Computer Crime: The Undetected Disaster
- Published on October 26, 2007
Traditionally, the time of criminal acts is measured in minutes, hours, days, weeks, months and years. Today some crimes are being perpetrated in less than .003 of a second (3 milliseconds). Thus, automated crime must be considered in terms of a new time scale because of the speed of the execution of instruction in computers. Also, geographic constraints do not inhibit perpetration of this new crime. A telephone with a computer terminal attached to it in one part of the world could be used to engage in a crime in an on-line computer system in any other part of the world.
The availability of low cost, high capacity hard disks and micro-to-mainframe communications software has greatly increased the power of those with criminal intent. For example, a high-tech criminal could copy an organization’s data programs and files onto a hard disk, modify them, and transmit them back to the main computer system.
The use of microcomputers in stand-alone applications such as electronic spreadsheets, word processing, and graphics has the lowest risk of fraud; using the microcomputer in terminal emulation mode to an on-line computer system has the highest degree of risk.
Compromising the computer system can occur from either or both of the following:
- An outside intruder through the use of a public telephone network connected to the computer
- An employee or unauthorized person within the organization using a terminal or microcomputer
Sophisticated, technical computer skills are no longer needed to perpetrate electronic crimes. Most students receive computer training at an early age and personal computers are used in most businesses.
Hackers have already proven that they can design programs which, when used with auto-dial modems, will continuously try thousands of random combinations of a password scheme in an attempt to illegally log into a computer system. Because outside electronic penetration depends on the use of telephone lines with dial-up capability, many smaller businesses that do not have communication lines connected to the computer are not at risk from hackers. However, small businesses are certainly not immune to fraud. Penetration from within is the most likely means of gaining access to sensitive computer data. The vast majority of white collar computer theft is carried out by trusted employees.
Most experts believe that computer crime is significantly increasing. Some estimates indicate the increase of computer crime at 35 percent annually and the cost at $3.5 billion. A major reason for this increase could be that the average computer crime yields an estimated $560,000 compared to the typical bank robbery of $19,000. The computer criminal is less likely to be caught than the bank robber and less likely to be convicted. Estimates of detected computer crime are as low as one percent, and the likelihood of a criminal conviction for computer fraud is less than one in ten.
A major contributor to computer-related losses is the lack of security awareness. Security awareness can reduce accidents and errors, promote adequate information security controls, and prevent and detect computer crime.
People commit computer crime for the following reasons:
- personal or financial gain
- personal favor
- challenge of beating the system
RISK ASSESSMENT FOR COMPUTER CRIME DISASTERS
Risk assessment for computer crime disasters is the process of identifying and quantifying risk exposure to enable a cost-effective strategy for risk control. Risk assessment should include the following considerations:
- identifying risk threats
- evaluating risk exposures
- determining risk reduction alternatives
- comparing the liability of exposure to the cost of risk reduction alternatives
- implementing and monitoring the selected risk reduction techniques
Control techniques and protective features can be costly and require supporting resources. Therefore, it is important to balance the cost of specific control techniques against the consequence and impact of the risk. The selection of the most appropriate control alternatives should be based on the liability of exposure.
The term internal controls (italicize) refers to all the measures adopted within an organization to safeguard assets, ensure accuracy and reliability of records, and encourage operational efficiency and adherence to prescribed procedures. The system of internal controls also includes the measures adopted to safeguard the computer system.
The nature of internal controls is such that certain control procedures are necessary for a proper execution of other control procedures. This interdependence of control procedures may be significant because certain control objectives which otherwise appear to have been achieved may, in fact, not be achieved because of weaknesses in other control procedures upon which the procedures are dependent.
In a computerized system, concern over this interdependence of control procedures may be greater than a manual system because there is often a greater concentration of functions within computer operations, and certain manual control procedures may be dependent on many automated control procedures even though that dependency is not readily apparent.
The best protection from computer crime disasters is to establish and maintain proper computer controls. There are two types of computer control techniques:
1) general computer controls that affect all computer systems; and
2) application computer controls that are unique to specific computer application systems.
GENERAL COMPUTER CONTROLS
Organization and Operation Controls
The effectiveness of many internal control procedures is dependent upon the activities of responsible personnel. For this reason, a well-planned and properly functioning organization is an important factor in any system of internal control. An effective plan of organization should provide for segregation of functions and responsibilities so that no one person has incompatible duties which would permit the perpetration and concealment of material errors or irregularities.
