Most Requested Statistics:
From SecurityStats.Com, 22 February 2004, see our General InfoSec section or Microsoft Technet
- Across all products, Microsoft released 51 security advisories
in 2003. That represents an average of nearly one new
security patch per week.
- 30 of the MS Security Bulletins released in 2003 affected
Microsoft's Windows XP Operating System.
From Message Labs, 17 January 2004, see our Virus Statistics section or http://www.messagelabs.com
- Processing between 50,000 and 60,000 new copies per hour,
"W32/Mydoom.A has exceeded the infamous SoBig.F virus in
terms of copies intercepted, and the number continues to
rise."
- Message Labs collected over 1.2 Million copies of W32/Mydoom.A-mm
- At its peak infection rate, about 1 in 12 emails on the
Internet was a copy of the MyDoom virus
From Trend Micro, 16 January 2004, see our Virus Statistics section or Computerworld article
- It is estimated that PC Viruses cost businesses approximately
$55 Billion in damages in 2003.
- The same calculations were done for 2002 and 2001, giving $20-30
Billion and $13 Billion, respectively.
From TruSecure / ICSA Labs, 29 August 2003, see our Security Spending section
A recent survey including 882 respondents determined that the MS
Blaster worm:
- Remediation cost $475,000 per company (median average -
including hard, soft and productivity costs) with larger
node-count companies reporting losses up to $4,228,000
- Entered company networks most often through infected laptops,
then through VPNs, and finally through mis-configured firewalls
or routers.
From Deloitte Touche Tohmatsu, 20 May 2003, see our Reports section or http://www.deloitte.com/dtt/cda/doc/content/Global%20Security%20Survey%202003.pdf
Key findings from the recently released 2003 Global Security Survey
conducted by D&T are:
- "Respondents are worried about the increased
sophistication of threats against their computer systems.
- Respondents are recognizing the need for employee awareness
and education.
- Reporting relationships play a key role in the perception of
the importance of the information security function.
- IT security budgets appear to be a single digit percentage of
the overall IT budget.
- There is an absence of Key Performance Indicators (KPI) for
Information Security functions.
- Conventional wisdom for staffing is obsolete and a new model
needs to take its place.
- Fragmented security products contribute to the lack of unified
security programs.
- There is a lack of clarity on the impact of multiple
governance initiatives on information security."
From Deloitte Touche Tohmatsu, 20 May 2003, see our Security Spending section or http://www.deloitte.com/dtt/cda/doc/content/Global%20Security%20Survey%202003.pdf
- Financial services companies are spending approximately 6% of
their IT budgets on information security
- 47% hired extra security staff compared with 2001.
- Only 19% of respondents said they had reduced the number of IT
security staff, despite the slowdown in the economy.
From CNN, 16 May 2003, see our News section or http://www.cnn.com/2003/TECH/internet/05/16/cybercrime.feds.ap/index.html
Federal officials have arrested 135 cyber criminals and have seized over
$17 million in assets as a part of "Operation E-Con." Alleged
crimes include setting up fraudulent bank web sites to steal account
information from unsuspecting customers and taping and selling unreleased
movies. Among the agencies who participated in the sting are the FBI, the US
Postal Inspection Service, and the Federal Trade Commission.
From Internet Fraud Complaint Center (IFCC), 11 April 2003, see our Security Spending section or http://www1.ifccfbi.gov/strategy/2002_IFCCReport.pdf
- Instances of Internet fraud increased drastically in 2002 as
compared to 2001
- Losses reported by victims totaled $54 million, versus $17
million the year before, and complaints referred to law
enforcement totaled 48,252, compared to 16,755 in 2001
- Auction fraud and non-delivery of merchandise were the top two
reported crimes, with credit and debit card fraud following them
at 12%
From Security News Portal, 2 April 2003, see our Web Defacement section or http://www.securitynewsportal.com/cgi-bin/cgi-script/csNews/csNews.cgi?database=JanY.dbid=67
- "75% of all web servers running MS IIS 5.0 are vulnerable
to exploitation."
- "Microsoft issued a security alert on March 17 2003
regarding a buffer overflow vulnerability which allows attackers
to execute arbitrary code on Windows 2000 machines. [A recent Netcraft
survey] found 767,721 IPs running IIS 5.0 and offering
WebDAV and 273,496 IPs running IIS 5.0 with the protocol turned
off."
