Financial Aspects of Network Security: Malware and Spam

International Telecommunication Union

ITU-T Study Group 3
Geneva, Switzerland
2 April 2008

Johannes M. Bauer*, Michel van Eeten**, Tithi Chattopadhyay*

Please send comments to: ITU-D ICT Applications and Cybersecurity Division <[email protected]>

* Michigan State University, USA, ** Delft University of Technology, Netherlands

The views expressed in this presentation are those of the author and do not necessarily reflect the opinions of the ITU or its Membership.



Objectives of report

• Malware and spam have far-reaching, direct and indirect, financial effects
  • Costs for individuals, organizations, nations
  • Revenues for legal but also illegal players
  • Direct costs probably 0.2-0.4% of global GDP
  • Including indirect effects could be as high as 0.5-1% of global GDP
• Available information is incomplete and potentially biased by stakeholder interests
• The report aims at documenting the state of knowledge of these financial aspects


Overview

• Malware and spam developments
• A framework for analyzing financial flows related to malware/spam
• Main empirical findings
• A preliminary welfare assessment
• Appendix: the malware/spam underground economy


Malware and spam developments


Background

• Payoffs of fraudulent and criminal activity are high and have brought organized crime to malware and spam
• Division of labor and specialization has increased sophistication and virulence of threats from fraudsters and criminals
• Security decisions of some players within the ICT value net do not fully reflect social costs and benefits and only sub-optimally mitigate external threats


Division of labor

[Figure: division of labor among underground-economy actors. Actors shown: Malware Writer, Malware Distributor, Reseller, Guarantee Service, Spammers, Botnet Owner, Identity Collector, Credit Card Abuser, eShops, Drop Site Developers, Drop Service, Drops. Relationship labels: Sells Malware, Uses Services, Sells Identities, Sells credit cards with identities, Buys Goods, Ships Goods, Forward Goods, Buys Drop Site Template. Source: MessageLabs, 2007]


Visibility vs. malicious intent

[Figure: visibility vs. malicious intent, plotted over time. Source: www.govcert.nl]


Malware attack trends

• Overall increases
• Monthly growth
  • Trojans, rootkits slowing toward end of 2007
  • Worms, viruses, AdWare and other accelerating
• As of 3/2008 (Panda)
  • 30% of computers on Internet infected
  • About 50% active
• Postini reports 10% of websites as infected

[Chart: malware counts by category (TrojWare, VirWare, MalWare, AdWare, RiskWare), 2006 vs. 2007; vertical axis 0 to 250000. Source: Kaspersky Labs, 2008]


Spam trends

[Chart: abusive vs. unaltered messages by quarter, Q3-06 to Q2-07; vertical axis 0 to 1600. Data labels: 1210, 1221, 1178, 1230 and 268, 267, 204, 189. Source: MAAWG 2007]

• Different metrics
  • “Abusive” messages (MAAWG)
  • MessageLabs new and old spam
  • Symantec
• Fairly consistent numbers (85-90% of total messages)
• Spamhaus Project (IP addresses)


Geography of spam

[Charts: % Internet mail vs. % Internet spam by region (Africa, Asia, Australia/Oceania, Europe, North America, South America), one panel for 2006 and one for 2007. Source: Symantec, 2007, 2008]


Financial aspects of malware and spam


Selected financial flows

[Figure: numbered financial flows (1 to 13) among Hardware, Software; Security service providers; Fraudsters, Criminals; ISPs; Individual users; Business users; Government; Society at large. Legend: Legal, Potentially illegal]


Direct and indirect cost

• Direct cost such as
  • losses from fraudulent and criminal activity
  • cost of preventative measures (e.g., security software and hardware, personnel training)
  • cost of infrastructure adaptation (network capacity, routers, filters, …)
• Indirect cost such as
  • cost of service outages
  • cost of law enforcement
  • opportunity cost to society (lack of trust)


Legal and illegal revenues

• Legal business activities
  • Security software and services
  • Infrastructure equipment and bandwidth
• Illegal business activities
  • Writing of malicious code
  • Renting of botnets
  • Profits from pump and dump stock schemes
  • Commission on spam-induced sales
  • Money laundering (illegally acquired goods)


Main empirical findings


Cost of malware

• Worldwide direct damage in 2006: $13.2 bn (Computer Economics survey of 52 IT professionals)
  • Decline from $17.5 bn in 2004
  • Effects of anti-malware efforts and shift from direct to indirect costs
• U.S. Federal Bureau of Investigation estimated cost of computer crime to U.S. economy in 2005 at $67.2 bn
• No estimates of indirect and of opportunity costs available


