among Nigerian letter fraud ($5,100), check fraud ($3,744), and other investment fraud ($2,695) complainants.
  • Electronic mail (e-mail) (73.9%) and webpages (36.0%) were the two primary mechanisms by which the fraudulent contact took place.

Javelin Strategy & Research 2007 Identity Fraud Survey Report - February 2007
Survey of 5,000 U.S. adults
http://www.javelinstrategy.com/idf2007

  • Identity fraud in 2006 dropped by an estimated 12% over the previous year, from $55.7 billion to $49.3 billion.
  • Approximately 500,000 fewer adults in the United States fell victim to identity fraud in 2006 than in 2005. Of America's overall adult population, 3.7% were victims, as compared to 4.0 percent in 2005.
  • The overall adult population of the United States reported a fraud rate of 3.7 percent. Younger adults between 18 and 24 reported a much greater incident rate of 5.3%.
  • Americans with the lowest income surveyed - those earning $15,000 or less - are least likely to be victims of identity fraud, with only 2.8 percent reporting cases. Americans with incomes of more $150,000 per year are the most likely to be victimized (7.3% reporting abuses).
  • When the lowest income population is victimized, misuse lasts twice as long and the fraud is the hardest to uncover, taking on average 70% longer to detect than fraud in higher income populations. These victims spent 75%, or 44 hours on average, more time resolving the fraud.

Survey of 649 respondents in corporate information technology (IT) departments within U.S. and EMEA based business or governmental organizations.
http://www.appsecinc.com/resources/whitepapers/Ponemon-Brief-6-2007/index.shtml

  • 40% said their organizations don't monitor their databases for suspicious activity, or don't know if such monitoring occurs. Notably, more than half of these organizations have 500 or more databases - and the number of databases is growing. "Trusted" insiders' ability to compromise critical data was cited as the most serious concern - with 57% perceiving inadequate protection against malicious insiders and 55% for "data loss" by internal entities.
  • 78% believe that databases are either critical or important to their business. Customer data represents the most common data type contained within these databases.
  • Customer/consumer and employee data ranks 3rd and 4th respectively in regard to organizations' prioritization of what must be protected.

Other Resources

Privacy Rights Clearinghouse
The Privacy Rights Clearinghouse maintains a chronological list of U.S. data breaches dating back to April 2005. According to the site, more than 150 million records of personal information have been compromised.
http://www.privacyrights.org/ar/ChronDataBreaches.htm

US-CERT: United States Computer Emergency Readiness Team
The United States Computer Emergency Readiness Team (US-CERT) is a partnership between the Department of Homeland Security and the public and private sectors. US-CERT interacts with federal agencies, industry, the research community, state and local governments, and others to disseminate reasoned and actionable cyber security information to the public.
http://www.us-cert.gov/

CERT Coordination Center (CERT-CC)
CERT/CC, located within Carnegie Mellon University's Software Engineering Institute, provides technical information on security vulnerabilities.
http://www.cert.org/cert/

SANS Institute
SANS Institute, an information security training, certification and research organization, offers a collection of research documents on various aspects of information security, including its list of the Top 20 Most Critical Internet Security Vulnerabilities.
http://www.sans.org/free_resources.php

Common Vulnerabilities and Exposures
A list, or dictionary, of common names for publicly known information security vulnerabilities and exposures, maintained by the MITRE Corporation.
http://cve.mitre.org/

DOJ/DHS National Computer Security Survey (NCSS)
The NCSS is being fielded and sent to thousands of businesses across 37 industry sectors, including critical infrastructure. The NCSS collects data on: the nature and extent of computer security incidents; monetary costs and other consequences of these incidents; incident details such as types of offenders and reporting to authorities; and computer security measures used by companies. The goal of the NCSS is to produce reliable national and industry-level estimates of the prevalence of computer security incidents (such as denial of service attacks, fraud, or theft of information) against businesses and the resulting losses incurred by businesses.
http://www.ncss.rand.org/

*Results not yet reported.

GAO Report: Cybercrime: Public and Private Entities Face Challenges in Addressing Cyber Threats - June 2007
http://www.gao.gov/docsearch/abstract.php?rptno=GAO-07-705

Computer interconnectivity has produced enormous benefits but has also enabled criminal activity that exploits this interconnectivity for financial gain and other malicious purposes, such as Internet fraud, child exploitation, identity theft, and terrorism. Efforts to address cybercrime include activities associated with protecting networks and information, detecting criminal activity, investigating crime, and prosecuting criminals. GAO's objectives were to (1) determine the impact of cybercrime on our nation's economy and security; (2) describe key federal entities, as well as nonfederal and private sector entities, responsible for addressing cybercrime; and (3) determine challenges being faced in addressing cybercrime. To accomplish these objectives, GAO analyzed multiple reports, studies, and surveys and held interviews with public and private officials.

