How to protect ourselves from information


Computer Fraud & Security Bulletin

April 1995

Let us keep in our mind's eye the hacker composite, the Omega player, when reviewing our systemic-holistic security models. Let us add it to our toolkit, so that we can deal with the full security picture, psychological and technical.

HOW TO PROTECT OURSELVES FROM INFORMATION

Silvano Ongetta

If we analyse, even in a summary way, the stages of its evolution, we realise that the role of the informative system in company organization and management has deeply influenced the possibilities of computer application. This, intended as data collection, processing and distribution at the points of decision responsible for company life, is in fact the fundamental resource of the management system, or rather, the ways and means by which a company runs its own business.

Simple informative systems

In informative systems defined as simple, diverse procedures are mechanized, each independent from the other, and the computer acts as a simple high-speed and powerful calculating machine. Therefore, with automation, such administrative work as is iterative could be carried out achieving the primary objectives, that is, doing the same work with speed, precision and security. It seems clear in this light that simple informative systems do not differ from traditional systems other than by greater speed in executing operations and a higher grade of precision.

©1995 Elsevier Science Ltd

This is also demonstrated by the kind of procedures these systems deal with. They are practically the same as those which in the past were carried out mechanically, and even before that manually: salaries, general accounts, current accounts, savings accounts and other similar types. In these informative systems the existing interactions between different elements of the company system were not considered. Later on, the company's changing and growing needs led to the extension of automation to the whole sphere, in such a way as to attain an organic, coordinated and well-structured EDP system.

Integrated informative systems

This tendency has brought about the introduction of integrated informative systems, in which the computer acts as the centre of information processing and sorting, likewise providing elements of decision to the different levels of company organization. The concept of integration is strictly connected to that of the distributed informative system. The latter is based on the development of mini or micro computers at high speed and low cost, able to deal with 'local' company operations and more suitable for the geographical decentralization of the organizational structure and business. In this context, importance is gained by the concepts of:

Inflow from remote points - corresponding to the decentralized positions at which the terminals are situated.

Integrated processing - by which a single piece of information is incorporated and treated in a single sequence by all the systems related to it.

Database - in which the information is accumulated and arranged in a single file, to which all the operative programs requiring access can do so independently, avoiding redundancy and inconsistency of disjointed files for separate systems.

With these systems every application can be converted into informative output, each of which, in terms of global utility, is much superior to the advantages that processing offers in the single specific procedure field.

In this way, the diverse procedures appear integrated with each other, establishing a more or less complex structure that is capable of connecting the various parts or elements of the company, considering the existing interactions between them. Moreover, areas of risk connected to an informative system of this sort are foreseen: the integration of the application system and the abolition of manual controls of the processing sequence allow wrongly ascribed data which is not identified 'at the top' to be reflected on all files at the same time, and its correction calls for complicated manual procedures of extraction or transfer of the deviation.

Decisional informative systems

The next step in the integrated informative system is the decisional, which defines any kind of integrated system able to process information to be utilized for decisional purposes. At this point, it is necessary to make clear that every step of data processing contains elements useful for decisional purposes. After all, even the traditional procedure of accounting performs this function. Nevertheless, even if in every era and in every moment of the process of economic-social development information has provided the necessary support for taking decisions, only with the employment of the computer has the use of information for decisional purposes been raised to the rank of a system.

Decisional informative systems are formulated precisely to help the management take decisions rationally, and not only to know certain trends in the management through the process of picking out data. However, they are characterized by a coordinated data flow towards a single processing terminal, with the prospect of its use for decisional purposes.

The above-mentioned capacity of decisional informative systems to treat the company as a whole, if on the one hand it allows general accounts to assume very particular characteristics (that is, they are kept in a 'synthetic' way, since large amounts of summarized homogeneous operations take place instead of single operations), on the other hand permits refined utilization of the same data by means of suitable programs that satisfy the most varied needs of a cognitive, decisional and forecasting order. Apart from these certainly positive characteristics, it must be pointed out that integrated-decisional information theory can also potentially damage the reliability of data.

The problems

Two new problems must be taken into consideration: firstly, an internal control, directed at preventing internal deviations to the detriment of the firm, and secondly, an external control, with the objective of safeguarding third-party rights. Unfortunately, these internal and external needs are too precariously satisfied by the management of computerized data, and they pose further problems as far as filing is concerned, because the new means do not offer the same guarantee as 'paper', being exposed to risks (not always adequately assessed) of alteration and cancellation, either accidental or voluntary.