From MSN, 27 March 2003, see our Security Spending section or http://www.msnbc.com/news/891186.asp?cp1=1
- "ID theft costs banks $1 billion a year. Nearly 10,000
victims had home loans - totaling about $300 million - taken out
in their name in 2002 and another 68,000 had new credit cards
issued in their name"
- "While the FTC received 161,000 identity theft complaints
last year, the FBI estimates the actual number of victims is
probably closer to 500,000"
From Information Security Magazine, 1 March 2003, see our Security Spending section or http://www.infosecuritymag.com/2003/mar/cisosurvey.shtml
According to an Information Security survey of 518 senior security managers:
- Just over half (53%) of those surveyed said their information
security budgets would increase in 2003
- 16% said their budgets would increase by over 20%
- 30% said their budgets would remain flat in 2003
- 17% said their budgets would decrease
From NYT Magazine, 9 February 2003, see our General InfoSec section or http://query.nytimes.com/gst/abstract.html?res=F20813FE3B5C0C7A8CDDAB0894DB404482
In December of 2002, one online SPAM prevention service measured
upwards of 5,000,000 unique SPAM attacks - nearly 3 times more than what
was measured in the same month in 1999.
From Joint CAIDA, ICSI, Silicon Defense, UC Berkeley, and UC San Diego, 1 February 2003, see our Virus Statistics section or http://www.caida.org/analysis/security/sapphire/
An analysis of the Sapphire/Slammer SQL worm shows:
- "This worm required roughly 10 minutes to spread worldwide making
it by far the fastest worm to date."
- "In the early stages [the number of compromised hosts] was doubling
in size every 8.5 seconds."
- "At its peak, achieved approximately 3 minutes after it was
released, Sapphire scanned the net at over 55 million IP addresses per second."
- "It infected at least 75,000 victims and probably considerably
more."
From ZDNet, 29 January 2003, see our General InfoSec section or http://zdnet.com.com/2100-1105-982554.html
PSINet Europe purposely built an unprotected server and connected
it to the Internet to determine how quickly it would be
compromised. Their findings were astonishing:
- The server was maliciously attacked 467 times in the first 24
hours
- Most of the attacks originated in the US or Western Europe
- After 3 weeks, a total of 626 attacks were detected against
the server
From IDC, 18 July 2002, see our Security Spending section or http://www.idc.com/getdoc.jhtml?containerId=pr2002_06_25_210953
The market for web intrusion protection services and products is
expected to increase to nearly US $700,000,000 by 2006.
From Riptech, 8 July 2002, see our Reports section or http://www.riptech.com
Through continual 24x7 monitoring of hundreds of Fortune 1000 companies,
Riptech has discovered several extremely relevant trends in information security.
Among them:
- General Internet attack trends are showing a 64% annual rate
of growth
- The average company experienced 32 attacks per week over the
past 6 months
- Attacks during weekdays increased in the past 6 months.
- High Tech, Financial Services, and Power and Energy industries
continued to be attacked more than other industry verticals
- Riptech's clients appear to be getting better at stopping
Internet attacks.
From UK Dept. of Trade and Industry, June 2002, see our Reports section or https://www.security-survey.gov.uk/View2002SurveyResults.htm
In their bi-annual report on information security breaches in the
UK, PricewaterhouseCoopers and the UK DTI found some astonishing trends:
- Average cost of a serious security incident was £30,000
(appr. US $50,000) and several of those surveyed had single incident costs
which were greater than £500,000 (appr. US $825,000)
- 78% of companies surveyed had experienced at least one malicious
security incident, with 44% experiencing them within the last year.
- 56% of those surveyed were not covered by cyber insurance,
or weren't sure if their current insurance policies covered cyber incidents
- 27% of companies surveyed have no contingency plans for IT
breaches
- Only 27% of surveyed UK companies have a documented security
policy, however, that number is double what it was in 2000.
From CERT, 16 January 2002, see our General InfoSec section or http://www.cert.org/stats/cert_stats.html
Computer security vulnerabilities more than doubled in the last year,
with 1,090 separate holes reported in 2000, and 2,437 reported in 2001. Following
the same trends, the number of reported incidents also drastically increased
with 21,756 documented in 2000 and 52,658 in 2002.