Direct losses to U.S. business

• Surveys of Computer Security Institute (CSI) members since 1996
• In 2007, 494 respondents of which 194 provided damage estimates
• Leading categories:
  • financial fraud
  • damage by viruses, worms, spyware
  • System intrusion
• Incomplete picture

[Chart: average cost per reporting firm (in 000 $), 1999 to 2007; vertical axis 0 to 3500. Source: CSI, 2007]


Cost of preventative measures

• Percentage of IT budget spent on security (2007 CSI Report)
  • 35% of respondents: <3% of IT budget
  • 26% of respondents: 3-5% of IT budget
  • 27% of respondents: >5% of IT budget
• 2006 global revenue of security providers estimated at $7.5 bn (Gartner 2007)
• TU Delft/Quello Center study: 6-10% of IT budget dedicated to security


Cost of spam

Global cost of spam in 2007: $100 bn, of which US$ 35 bn in the U.S. (Ferris Research)

Cost of spam management to U.S. businesses in 2007: $71 bn (Nucleus Research)

Cost of click fraud in 2007: $1 bn (Click Forensics)

Cost to U.S. consumers in 2007: $7.1 bn (Consumer Reports)


A preliminary welfare assessment


Determining welfare effects

• Complicated by the legal and illegal revenues associated with cybercrime
• Costs of malware and spam
  • Direct costs (damages, prevention, …)
  • Indirect costs (law enforcement, trust, …)
• Economic “bads” (e.g., part of security investment), not welfare-enhancing
• Treatment of illegal transactions (estimated to total $105 bn)?


Scaling overall effects

• Costs of malware and spam
  • Most reliable information at country level; how to scale to global level
  • Avoidance of double-counting
  • Global direct costs probably in 0.2-0.4% range of global GDP ($66 tr)
  • Direct and indirect costs could be as high as 0.5-1% of global GDP
• Probably differential effects on national productivity and growth


Appendix: The malware/spam underground economy


Malware/spam

• Players in the underground economy include
  • Malware writers and distributors (trojans, spyware, keyloggers, adware, riskware, …)
  • Spammers, botnet owners, drops
  • Various middlemen
• Emergence of institutional arrangements to enhance “trust” (e.g., SLAs, warranties)
• Steady stream of new attacks (e.g., drive-by pharming, targeted spam, MP3 spam, …)


Interdependent value net

[Figure: interdependent value net. Nodes shown: ISP i, ISP j, ISP k; Users i, Users j, Users k; App/S i, App/S j, App/S k; Hardware vendors; Software vendors; Security providers; Governance. Outer label: Fraudulent and criminal activity]


Efficient & inefficient decisions

• Instances where incentives of players are well aligned to optimize costs to society
  • ISPs correct security problems caused by end users as well as some generated by other ISPs
  • Financial service providers correct security problems of end users and software vendors
  • Negative reputation effects of poor security disciplines software vendors, ISPs, and other stakeholders
• Instances where incentives are poorly aligned
  • Individual users (lack of information, skills, …)
  • Domain name governance/administration system


More Information: ITU Development Sector

• ITU-D ICT Applications and Cybersecurity Division
  www.itu.int/itu-d/cyb/
• ITU-D Cybersecurity Activities
  www.itu.int/itu-d/cyb/cybersecurity/
• Study Group Q.22/1: Report On Best Practices For A National Approach To Cybersecurity: A Management Framework For Organizing National Cybersecurity Efforts
  www.itu.int/ITU-D/cyb/cybersecurity/docs/itu-draft-cybersecurity-framework.pdf
• National Cybersecurity/CIIP Self-Assessment Toolkit
  www.itu.int/ITU-D/cyb/cybersecurity/projects/readiness.html
• ITU-D Cybersecurity Work Programme to Assist Developing Countries:
  www.itu.int/ITU-D/cyb/cybersecurity/docs/itu-cybersecurity-work-programme-developing-countries.pdf
• Regional Cybersecurity Forums
  www.itu.int/ITU-D/cyb/events/
• Botnet Mitigation Toolkit
  http://www.itu.int/ITU-D/cyb/cybersecurity/projects/botnet.html


More Information: ITU Standardization Sector

ITU-T Study Group 17 – Lead Study Group on Telecommunication Security

www.itu.int/ITU-T/studygroups/com17/index.asp

Question 17/17 - Countering spam by technical means

www.itu.int/ITU-T/studygroups/com17/sg17-q17.html

Recommendations for approval on 18 April 2008:
• X.1231 - Technical strategies on countering spam
• X.1240 - Technologies involved in countering email spam
• X.1241 - Technical framework for countering email spam


International Telecommunication Union

Helping the World Communicate