Besides, automated data treatment tends to suppress the intermediate results, making difficult the relevant control of the link which must exist between corroborative documents and summary situations. The information systems borne by the computer are consequently not limited to introducing a new operational logic to the company, but oblige those who work there to think in a new and different way, coherent with the technological developments brought about. But, in my opinion, the most critical aspect of decisional informative systems consists in the necessity to hold an enormous quantity of data, of different kinds and continuously renewed and kept up to date, to allow the system to adapt to the changing environmental conditions. It is here, then, that the system is programmed to conserve only information useful to the management, which will then be integrated with that which arises from the cooperation between the manager and specialists through recourse to simulation techniques, becoming an instrument for company decisions at a high executive level. It seems clear that the new philosophy, following the impact of the computer on management, is not only the result of the technical-scientific evolution in the electronic sector, but of new company economic concepts that have placed the old operative schemes and company functioning under discussion. From this point of view, the most relevant aspect is represented by the transfer of the most significant part of sectional decisions to executive level. In the new company functioning scheme, which considers itself as a "multiple direction and single effect communication" system, the manager, as we have seen, freed from routine decisions, is able to follow management phenomena whilst extending and refining his own creative capacity.

With further technical-scientific progress in electronic files and the extensive use of operational research and simulation techniques, information will gain an even more preponderant and significant role, and will end up rigidly conditioning the process of plan formation and company programmes. In this context, the firm will be more the 'dominion' of the technicians and specialists (economists, mathematicians) and, because of the ever greater automation in management processes, the number of potential low-profile employees will diminish. Furthermore, the informative system will have the capacity 'to grow' together with the company, that is, possess the ability to integrate and correlate the various procedures in more ample and functional systems with the changing company needs.

The centre of company life

Competition in the market, the ever greater necessity to compete on wider grounds and outside of geographically limited situations, has made the informative system even more the centre of company life, dispenser of an enormous bulk of data without any prior request from the user. Although this situation has allowed the information system and those who run it to reach unhoped-for objectives of prestige, it has not yet allowed for integration of informative/information resources. The next step is the necessity to integrate, to exchange information between different levels and non-homogeneous systems. It is the phase we are already living today: the exponential growth of communication networks, the continuous birth of databanks accessible everywhere and to everyone, the capacity to treat information with unhoped-for speed using pocket computers, are all phenomena which nowadays allow us to talk about a 'global village'. A village where the information resource is and will be available to all, where the integration between the state (in a wider sense), the company and the individual will be 'global'. The availability of multi-function machines, with graphics, sound and almost unlimited capacity for memorization and filing, is now an almost tangible and widespread future, a future already marked out and ready for final use.


More and more we are living 'bathed' in information:

written source of information: the newspapers;
information from voices and images: radio and television;
information transmitted in the form of computer-to-computer data: our payments through POS;
computer networks that dialogue with other computer networks: EDI;
other technology with which we are only now slowly starting to become familiar: Videotel.

Technical Esperanto

A universe, but also a labyrinth. Information is changing the relationship between citizen and political power, citizen and finance, citizen and bureaucracy. The computer's language, binary, offers a type of technological Esperanto which exceeds and cancels the barriers between millennial cultures, until a few years ago kept separate. This is the coming revolution of the future, if not of today. It is the first step towards the global village where everyone will communicate with each other and where the primary resource will be information. Supercomputers, expert systems, artificial intelligence, optical fibres etc. offer new methods and instruments to treat and transmit enormous quantities of information in an ever more economical way. We are faced with such powerful technology that preparing data will no longer be a problem for the employees. The problem will be in distinguishing the really useful data from the far more numerous data which constitute an annoying background noise, a disturbance. After all, this is also security. How are we preparing to face these changes, and how are we preparing to protect ourselves from information?


AN IMPORTANT REMINDER

Henry B. Wolfe

The setting

What I am about to discuss is not new. The idea and the technology behind it have been around for at least 10 years, and most probably a lot longer. But first, let me set up a few hypothetical scenarios. In the first example we have two law firms which are competitors; it doesn't matter which side you choose, but if the amount of money at stake were significant (and that means different things to different people), what would it be worth to you to observe the exact information that was appearing on your adversary's computer screen? Would that information have value to you no matter which side you were on? In the second example: what if you were a software developer in direct competition with Microsoft? What would it be worth to be able to observe everything that Bill Gates sees on his computer monitor? What would it be worth to be able to observe what targeted vice presidents and/or specific subordinates see on their computer screens? In the third example: as a private citizen you have a home computer, as many people do today. How would you feel knowing that everything you did at that computer was being observed, without your permission and without any notification that you were under surveillance?

What are we talking about?

I suggest that the answer to most of these questions would be that I want the information, but I wouldn't want someone else to be able to gather it about my activities at the computer. The fact is that the capability exists and has been freely available to any organization or individual for many years. Not only has it been freely available, but there are no laws that govern access to that information through the means that I am about to
