Cybercrime Part II, Tyler Moore, Computer Science & Engineering (PDF document)

Cybercrime, Part II

Tyler Moore

Computer Science & Engineering Department, SMU, Dallas, TX

October 25, 2012

Outline

2 / 28

Guide to analyzing data

Type of data                 Exploration (plot)                                   Statistics                                    RByEx
1 numerical variable         ecdf(br$logbreach): empirical CDF of                 one-way t-test, Wilcox test                   6.3
                             log(#records breached)
1 categorical variable       bar plot of counts by breach type                    –                                             3.1
                             (CARD, HACK, PHYS, STAT)                             # categories=2 – prop.test                    6.2
1 categorical, 1 numerical   box plots of log(#records breached) by               anova, permutation                            10
                             Organization Type and by Breach type (FALSE/TRUE)    # categories=2 – 2-way t, Wilcox test, Perm.  6.4
2 categorical variables      plot of organization type (BSF, BSO, BSR, EDU,       χ2 test                                       3.2–3.5
                             GOV, MED, NGO) against breach type (CARD, DISC,
                             HACK, INSD, PHYS, PORT, STAT, UNKN)

3 / 28

Discussion about reading

Anything surprising or interesting to talk about from the readings for Tuesday?

4 / 28


Why measuring cybercrime is hard

Victims may be reluctant to discuss incidents
• Reputational risk
• Regulatory risk
  – Section 5 of the FTC Act authorizes the FTC to take action against unfair or deceptive acts and practices that affect commerce
  – SEC Disclosure Guidance on Cybersecurity Risks: http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm

Mandatory disclosure is used for data breaches
But what to do if affected firms don’t want to share and there’s no mandate?

5 / 28

Relying on third parties for data collection

Enlist the support of disinterested third parties who observe evidence of incidents
• ISPs already observe every domain name that customers try to visit
• Cybercriminals register domain names for purely malicious purposes (e.g., to control computers in a botnet)
• One can estimate the prevalence of malicious web traffic at an ISP by observing the logs of its DNS server (passive DNS)

Obtain a copy of records maintained by criminals
• One group got access to fake AV records for 3 gangs, including data on conversion rates and revenues

6 / 28

Direct observation

When no one will help, one can collect data directly
• Monitoring IRC channels advertising goods for sale
• Co-opting portions of a botnet to observe the spam conversion rate
• Google deploys automated crawlers to block websites distributing malware (found that 1.3% of incoming search queries had at least one malicious result)

While these studies describe the prevalence of badness, it is hard to translate this directly to user harm
There is a trade-off between comprehensiveness and precision when measuring cybercrime

7 / 28

Click trajectories data collection methodology

Source: http://www.icir.org/christian/publications/2011-oakland-trajectory.pdf

8 / 28


Challenges in direct observation

Data that can be observed may not be representative of all crime (think public marketplaces vs. private deals)
Moreover, data that can be observed may exclude the most sophisticated criminals
Corollary: crimes inherently difficult to measure may go unexamined

9 / 28

Why cybercrime surveys are hard to get right

Definitions are loose and left open to interpretation (what counts as an “attack”? see next slide for an example)
Definitional ambiguity occurs more often in surveys of consumers than for firms

Sources of measurement error for survey respondents
1. Underreport events not observed to be attacks
2. Misclassify benign events as attacks
3. Translating the experience of cybercrime into dollars is hard, so reported figures may be unreliable
   • Only 22% of CSI survey respondents included a financial figure for cybercrime losses; it is not fair to extrapolate to those who didn’t report values

10 / 28

Question: Experiences with cybercrime

Cybercrimes can include many different types of criminal activity. How often have you experienced or been a victim of the following situations?
• Identity theft (somebody stealing your personal data and impersonating you, e.g. shopping under your name)
• Received emails fraudulently asking for money or personal details (including banking or payment information)
• Online fraud where goods purchased were not delivered, counterfeit or not as advertised
• Not being able to access online services (e.g. banking services) because of cyber attacks

Respondents were asked to answer “often”, “occasionally”, “never”, or “don’t know”.

11 / 28

Why cybercrime surveys are hard to get right

Sample bias occurs when the set of survey respondents does not accurately represent the population being studied
• The 2011 CSI industry survey received a 6.4% response rate, and responses come disproportionately from large companies who invest heavily in IT security

Even with a random sample, the underlying distribution is often inherently skewed
• 2 outlier losses in CSI’s survey ($20M and $25M), while the average for the other 75 was $100K
• Shouldn’t discard the outliers, but can’t use the mean either
• Median is a more appropriate summary measure, but doesn’t capture total harm

12 / 28


Another problem for cybercrime surveys

Many cybercrimes affect only a very small portion of the overall population
• One study suggests that 0.4% of the Internet population falls for phishing attacks annually
• Thus getting a truly random sample of the population requires sampling from a larger pool

Response bias is also magnified
• Victims may be more likely to respond to surveys since the topic is more salient for them
• Victimization rate is inflated by a factor matching the relative response rate of victims (e.g., if victims are twice as likely to respond, then surveyed incidence will be double the true rate)

For more detail, see: http://research.microsoft.com/apps/pubs/default.aspx?id=149886
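The response-bias argument above can be written down as a small model; this is an added example, not code from the slides. It assumes a true victimisation rate p, that victims and non-victims respond with probabilities r_v and r_n, and that only their ratio k = r_v / r_n matters; it also shows that the "doubling" rule of thumb is an approximation that holds only for rare crimes such as the 0.4% phishing rate.

```python
# Added example (not from the slides): how differential response rates inflate
# a surveyed victimisation rate. Assumptions: true rate p; every victim responds
# with probability r_v and every non-victim with r_n; only k = r_v / r_n matters.


def surveyed_rate(true_rate: float, relative_response: float) -> float:
    """Victimisation rate a survey would report.

    Respondents are drawn from victims (share p, weighted by r_v) and
    non-victims (share 1-p, weighted by r_n). Dividing through by r_n leaves
    only k = r_v / r_n:  s = p*k / (p*k + (1 - p)).
    """
    p, k = true_rate, relative_response
    return p * k / (p * k + (1.0 - p))


def inflation_factor(true_rate: float, relative_response: float) -> float:
    """Ratio of surveyed to true rate; it approaches k only when p is small."""
    return surveyed_rate(true_rate, relative_response) / true_rate


def true_rate_from_survey(surveyed: float, relative_response: float) -> float:
    """Invert the model: recover p from the surveyed rate s and an assumed k.

    Solving s = p*k / (p*k + 1 - p) for p gives p = s / (k - s*(k - 1)).
    """
    s, k = surveyed, relative_response
    return s / (k - s * (k - 1.0))


if __name__ == "__main__":
    # Slide figures: 0.4% of the Internet population falls for phishing each
    # year, and the worked example assumes victims are twice as likely to respond.
    p, k = 0.004, 2.0
    s = surveyed_rate(p, k)
    print(f"true {p:.4%}  surveyed {s:.4%}  inflation x{inflation_factor(p, k):.3f}")
    # For a common event the "double the true rate" shortcut no longer holds:
    print(f"p=30%, k=2 -> inflation x{inflation_factor(0.30, k):.2f}")
    # Correcting a reported figure requires an explicit assumption about k:
    print(f"recovered true rate {true_rate_from_survey(s, k):.4%}")
```

With p = 0.4% and k = 2 the surveyed rate is about 0.797%, an inflation of 1.99; at p = 30% the same k inflates by only about 1.54.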

13 / 28

How much does cybercrime cost?

Source: http://www.propublica.org/article/does-cybercrime-really-cost-1-trillion

14 / 28

How much does cybercrime cost?

15 / 28

Can such high estimates really be right?

In 2009 AT&T’s Ed Amoroso testified before the US Congress that global cybercrime profits topped $1 trillion
• That’s 1.6% of world GDP
Detica’s figure (£27 Bn) is 2% of UK GDP
Not only are the figures eye-poppingly large, it’s often unclear what is being measured
• Amoroso spoke of cybercrime ‘profits’, while Detica describes ‘losses’

16 / 28


Upon closer inspection, the Detica estimates don’t hold up

17 / 28

Upon closer inspection, the Detica estimates don’t hold up

IP theft (£9.2 Bn) and espionage (£7.6 Bn) account for 62% of the total loss estimate
Yet the methodology for computing these estimates appears to rely extensively on random guesses
• IP theft: buried on p. 16 of the report, the authors admit “the proportion of IP actually stolen cannot at present be measured with any degree of confidence”, so they assign probabilities of loss and multiply by sectoral GDP
• Espionage: because “it is very hard to determine what proportion of industrial espionage is due to cybercrime”, the authors ascribe values to plausible targets and guess how often they might be pilfered

18 / 28

Why are poor cybercrime cost estimates dangerous?

19 / 28

Why are poor cybercrime cost estimates dangerous?

20 / 28


But how can we do better?

It is one thing to point out flaws in others’ estimates, but it is quite another to produce a more reliable estimate of cybercrime losses
The UK Ministry of Defence challenged us to produce a more accurate estimate
Our attempt to do better was included in your reading for Tuesday

21 / 28

Decomposing the cost of cybercrime

[Figure: diagram decomposing the cost to society of cybercrimes and their supporting infrastructure into criminal revenue, direct losses, indirect losses and defense costs]

22 / 28

Decomposing the cost of cybercrime

Many cybercrime measurement efforts conflate different categories of costs, which renders figures incomparable
We break up the cost of cybercrime into four categories
1. Criminal revenue: gross receipts from a crime
2. Direct losses: losses, damage, or other suffering felt by the victim as a consequence of a cybercrime
3. Indirect losses: losses and opportunity costs imposed on society by the fact that a certain cybercrime is carried out
4. Defense costs: cost of prevention efforts

We also distinguish between the primary costs of cybercrimes and the costs attributed to a common infrastructure used to perpetrate cybercrimes (e.g., botnets)

23 / 28

An example cost breakdown: phishing

Criminal revenue
• sum of the money withdrawn from victim accounts
• revenue to spammer for sending phishing mails

Direct losses
• criminal revenue
• time and effort to reset account credentials
• secondary costs of overdrawn accounts (deferred purchases)
• lost attention and bandwidth caused by spam messages

Indirect losses
• loss of trust in online banking
• lost opportunity for banks to communicate via email
• efforts to clean up PCs infected with malware

Defense costs
• security products (spam filters, antivirus)
• services for consumers (training) & industry (‘take-down’)
• fraud detection, tracking, and recuperation efforts
• law enforcement

24 / 28


Indirect and defense costs outweigh direct losses

Cybercrime cost category                                        Estimate
Direct losses
  – genuine cybercrime (e.g., phishing, advanced-fee fraud)     $2–3Bn
  – online payment card fraud                                   $4Bn
Defense costs
  – cybercriminal infrastructure (e.g., antivirus)              $15Bn
  – payment card and online banking security measures           $4Bn
Indirect costs
  – cybercriminal infrastructure (e.g., malware cleanup)        $10Bn
  – loss of confidence in online transactions                   $30Bn

25 / 28

Factors affecting the likelihood of shopping online

[Figure: bar chart of the change in likelihood of buying online, in %-pts. (−5 to −15 for decreasing factors, 5 to 15 for increasing factors)]

Factors decreasing the likelihood of buying online
• General concern: online payments security
• Personal concern: e-commerce fraud
• Experience: e-commerce fraud
• General concern: misuse of personal data
• Personal concern: phishing/fraud spam

Factors increasing the likelihood of buying online
• Confidence about own Internet skills
• Do online banking
• Higher education

26 / 28

Factors affecting the likelihood of banking online

[Figure: bar chart of the change in likelihood of banking online, in %-pts. (−5 to −15 for decreasing factors, 5 to 15 for increasing factors)]

Factors decreasing the likelihood of banking online
• General concern: online payments security
• General concern: misuse of personal data
• Experience: identity theft
• Experience: e-commerce fraud
• Personal concern: phishing/fraud spam

Factors increasing the likelihood of banking online
• Confidence about own Internet skills
• Nothing heard about cybercrime
• Do online shopping
• Higher education
• Read about cybercrime on the Internet

27 / 28

Concern about cybercrime inhibits more than experience

One important and unexpected result: concern about cybercrime inhibits online participation more than direct experience with cybercrime does.
• People may find the experience of cybercrime to be less painful than their worst fears

Regardless of what drives the result, its implications are clear
• Assuaging society’s concerns over cybercrime should be a priority
• Awareness campaigns should focus on positive steps to take that improve cybersecurity, not “scaring people straight” by making cybercrime fears more salient

28 / 28