Specifically, an organization should strive to separate the incompatible functions of asset control, authorization of transactions, data entry and verification of output. For example, the computer operator should certainly not have access to liquid assets or be solely responsible for preparing journal entries and balancing the general ledger. A combination of these duties would provide the operator with the opportunity to perpetrate and conceal fraudulent actions.
Documentation and Systems Controls
These controls specifically cover three areas:
- review, testing and approval of new systems
- control of program changes to existing systems
- documentation procedures
Documentation and system controls are designed to ensure that effective controls are included in all systems and to maintain the integrity of programs. Documentation is useful and important to management in understanding a computer application. Poor documentation can cause processing problems, especially if employee turnover occurs.
Most computer systems have the ability to detect and record a hardware failure. However, some application systems are not designed to take advantage of available controls. For example, if a disk drive fails when reading a record, an indicator is turned on within the hardware. However, unless the indicator is checked by the programs which read the file, the system would not know that the disk failed.
Some types of failures will cause the device or system to halt. This type of control provides positive indication of a hardware malfunction. Failure to use available hardware controls could result in significant processing errors. If undetected, a number of minor errors can have a cumulative effect that might lead to a major system failure.
Access controls provide safeguards for computer resources to ensure that they are properly used. A weakness in or lack of access controls may affect the reliance placed on the results produced by computer processing, in that the integrity of the system may be breached.
Proper access controls will assist in the prevention or detection of deliberate or accidental errors caused by improper use or manipulation of data files, unauthorized or incorrect use of a computer program and improper use of computer resources.
Data and Procedural Controls
Data and procedural controls provide a framework for controlling daily operations and establish safeguards against processing errors. There should be procedures to permit reconstruction of all significant files if an error occurs during processing or if a file is accidentally destroyed. In addition, there should be written policies and procedures for backup and retention of important magnetic files to assure accurate and timely file reconstruction. Data files should be subject to a minimum of three generations of backup.
Physical security for computer processing is very important. These controls can improve segregation of custody assets, prevent accidental or intentional destruction of data, provide for the replacement of records that may be destroyed and ensure the continuity of operations following a major hardware or software failure or natural disaster. Current duplicate copies of the operating system, programs, master and interim transaction files, program documentation, operating instructions and other critical documentation should be maintained off premises.
Input controls are designed to provide reasonable assurance that data received for processing has been properly authorized, converted into machine-sensible form and verified, and that data (including data transmitted over communication lines) has not been lost, suppressed, added, duplicated or otherwise improperly changed. Input controls include controls that relate to rejection, correction and resubmission of data that were initially incorrect. There are four basic categories of input that must be controlled:
- Transaction Entry: Because transaction entry normally represents the largest volume of activity, it usually accounts for the greatest number of errors. Edit routines should be used to detect input errors or exceptions.
- File Maintenance Transaction: File maintenance (updating) often involves a limited volume of data, originates form restricted sources and has a relatively long-term impact on the fields or files that are updated. Errors in the maintenance of master files can have a continuing impact on transactions.
- Inquiry Transactions: These transactions do not change the file that is referenced, but may cause decisions which result in other transactions or inputs.
- Error Correction Transaction: Error correction can be a very complex procedure. It could involve reversal, adjustment of the original transactions, re-entry of the original transactions or some combination of these entries. Error correction is usually more complex than the original transaction entry and offers a greater opportunity to create additional errors.
Processing controls should be designed to provide reasonable assurance that computer processing has been performed as intended for the application; i.e., that all transactions are processed as authorized, that no authorized transactions are omitted and that no unauthorized transactions are added. Such controls are designed to prevent or detect the following types of errors:
- failure to process all input transactions, or erroneously processing the same input more than once
- processing and updating of the wrong file or files
- processing of illogical or unreasonable input
- loss or distortion of data during processing
Output controls are designed to assure the accuracy of the processing result (such as account listings, reports or disbursement checks) and to assure that only authorized personnel receive the output. Output controls should ensure that all input is processed, that processing is accurate and that output is distributed to authorized personnel or groups.
PART I CONCLUSION
Computer systems that are not adequately controlled can increase exposure to computer crime disasters. Proper internal controls are important crime protection techniques. However, the cost of a particular internal control procedure should be carefully compared to the potential benefit received. Compensating manual controls can usually be established when a specific control is not cost-justified. In addition, it is important to establish and maintain an adequate mix of preventive, detective and corrective control techniques.
