IFIP/Sec '85 Abstracts
declared by the system to be the same person who enrolled. We have conducted a series of tests over the last two years collecting more than 28,000 signatures from more than 350 subjects. The error rates in our most recent test were: False rejects 0.19%, False accepts 0.56%.
HANS-JORGEN KUGLER: Concepts of Protection in the IFIP WG 2.7 Reference Model for Command and Response Languages. A generalised model for protection in command and response languages for object-oriented systems, as incorporated in the IFIP WG 2.7 Reference Model, is described. The paper discusses which protection aspects have been included in the reference model without committing to decisions about the implementation of naming schemes or the representation of objects. The general protection scheme relies on the typing structure maintained by the command language system, so it can easily be integrated into specialised, tailored user interfaces. The objects and operations basic to the protection mechanism are discussed, and the decisions a command language designer would have to make to derive a particular access control scheme from the model are described.

WILLIAM T. TENER: Decision Support Systems: A Necessity for Effective Auditing of Controls. Automation in the corporate environment has produced a wealth of data that can be manipulated and analysed. Audit scheduling practices inhibit assurance that controls and effective security practices remain in place between audit engagements. This paper suggests that audit management use decision support systems, management information systems and management science models to identify and project the deterioration of controls that can occur between audit engagements.

IVAN EKERBRINK: Security of Electronic Transactions. New competitors, new services, growing banking markets, new regulations and new techniques are dramatically altering the use of computers within banks. From being bookkeeping tools they have become information processors and decision makers. In the near future information will be the most valuable asset of the banks. This has increased the vulnerability of, and the threats to, banking services. This paper illustrates ways to lower threats in the payment systems of the S-E-Bank.

JOHN G. BEATSON: Development and Organization of the Audit and Security Functions. A vital aspect of any security programme is security management. Data security responsibilities should be delegated to a separate group, and both the data security group and the internal audit department must be adequately staffed to meet the requirements of the rapidly changing environment in which they function. The wide range of potential involvement by both data security and audit personnel demands that senior management know what they can expect from their audit department and have a way of determining whether they are in fact receiving the required information.
ROGER T. DOSWELL: The Audit, Control and Security of the Project Life Cycle - Pre-Implementation Stage. This paper details the steps which should be adopted by the EDP auditor when evaluating the pre-implementation stage of a proposed computer programming project. The paper is presented in the form of a checklist which delegates can adapt and adopt for their particular organisations. It is based upon over ten years' experience in the field of computer audit and has been used "in the field" by the author and his colleagues.

PETER P.C.H. KINGSTON AND MARTIN GOULBOURN: Security for Small Business Computers. Significantly more small businesses are becoming vulnerable because of their reliance on microcomputers and the data they are used to maintain. These businesses cannot afford the prohibitive costs and time involved in securing and protecting large mainframe computers. This paper is a practical approach to resolving these problems using an adaptation of traditional mainframe security and an application of common-sense ideas.

PHILIP M. STANLEY: Educating Computer Crime Investigators. The knowledge needs of computer crime investigators, and hence the education programmes necessary, will vary for each class of investigator. For example, the auditor will require more EDP knowledge; the law enforcement officer will need both EDP and audit knowledge; the EDP expert will need knowledge of investigation techniques and audit. There is a need for a type of MBA course from which people from different disciplines emerge with a good knowledge of each other's capabilities. The contents of such a course are suggested, with reference to existing courses conducted by the FBI and RCMP.

GERALD E. MURINE: Producing Reliable, Secure Software. Adding code, complex design and other measures to software in order to inhibit unauthorized use of software systems directly affects the reliability of the software itself. This paper examines the problem of measuring software reliability in computer security systems and suggests an approach to designing in reliability by making objective measures over the life cycle. The author presents some new concepts which will enable software developers to measure not only the degree of security being built into the software but also its direct impact on reliability.

CHARLES CRESSON WOOD: Establishing Technical Systems Security Standards at a Large Multinational Bank. Many organizations are jeopardizing long-term systems cost-effectiveness, interoperability, and security by allowing various groups within the organization to make decentralized and uncoordinated technical control decisions. Cost-effectiveness is compromised because volume vendor discounts and cross-systems controls are often overlooked or unavailable. Interoperability between systems and networks is compromised because the machines cannot readily exchange secure data. Security is compromised because decentralized development teams are creating controls that address only obvious short-term needs. The solution to this serious problem is to develop, promulgate, and enforce organization-wide technical systems security standards. This paper addresses the organizational, political, technical, and project management matters associated with the development of a bank-wide encryption standards document. The observations and recommended steps are equally applicable to the development of other technical, as opposed to policy-oriented or procedural, systems security standards.

DONALD W. DAVIES: How to Use the DES Safely. Among the ciphers in the public domain, the Data Encryption Standard must have been studied more intensely than any other. Since it is widely used for encipherment and authentication of financial messages, its security is a matter of public concern. As with all ciphers, advances in knowledge and technology can reduce its strength, so that its use then requires more care. This paper reviews what is known about the DES and the precautions needed to use it safely. No guarantee of security can ever be given, since an unsuspected weakness might exist, either in the algorithm or in the way it is used. We do not consider, in this paper, the protocols employed in systems incorporating the DES, and these need at least as much care as the cipher itself.
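The abstract above does not list Davies's precautions. As an added example, not code from the paper or from any of its authors, the following Python shows the key-level checks that any review of "using the DES safely" has to cover: rejecting the four weak keys (all sixteen subkeys identical, so encryption equals decryption) and the twelve semi-weak keys (six pairs where one key decrypts what the other encrypts), checking or repairing the odd-parity bits, and comparing on the 56 effective key bits rather than the raw 8 bytes, because the cipher ignores parity and a weak key with damaged parity is still weak. The key lists are the standard ones published in FIPS PUB 74; the sample keys at the bottom are constructed for the demonstration. The complementation property of DES (encrypting the complement of the plaintext under the complement of the key gives the complement of the ciphertext) is why the weak and semi-weak sets are closed under bitwise complement, which the code makes concrete with `complement_key`.

```python
# Added example (not from Davies's paper): DES key-hygiene checks that a
# review of "using the DES safely" would cover. Only the standard library
# is used, so the checks run without a DES implementation.
#
# Facts the code relies on (FIPS PUB 46 / FIPS PUB 74):
#  - a DES key is 8 bytes, but only 56 bits enter the key schedule; the low
#    bit of every byte is an odd-parity bit that the cipher ignores;
#  - the four weak keys produce sixteen identical subkeys, so E_k == D_k;
#  - the twelve semi-weak keys form six pairs (k1, k2) with E_k1 == D_k2;
#  - complementation: E_{~k}(~p) == ~E_k(p), so the weak and semi-weak sets
#    are closed under bitwise complement, and a brute-force search holding
#    both E_k(p) and E_k(~p) tests two keys per trial encryption.
# Because the cipher ignores parity bits, weak-key detection must compare
# the 56 effective bits; comparing raw 8-byte values lets a weak key with
# corrupted or cleared parity bits slip through.

DES_KEY_LEN = 8

WEAK_KEYS_HEX = (
    "0101010101010101", "FEFEFEFEFEFEFEFE",
    "E0E0E0E0F1F1F1F1", "1F1F1F1F0E0E0E0E",
)

SEMI_WEAK_KEY_PAIRS_HEX = (
    ("01FE01FE01FE01FE", "FE01FE01FE01FE01"),
    ("1FE01FE00EF10EF1", "E01FE01FF10EF10E"),
    ("01E001E001F101F1", "E001E001F101F101"),
    ("1FFE1FFE0EFE0EFE", "FE1FFE1FFE0EFE0E"),
    ("011F011F010E010E", "1F011F010E010E01"),
    ("E0FEE0FEF1FEF1FE", "FEE0FEE0FEF1FEF1"),
)


def strip_parity(key: bytes) -> bytes:
    """The 56 key bits actually used by DES: low bit of every byte cleared."""
    return bytes(b & 0xFE for b in key)


def complement_key(key: bytes) -> bytes:
    """Bitwise complement: the partner key under the complementation property."""
    return bytes(b ^ 0xFF for b in key)


def has_odd_parity(key: bytes) -> bool:
    """True when every byte of the key has an odd number of one bits."""
    return all(bin(b).count("1") % 2 == 1 for b in key)


def set_odd_parity(key: bytes) -> bytes:
    """Recompute every parity bit so that each byte has an odd number of ones."""
    out = bytearray()
    for b in key:
        core = b & 0xFE
        out.append(core | (0 if bin(core).count("1") % 2 == 1 else 1))
    return bytes(out)


# Lookup sets hold the 56-bit cores, so the comparison is parity-independent.
_WEAK_CORES = {strip_parity(bytes.fromhex(h)) for h in WEAK_KEYS_HEX}
_SEMI_WEAK_CORES = {
    strip_parity(bytes.fromhex(h)) for pair in SEMI_WEAK_KEY_PAIRS_HEX for h in pair
}


def weak_key_class(key: bytes):
    """Return 'weak', 'semi-weak', or None for an 8-byte key."""
    core = strip_parity(key)
    if core in _WEAK_CORES:
        return "weak"
    if core in _SEMI_WEAK_CORES:
        return "semi-weak"
    return None


def validate_des_key(key: bytes, fix_parity: bool = False) -> bytes:
    """Reject wrong-length, weak and semi-weak keys; check or repair parity.

    Returns the key to use (parity-corrected when fix_parity is True).
    """
    if len(key) != DES_KEY_LEN:
        raise ValueError(f"DES key must be {DES_KEY_LEN} bytes, got {len(key)}")
    cls = weak_key_class(key)
    if cls is not None:
        raise ValueError(f"{cls} DES key rejected: {key.hex()}")
    if not has_odd_parity(key):
        if not fix_parity:
            raise ValueError(f"DES key parity error: {key.hex()}")
        key = set_odd_parity(key)
    return key


if __name__ == "__main__":
    # Constructed sample keys, not from the paper: a good key, the same key
    # with parity bits cleared, a weak key with parity bits cleared, and a
    # semi-weak key.
    for hexkey in ("0123456789ABCDEF", "0022446688AACCEE",
                   "0000000000000000", "1FE01FE00EF10EF1"):
        k = bytes.fromhex(hexkey)
        try:
            print(hexkey, "->", validate_des_key(k, fix_parity=True).hex().upper())
        except ValueError as err:
            print(hexkey, "->", err)
```

Run `validate_des_key` on every key before it is loaded into a DES device or MAC routine; the all-zero key in the sample is rejected as weak even though it does not appear verbatim in the published list, which is the point of comparing on the 56 effective bits. These checks address only the key; as the abstract says, the protocols around the cipher need at least as much care, and that is outside what this block covers.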