From Computer Economics, 2 January 2002, see our Web Defacement section or http://www.computereconomics.com/cei/press/pr92101.htm
It is estimated that the worldwide impact of malicious code was
$13.2 Billion in the year 2001 alone, with the largest contributors
being SirCam at $1.15 Billion,
Code Red (all variants) at $2.62 Billion, and NIMDA at $635 Million.
From SANS, 3 October 2001, see our Web Defacement section or http://www.incidents.org/react/nimda.pdf
86,000+ Internet hosts are thought to have been compromised and used
to propagate the NIMDA worm, on September 18th. 37,318 (42.97%)
of those hosts resided in the US.
From CAIDA, 25 July 2001, see our Web Defacement section or http://www.caida.org/analysis/security/code-red/
After significant analysis, the Cooperative Association for Internet
Data Analysis (CAIDA) found that the "Code Red" worm affected more than
359,000 servers in less than 14 hours. They also determined:
- "At the peak of the infection frenzy, more than 2,000 new
hosts were infected each minute."
- "43% of all infected hosts were in the United States"
- "11% originated in Korea"
- "5% of [the infected hosts] were in China, and 4% in Taiwan"
- A QuickTime animation of the geographic expansion of the worm
was also made available.
From CERT, 20 July 2001, see our Web Defacement section or http://www.cert.org/advisories/CA-2001-19.html and http://www.cert.org/advisories/CA-2001-23.html
By exploiting a vulnerability in Microsoft's IIS web server product,
over 250,000 web sites are thought to have been compromised by the "Code
Red" worm, in the course of a 9 hour period.
From Attrition, 11 May 2001, see our Web Defacement section or http://attrition.org/security/commentary/worm01.html
8,836 servers are thought to have fallen prey to the "sadmind/IIS Worm"
between May 1st and May 8th, according to a list of IP addresses
obtained by Attrition staff. The worm compromises Sun Solaris systems
and then instructs those systems to deface 2000 Microsoft IIS systems
using the IIS Unicode exploit. The defacement message used by the worm
contains an inflammatory statement about the US Government, as well as
a "calling card" in China.
From GCN, 28 April 2001, http://www.gcn.com/vol1_no1/daily-updates/4028-1.html
According to Major General Dave Bryan, there were 25,000 attempted
intrusions into defense systems last year. Bryan stated that 245
of those attacks were successful, and also that officials found that
96% of the successful attacks could have been prevented if users had
followed protocols.
From the AHA, 30 March 2001, http://www.aha.org/ar/Comment/PrivacyDetailB0330.asp
It is estimated that implementing IT and management solutions to
ensure minimum compliance with HIPAA regulations could
cost hospitals up to US $22.5 billion over the next 5 years.
From C|Net, 22 March 2001, http://news.cnet.com/news/0-1005-200-5217277.html?tag=ch_mh
Conducting a recent "digital sleuthing" challenge has helped researchers
to uncover the costs associated with investigating attacks on systems.
According to the C|Net article:
- "It took the intruder less than a minute to break into the
university's computer via the Internet, and he stayed less than
a half an hour. Yet finding out what he did in that time took researchers,
on average, more than 34 hours each."
- "those 34 hours would cost a company about $2,000 if the
investigation was handled internally and more than $22,000 if a
consultant was called in."
- "The contest also helps illuminate why securing a computer
is more cost effective than hiring consultants to come in and do
the detective work afterward, said Fred Cohen, director of the
online investigations program for the University of New Haven, Conn."
Trends:
- "CERT/CC Overview Incident and Vulnerability Trends", May 15th, 2003
- "Internet Security Threat Report vIII", Symantec, Feb 2003
- "CERT/CC Yearly Stats", CERT/CC, Feb 2004
Security Spending:
- "Security breaches cause $15 billion in damages", Datamonitor, Nov. 2000
Defacements:
- "8071 Web Sites Hacked - 56.67% ran Windows NT, 8.25% ran Solaris", Attrition, Jan 2001
Don'ts:
- "The Seven Worst Security Mistakes Senior Executives Make", SANS, May 1999
Monthly Numbers:
From Information Security Magazine:
- May 2002
- June 2002
- July 2002
Virus Maps:
- McAfee's Top Viruses Worldwide Over the Past 24 Hours