GAO Report: Personal Information: Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited; However, the Full Extent Is Unknown - June 2007
http://www.gao.gov/docsearch/abstract.php?rptno=GAO-07-737

In recent years, many entities in the private, public, and government sectors have reported the loss or theft of sensitive personal information. These breaches have raised concerns in part because they can result in identity theft--either account fraud (such as misuse of credit card numbers) or unauthorized creation of new accounts (such as opening a credit card in someone else's name). Many states have enacted laws requiring entities that experience breaches to notify affected individuals, and Congress is considering legislation that would establish a national breach notification requirement. GAO was asked to examine (1) the incidence and circumstances of breaches of sensitive personal information; (2) the extent to which such breaches have resulted in identity theft; and (3) the potential benefits, costs, and challenges associated with breach notification requirements. To address these objectives, GAO reviewed available reports on data breaches, analyzed 24 large data breaches, and gathered information from federal and state government agencies, researchers, consumer advocates, and others.

UK House of Lords - Report on Personal Information Security - August 2007
The House of Lords Science and Technology Committee have highlighted the threat to the future of the Internet posed by e-crime, and have argued that the Government must do more to protect individual Internet users.
http://www.publications.parliament.uk/pa/ld200607/ldselect/ldsctech/165/16502.htm

European Network and Information Security Agency (ENISA) Position Paper – Botnets: The Silent Threat – November 2007
This ENISA report examines the rising problem of botnets by describing "the reasons for concern, the infection vectors of bots, the motivation of their creators and expected trends." The report's authors urge "a significant effort by private and public stakeholders in the information society to counter this threat," noting that such an effort will require close cooperation among multinational law enforcement agencies, ISPs and private companies. Concluding that the botnet threat is "a steadily increasing problem threatening governments, industries, companies and individual users with devastating consequences," the report includes a series of recommended actions. Those include increased prosecution of cyber crime, increased international cooperation and increased public education efforts so that the broader public understands the threat. A full copy of the report is available at http://enisa.europa.eu/doc/pdf/deliverables/enisa_pp_botnets.pdf

International Telecommunication Union (ITU)
With its 191 Member States and more than 700 Sector Members and Associates, ITU is uniquely placed to seek consensus on a framework for international cooperation in cybersecurity. Its membership includes the Least Developed Countries, the developing and emerging economies, and the industrialized countries. ITU, therefore, provides the preeminent forum where the diverse views about cybersecurity and cybercrime, including those of the private sector, can be discussed, with the goal of arriving at a common understanding amongst all the concerned parties of how those issues could be addressed globally and effectively.

Moreover, the known mandate of ITU in the standardization and development of telecommunications was recognized when world leaders appointed ITU as moderator/facilitator for WSIS Action Line C5. This acknowledgment reinforces ITU as an ideal forum for developing and putting into action solutions aimed at addressing the global challenges of cybersecurity.
http://www.itu.int/osg/csd/cybersecurity/gca/

Microsoft TechNet Security Center
The TechNet Security Center provides links to technical bulletins, advisories, updates, tools, and prescriptive guidance designed to help keep Microsoft servers, desktops, and applications up to date and secure. It includes Microsoft's monthly security bulletins.
http://www.microsoft.com/technet/security/default.mspx

National Cyber Security Alliance
The National Cyber Security Alliance (NCSA) is a collaborative effort among experts in the security, non-profit, academic and government fields to teach consumers, small businesses and members of the education community about Internet security. The NCSA aims to increase awareness about the risks associated with using Internet technologies and how to help protect against them, while also providing free tips, checklists and best practices for remaining safe while online.
www.staysafeonline.org

Center for Identity Management and Information Protection (CIMIP)
The Center for Identity Management and Information Protection at Utica College is a research collaborative dedicated to furthering a national research agenda on identity management, information sharing, and data protection. Founded in June 2006, its ultimate goal is to impact policy, regulation, and legislation, working toward a more secure homeland. CIMIP's partners (LexisNexis, IBM, TransUnion, the United States Secret Service, the United States Marshals Service, the Federal Bureau of Investigation, Utica College, Carnegie Mellon University, Indiana University, and Syracuse University) are committed to working together to provide resources, gather subject matter experts, provide access to sensitive data, and produce results that will be put into action in the form of best practices, new policies, regulations, and legislation, training opportunities, and proactive initiatives for solving the growing problems of identity fraud and theft, secure sharing of information, and information protection.
www.cimip.org

Websense 2008 Security Predictions – December 2007
Information security company Websense issued its annual security predictions for 2008—with content-based threats topping the list. Specifically, the Websense® Security Labs™ expects: the Olympics will spur a flurry of hacker activity such as compromises of popular Olympic news or other sports sites; hackers will leverage the increased adoption of Macs and iPhones as new means for cross-platform Web attacks; special interest groups that fall within a certain age group, wealth bracket, or people with particular purchasing habits, will become targets of Web 2.0 attacks; and spam will increase in the blogosphere and "talk back" sections of news sites to drive traffic and increase search engine rankings of infected Web sites. More information can be found at: http://www.websense.com/global/en/PressRoom/PressReleases/PressReleaseDetail/index.php?Release=0712051539

This listing was compiled by the Cyber Security Industry Alliance (CSIA).
www.csialliance.org
December 2007