The second part of this article will deal with access security and prevention as they relate to disaster recovery planning.
Computer security is an increasing concern because computer processing can circumvent traditional control techniques. Particular security concerns result from the proliferation of microcomputers, local area networking, and on-line systems that allow more access to the mainframe computer. Modern technology provides computer thieves with powerful new electronic safe-cracking tools.
Access Security Systems
The most widely used computer access security and control technique involves the use of confidential character strings known as passwords, user-IDs and security codes. These terms are used interchangeably by most people. A password can be defined as any character string intended to remain confidential and used to control access by individuals to computer resources including data, equipment, and software. A special type of password is the personal identification number (PIN) that uses a combination of a numeric character string and a magnetically encoded card to control access.
Passwords can be a pervasive aspect of computer security. Although password security may be the best alternative available today, it can be the weakest link in maintaining system integrity. These are some of the problems you may encounter with traditional passwords:
- misused or mismanaged by individuals
- observed in use
- tapped from nonsecure lines
- simulated by another computer
- traded or loaned
The effectiveness of using passwords to restrict and control access is based on limiting knowledge of the password to an individual user. Maintaining the confidentiality of passwords is dependent on the difficulty involved in decoding it, and the ability of the suer to remember the password without using a written source. This creates a dichotomy because long, randomly generated passwords are the most difficult to compromise, but are more likely to be written. Conversely, short passwords can be more easily memorized, but are also easier to decode or guess.
The number of possible random combinations for various lengths of passwords are listed below. Usually the letters I and O are excluded to avoid confusion with the numbers 1 and 0. This leaves 24 available letters and 10 numbers.
Password Length and
Number of Combinations
Passwords can be selected, issued and maintained by the following sources: user, central administrative function, and computer.
User Selected Passwords
The advantage of user selected passwords is that only the user and the computer know the proper control string. If the user never discloses the password, its confidentiality will be maintained. The disadvantages of user selected passwords are the potential lack of randomness, possible infrequency of change, and permanent loss of the password if the user forgets.
It is a human tendency to choose a password that is meaningful to the individual. Therefore, user selected passwords may be closely associated with the individual such as name, spouse, dog, child, address, telephone number, birth date, car license and other easily remembered possibilities. However, this increases the chance of discovery by someone who knows the individual, as opposed to a stranger. The resulting lack of randomness can undermine password security.
The frequency of password change impacts confidentiality. The chance of disclosure increases over time. Passwords can become common knowledge in the workplace if not frequently changed.
Forgotten passwords create special problems, especially for occasional users. Re-establishing access security can be a lengthy procedure during which needed information may not be available to the user.
Central Administrative Function
A central administrative function can generate passwords on a random basis, ensure frequency of change, and retrieve forgotten passwords. The inherent disadvantage is the lack of confidentiality because both the administrator and user know the password. An additional concern is that the password must be communicated between them.
Computer Generated Passwords
The computer can generate random passwords and enforce change procedures. An administrative function is required for adding new passwords and re-establishing access when passwords are forgotten.
No system of password generation can provide absolute security, and password systems alone do not provide complete security. They are only one aspect of overall security and control.
Password security is especially vulnerable during password distribution. Users must be informed that they are authorized to use the system and must have a means of obtaining their password. It can be difficult to ensure that the recipient of the password is the same person who is authorized for access. Techniques for securing password distribution include the following:
- Direct contact--This method can be effective, but it maybe extremely time-intensive in large organizations for face-to-face contact with each user. Geographically disbursed locations create additional difficulties.
- Telephone contact--This method is widely used and relatively inexpensive. However, there are several opportunities for disclosure in using the telephone.
- Manager distribution--Many organizations use known and trusted managers in the distribution process. This method eliminates the need to contact users directly and establishes management accountability. Sealed envelopes containing individual passwords are sent to the appropriate manager. The disadvantage with this approach is that it relies on trust and increases the number of people involved in the security process.
- Self-mailing envelopes--This method sends the password, receipt and return envelope to the appropriate individual. The signed returned receipt is the confirmation that the user received the password. The major disadvantage with this approach is that disclosure is possible if the mail is not strictly controlled.
