Vol. 10, No. 4, Page 14
safeguards for reducing that risk. The laboratory will be used to conduct research and provide the tools, techniques and guidance needed to conduct this process. Other uses planned for the laboratory include helping federal agencies select and use commercial risk management software and providing a clearing house for information on risk analysis and management for the Federal Government. For further information, contact: Dennis Steinauer, Institute for Computer Sciences and Technology, Rm B266 Technology Building, National Bureau of Standards, Gaithersburg, MD 20899, USA; tel: 301 975-3357.
ACCESS CONTROL SOFTWARE SURVEY
Management consultants Peat Marwick McLintock are carrying out a detailed survey on the use of access control software in the UK. Users of the RACF, ACF2 and TOP SECRET access control packages will be asked to complete, in strict confidence, a questionnaire on their use of these products. Peat Marwick McLintock say that they have not yet had a lot of replies from RACF users and are keen to hear from them. For further information, contact: Brian Parsons, Peat Marwick McLintock, PO Box 486, 1 Puddle Dock, Blackfriars, London EC4V 3PD, UK; tel: 01-236-8000, ext: 5291. Companies which send in completed questionnaires will receive a free copy of the published report.
BOOK REVIEWS
Title: Datatheft: Computer fraud, industrial espionage and information crime.
Author: Hugo Cornwall. Publisher: Heinemann, London, price £14.95. This is a thorough book giving not only details of crimes connected with the use of computers in the modern world, but also an explanatory history of the rapid, and continuing, technical developments that have enabled such crimes. It is instructive to read about products launched within the last 20 years being discussed as "history". In many cases, the companies and individuals referred to are actually named, a great improvement over similar publications which resort to a cloak of anonymity to hide a multitude of sins. The explanations of the various techniques that can be employed to perpetrate a crime are thorough, and very easy to understand. It is difficult to define exactly what computer crime is (as opposed to other sorts of crimes). Many crimes that used to be carried out manually now work best when aided by a remote computer system. Datatheft makes this point crystal clear; in most cases a computer is almost incidental.
In discussing computer crime, I can think of no better words than a quote from Datatheft - "The only true method of prevention is a generation of executives and managers who are prepared to understand how far the organizations they run are dependent on computers and those who have access to them." No matter what the current statistics are on computer crime (Datatheft explains succinctly that exact figures are not known), management methodology is the key to storing data with a reasonable level of security. If current controls allow people to do something, then you should not be surprised if it gets tried out. Datatheft points out that no matter what the current Government may preach, anxiety about "Social Security fraud" is out of all proportion when you compare the possible returns from tax evasion and from business fraud. The author is unlikely to receive a knighthood for this and other home truths about white-collar crime. Indeed, one of the most illuminating parts of the book examines the problem that many computer-related crimes are perceived as being almost a legitimate action, a sport rather than an illegal act.
© 1988 COMPUTER FRAUD & SECURITY BULLETIN, Elsevier Science Publishers B.V., Amsterdam. /88/$0.00 + 2.20. No part of this publication may be reproduced, stored in a retrieval system, or transmitted by any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior permission of the publishers. (Readers in the U.S.A. - please see special regulations listed on back cover.)
Vol. 10, No. 4, Page 15
My only real criticisms of the book are that at 371 pages, it is perhaps a bit overlong, and having given such voluminous detail of other people's dark secrets, the author finds it necessary to use a pseudonym (Hugo Cornwall). However, such comments are merely nit-picking on what is an excellent volume. I actually sat down and read Datatheft from cover to cover. How many reviewers can say hand on heart that a book interested them enough to do that? Datatheft deserves a wide circulation; it is clearly written, assumes no previous technical expertise, and should prove of great interest to anyone with managerial responsibilities, as well as security professionals.
Keith Jackson
Title: Computer Security - Comprehensive Controls Checklist. Contributors: Charles Cresson Wood, William W Banks, Sergio B Guarro, Abel A Garcia, Viktor E Hampel, Henry P Sartorio. Edited by Abel A Garcia, published by John Wiley & Sons, Baffins Lane, Chichester, West Sussex PO19 1UD, UK. This book is based upon a series of checklists which originated from a project carried out at the Lawrence Livermore National Laboratory for the US Air Force Logistics Command. The preface qualifies the usage of the book inasmuch as achieving a high level of security is a difficult process which does not result from a one-off examination of a system; it is the result of reasonably frequent examinations of strengths and weaknesses. The checklists are divided into two sections - Security, with sub-sections including personnel policies, organizational structure, physical access, data and program access, and telecoms; and Survivability, with sub-sections on environment and back-up recovery. The relative importance of the checklist controls is indicated by a scale of five levels - very high, high, medium, low, very low. A system of expressing the results numerically is also supplied.