Computer Fraud & Security Bulletin
August 1991

installation layout and information handling procedures, with limited technical checking (sweeping) for the operation of taps and bugs.

Level 2. Perhaps worth a limited long term surveillance or a large short term attack. A rider must be that the adversary would need either already to possess the means, both in terms of equipment and personnel, to carry out a large scale attack, or be able to employ a contractor who can. Regular electronic sweeping should be instigated. The actual electromagnetic radiation profile of the premises should be determined and defensive measures tailored accordingly. File encryption should be routine for all valuable information, with consideration given to some selective encryption facilities for speech and fax transmission.

Level 3. An adversary might expect an excellent return for long term electronic surveillance. A formal information security policy must be formulated and must specifically address all types of threat. A developed security plan will direct the execution of that policy. Detailed security instructions minute the plan’s implementation. A key part of the information security planning is the devolution of responsibility to staff posts not more than one or two levels above that nominated for implementation of specific measures. Classify documents (i.e. finite pieces of information) concerning high value/sensitive items. Handling of such information should be specifically restricted to identified staff posts and to particular means of storing, processing and communication. At least part of these means should be TEMPEST protected and have good cryptographic protection.

Level 4. At this level of risk, it must be considered whether commercially available technical countermeasures to electronic surveillance are entirely adequate for the purpose envisaged by the user and, if they are not, how they can be made so. The subject organization’s interest may be best served by establishing its own team with facilities for design, testing and limited production of both software and hardware for some of its own needs.

© Eloka Services Limited 1991

SECURE SYSTEMS MANAGEMENT

Computer Crime vs. Internal Control Systems
Silvano Ongetta
Price Waterhouse, Milan, Italy

If the United States, a country which has always been in the forefront in the automation of productive processes, can be taken as an example of what happens in the area of computer crime, then we can only expect difficult times with respect to the security of data. We are fortunate, however, to be able to study the phenomenon, to learn from the negative experience of others and to make preparations for an adequate defence. We have to act promptly because, even here in Italy, the problem of computer crime is assuming enormous proportions, both in terms of economic loss and frequency. It is no longer a case to be studied by a small group of specialists in the field of data security, but has also become a news item. The news media often openly reports computer crimes in abundant detail. I say this in jest: it looks as though the media is almost trying to promote its perpetration. Certain specialized computer magazines even carry a regular column on these crimes.

The problem is there and requires our attention, also because the issue is probably greater than it appears, since experts maintain that what becomes news is only the tip of the iceberg. Very often, in fact, the companies which have been damaged by computer frauds do not report what happened and prefer not to divulge the news. This is to avoid alarming their clientele and explicitly admitting that their data security system is not very reliable.
Also, based on the most recent events, it appears that the impact of this phenomenon which surrounds the computer world has been understated and, at the same time, the security measures adopted have been overstated, since they are often not the result of ponderous choices following careful analysis, but rather of considerations dictated by emotional factors.

The majority of companies, moreover, treat the subject of security and reliability of data as a decidedly technical subject and, therefore, something to be relegated to the discretion and professional expertise of computer specialists. This circumstance derives from the fact that management is only now starting to become familiar with computer data and normally is not very willing also to become involved with areas related to security. Its involvement, therefore, tends to be superficial rather than incisive and responsible, while its role, even in this area, should be decisive.

Something should be done so that companies become aware of certain topics, so that they assume an attitude which we would define as watchful toward the security of company information systems, so that adequate resources are allocated to the study of the problems and an examination of the countermeasures and, lastly, so that all company initiatives regarding the reliability and security of data are sufficiently coordinated. These actions should not be sporadic, nor based on the capability and desires of single and isolated individuals, but should represent a real and proper security policy which clearly defines objectives and establishes the steps and the instruments for reaching them. For this purpose it is necessary to remember that computer crimes are almost always the eclectic and painful manifestation of a larger and many faceted problem, which almost always has its roots in:

• The inadequacy of the company organization when there is not an acceptable separation of duties.
• The lack of classification of data, with the consequent undifferentiated treatment applied to critical as well as vital data.
• The indiscriminate and frequent use of software instruments which, however, were only created for the purpose of resolving emergency situations.
• The lack of supervision over fundamental operations, such as the control over the integrity of the operating system, databases and application programs.
• The inadequacy of the procedures which govern logical access (control over passwords).
• The uncertain awareness of personnel of the necessity of safeguarding company data.
• The weaknesses in the operating controls capable of minimizing the risks of errors and irregularities which may arise from using the computer and other computer related equipment.
• The lack of assurance that new and revised application procedures satisfy user demands, function in a satisfactory way before being put into use, and are correctly implemented.
• The inadequacy of the procedures which regulate physical access to the computer area and, in general, to all restricted areas.
• The difficulty in ensuring the reliability of data (in the case of brief interruptions) caused by inefficient recovery and restart procedures.

From this, it can easily be assumed that the priorities in security measures should not normally consist of setting up specific anti-fraud barriers, but in establishing an adequate system of internal control which permits the proper management of the company information system on a daily basis.

In fact, it should be remembered that the majority of problems in the information field arise from errors, and if it is possible to prevent errors, then it is almost always possible to confirm those situations where errors are wanted and premeditated. To sufficiently ensure that the company’s system is error proof, it would be necessary to carry out periodic checks of its reliability.

These tests must ascertain that, within the company’s sphere of activity, adequate procedures have been defined and activated for the safeguarding of information. Afterwards, corrective action should be taken with respect to the weaknesses noted, and procedures should be instituted which are useful in the strengthening and improvement of the existing level of internal control. After these actions have been taken, there will be a more reliable, more secure (remembering that absolute security is not economically feasible) and certainly a better understood information system, and this is a very important result.

At this point it will be easier to safeguard information against fraudulent attacks, since it will only be necessary to enlarge the field of inquiry and the level of investigation to identify necessary and appropriate security measures, both as a means of protection and for the timely identification of phenomena considered anomalous.

REVIEWING THE BOOKS

Know your enemy! Do the books Neuromancer, Count Zero, Mona Lisa Overdrive and Burning Chrome by author William Gibson mean anything to you? They should, as these are the books that the hackers are reading. Among the hacker or the cyberpunk crowd it appears that Gibson is the author to read. In his books Gibson speaks of ‘keyboard cowboys’ and ‘console men’, and of ‘cyberspace’. The latter in particular has become a term that the press and hackers alike tend to bat around. In Neuromancer Gibson defined cyberspace: “a consensual hallucination experienced daily by billions of legitimate operators, in every nation, by children being taught abstract mathematical concepts... A graphical representation of data abstracted from the banks of every computer in the human system. Unthinkable complexity.” In other words, computers and computer networks. Given the old proverb ‘know thy enemy’, it would be worth picking up a copy of Gibson’s work for an insight into the cyberpunk/hacker culture and their mindset. Gibson’s books are published by Ace Books, The Berkley Publishing Group, 200 Madison Avenue, New York, NY 10016, USA.

The Computer Underground Digest

Another source of hacker information is The Computer Underground Digest (CUD). The publishers of CUD describe the title as “an open forum dedicated to sharing computer information among computerists and to the presentation of diverse views.” CUD is available on Internet from cudarch@chsunl.uchicago.edu. Back issues are available on CompuServe in DL0 of the IBMBBS.

A recent issue of CUD covered such topics as overzealous law enforcement, media distortions, crime and ethics in the cyber-frontier, and a review of Mondo 2000, a counter culture magazine. This CUD describes as “a sort of cyberpunk/PoMo/discordian publication covering such diverse and fascinating topics as designer drugs, a congressional assault on the constitution, growth hormones, cybernetic

©1991 Elsevier Science Publishers Ltd