Password Security and Control Techniques
The level and degree of protection provided by a password security system varies significantly between organizations and computer systems. If a password is compromised, a perpetrator can impersonate the user and perform specific functions that have originally been intended only for the authorized user. A good password security system should do the following:
1. Allow the organization to specify whether password changes will be controlled by the Security Administrator or the user at the time of installation.
2. Provide password security by user, application, function within application and transaction within the application.
3. Store and report the date of last password change for each user.
4. Automatically generate passwords upon user request.
5. Prevent the user or Security Officer from changing the present password to a prior password
6. Mask (hide) passwords during entry
7. Direct the user to a default menu after proper sign-on if no menu is specified
8. Restrict the ability to enter certain transactions by terminal (i.e., allow only certain terminals to input financial transactions).
9. Monitor unused or inactive passwords.
10. Monitor passwords with excessive usage.
11. Produce a terminal activity report, indicating the sign-on/off times, system accessed and functions performed for each terminal user.
12. Produce a security violations report that shows all unauthorized attempts to access the system.
13. Randomly generate passwords.
14. Encrypt passwords
15. Establish password levels based on file, program, menu and library.
16. Automatically log-off terminals after a pre-determined number of invalid access attempts.
17. Automatically log-off users when their terminals remain inactive for a specified time. This control method reduces the risk associated with unattended terminals.
18. Inform the user after each log on of the last successful access by the user and any unsuccessful intervening attempts. Users can then report any suspicious events.
19. Arrange the terminal to inhibit an observer from viewing the keystrokes of the operator during the log on process.
20. Limit the number of terminals that a user can concurrently be logged on a system. Usually, a user should be logged on only one terminal at a given time.
21. Limit the amount of time allowed for log on by user.
22. Require a minimum of six character passwords. Passwords must be long enough to resist exhaustive searches of all combinations.
23. Automatically notify and require users to change password after a predetermined period of time.
24. Maintain an audit trail of all password changes.
25. Restrict access to specific functions by terminal, time of and, and day of week.
26. Prohibit printing of passwords.
27. Establish a maximum number of attempts for successful log on. Errors can occur, so users should be allowed more than one attempt to correctly enter a password. However, a maximum number of attempts should be established to prevent automated attacks on the system and random guessing. Terminals or communication ports should be disabled after the maximum allowed attempts have been exceeded.
28. Provide alarm system for users under duress.
29. Provide a time and date stamp for all access attempts.
30. Generate an audit trail of all access attempts.
31. Require multiple levels of passwords to access extremely sensitive information. Multiple levels of software security can provide greater protection than a single level that an unauthorized user might be able to circumvent. Multilevel password schemes normally do not delay a legitimate user; however, they can significantly improve protection from intrusion.
32. Restrict the use of programmable function keys (PF keys) or terminal function keys (F keys) in log on procedures. The use of programmable keys to automatically perform log on procedures can violate password protection and system integrity.
Part II Summary
The nature of computer crime is such that an organization without adequate security and control could experience substantial losses that remain undetected for a long time. Thinking that it can only happen to others can increase risk and potentially weaken existing security and control precautions such as passwords. Maintaining the integrity of the password control system is the responsibility of management, users and computer technical personnel.
The third part of this article will describe techniques for preventing and detecting computer viruses.
Many reports have been published about computer viruses. A virus is a name for a class of programs that infect a computer system and, after a period of incubation and reproduction, activate and demonstrate their presence. The name virus is used because many of the characteristics of these programs are similar to the behavior of disease viruses. In medicine, a virus is a disease-spreading infection that enters cells and attaches itself to the cell so that the virus multiplies when the cell multiplies. The presence of certain conditions will allow the viruses to become active and potentially destroy the infected organism.
Computer viruses are computer programs that also have the capability to attach themselves to other programs, reproduce and, under certain circumstances, can damage computer systems, data and programs. A virus can be benign and cause no harm. However, many viruses are destructive in nature. A virus may also be dormant for a period of time until it becomes activated.
Although virus software can be extremely brief, it has a unique appending characteristic that allows the virus software to modify other programs with which it comes in contact. In some cases, the virus software, in the process, may modify itself according to the characteristics of the program to which the virus is appended. An infected program can evolve and become another virus and can spread the evolved virus to other systems.
In the published accounts of virus cases, the attacks seem to have had two general effects:
- The virus deletes files, perhaps through a disk format command.
- The virus software overloads a network by causing an explosion in the number of messages generates, usually directing a message to be sent to every address receiving any other (appended) message.
Specific problems created by viruses include:
- Filling disk or memory with nonusable information (i.e. garbage).
- Altering files
- Changing the File Allocation Table (FAT) so that files cannot be located.
- Altering the boot sector so the computer does not run.
- Initializing or formatting the disk so that all information is destroyed.
- Changing the keystroke definition table.
- Locking the keyboard.
- Altering programs or files.
- Printing or displaying inappropriate messages.
- Slowing program execution time.
Virus programs have many potential forms and the danger can occur at the time of infection or later, depending on the design of the virus and the characteristics of the infected program. Viruses can attach themselves to both programs and data files. The infected software can propagate through a system rapidly. Each virus carries the infection capability and can independently expand the infection.
The activities of a virus may be triggered when the infected program is executed. The virus may check for specific conditions during program execution before performing its intended function, such as time or date. If the condition is not satisfied, the virus may replicate and remain dormant until the next time the infected program is executed.
Computer connectivity and communications is a major reason that viruses are becoming a serious threat. Connectivity and communications allow computer systems to contact many other computer systems. Therefore, the number of possible points of attack is greatly expanded. In addition, the number of computers and people affected also dramatically increases. Viruses can be transmitted inadvertently by people with legitimate access to computer systems. Connectivity allows many users to share data, programs and computers. Unfortunately, it also allows vandals to attack these users with the same computer virus program.
Viruses can also spread through groups of systems that can communicate with each other such as LANs - Local Area Networks and WANs - Wide Area Networks. With proper network techniques, even computers with different operating systems can transfer data and programs, including viruses.
Mainframe computers and minicomputers may be less vulnerable to viruses than microcomputers because:
- Larger computers have more complex operating systems.
- Larger computers have more built-in security. Many microcomputer operating systems were designed for single users and originally had no security built-in.
- Larger computer installations have computer professionals that may be more aware of security concerns. Viruses tend to be noticed more quickly in such an environment, whereas they may be unnoticed for a long time in some microcomputer environments.
- The implementation of larger systems are more unique so that viruses that attack one system cannot successfully attack another.
Potential warning signals of a virus attack include:
- Available RAM decreases without loading a program into memory.
- The disk drive light is unexpectedly illuminated.
- The system slows down dramatically.
- Existing programs suddenly display an unusual error message
- DOS displays unexpected error messages, especially INVALID DRIVE SPECIFICATION.
- File sizes change without reason.
- The number of files changes.
- Directory updates are noticeably longer.
- The keyboard keys suddenly do odd things.
- The system freezes up or crashes.
To assess the threat of viruses, organizations should evaluate their exposure to viral contact. Relatively low risk characteristics include:
- Using stand alone microcomputers.
- Purchasing commercial software from reputable distributors.
- Abstaining from exchanging programs with other computer users (either physically or electronically).
However, connecting computers with networks and using copies of programs from unreliable sources such as bulletin board systems will increase the risk of viral contact and the spread of diseased software within the organization. In addition, the risk of viral sabotage by disgruntled employees is a continuing risk factor.
For organizations that rely on the integrity of their data for daily operations, or where that data is irreplaceable, virus protection techniques may be necessary even if the probability of virus contact is low.
Business networks may be less vulnerable to viral attacks than university and research networks because the user community is usually smaller and more identifiable than that of research networks. In addition, private business networks may have a higher priority on security than the open research networks.
Factors related to high risk in networks include:
- UNIX of PC-DOS based operating systems.
- Poor administration.
- Unrestricted dial-up access.
- Homogeneous hardware and operating systems.
- Limited password control.
- Open networks that allow any university or research facility to be connected.
Freeware and shareware are especially high risk. Freeware refers to programs that are in the public domain, available from a network to download at no cost. If there is a charge or registration fee, it is termed shareware.
Disk and diskette compression utilities are also high exposure areas for viral contact. If the compression program is infected, it can further infect all programs compressed or expanded.
Pirated copies of software also have a high risk because the original source of the piracy may be unknown. In addition, it is a violation of copyright laws and licenses.
Harmful virus software introduced into a large network and communications system could cause significant damage. Therefore, it is prudent to implement methods and procedures to minimize the risk of a virus attack.
Short of completely isolating a computer, there is currently no known method of completely eliminating the risk of viral penetration. However, the following control techniques can help prevent and detect viruses.
1. Backup important data files and programs on a routine basis.
2. Use several generations of backup.