Securicom '84


and two other forms of related industrial counterfeiting (industrial espionage and paralleling) were discussed in this presentation. The purpose of K. Rawlins' (E.C. Darwin Clayton & Co. Ltd., Nottingham) lecture was to consider the role of insurance and the security industry within the total responsibility of company and risk management and to give the conference some idea of the spectrum of insurance cover currently available, and the special needs of the security industry. Industrial espionage is unethical and is sometimes illegal but it does exist. P.A. Heims (P.A. Heims Ltd., Leatherhead) reported on the subject, methods of attack and hardware in use. P. Wilkinson (University of Aberdeen, Scotland) examined the ways in which terrorists try to use the media, and how effectively their media strategies serve their overall and tactical aims. The proceedings of this conference have been published by IPSA. For further information, contact: the International Secretary, I.P.S.A., 292A Torquay Road, Paignton, Devon, TQ3 2ET, UK.

Securicom '84

Charles Cresson Wood *

This Report provides some highlights of the presentations made at "Securicom '84", the Worldwide Congress on Computer and Communications Security and Protection, which took place in Cannes, France, from 29 February to 2 March 1984. It was attended by approximately 200 professionals working in the field. The conference had something for everyone attending, be they interested in the legal, technical, managerial, or auditing aspects of computer and communications security. The combination of many different speakers from countries throughout the world gave the audience a unique perspective on current practices and innovations coming from both research and industrial organizations. Because only half an hour was available to each speaker, presentations tended to be high-level summaries rather than explicit treatments of the technical details involved. Due to these time constraints, many of the speakers were not able to fully develop their ideas (a matter exacerbated by the fact that many of us had to struggle with simultaneous translation). Nevertheless, the conference provided a valuable and enlightening perspective, as well as a number of interesting ideas that made attendance worthwhile.

* Note: The views expressed herein are solely those of the author, and not those of the Bank of America.

Charles Garrigues of the French Agence d'Informatique cited a 1981 study of some 200 commercial firms in Belgium that has not been widely publicized. He said that the study broke the causes of computer security problems into four specific categories and provided relative frequencies for each of these causes: breakdown (45%), physical problems (27%), handling errors and omissions (20%), willful and intentional acts (5%), and other causes (3%). It is notable that the actual percentage of incidents caused by willful and intentional acts is quite small, while the news media would have us believe otherwise. Garrigues appropriately pointed out that many of the above-mentioned causes of computer security problems can be at least in part addressed with additional training and sensitization programs. He concluded his presentation with an indication of his government agency's plans to educate the French populace about computer security with such ideas as: information from a computer should not automatically be assumed to be accurate and reliable, because computers are designed by, programmed by, and run by fallible human beings.

Stein Schjolberg, Assistant Commissioner of the Oslo (Norway) Police, compared the computer crime laws of various countries. He pointed out that the penal codes are best not relied upon as the major method for addressing computer abuses. Appropriate management procedures, personnel policies, and civil remedies are some other important approaches. Schjolberg, drawing on his previous work at Stanford Research Institute (USA), defined a computer crime as any illegal act that requires some special technical computer knowledge for either its perpetration, investigation, or prosecution. He discussed the need to legally recognize information property rights as one set of rights falling within the purview of what is known legally as "material rights". Because information itself is not a physical thing, courts throughout the world have been laboring over the extent to which information should be treated like other material property. Schjolberg described a number of loopholes in current statutes, such as no clauses for the unauthorized appropriation of computer services. He strongly recommended that each country evaluate its penal codes to make sure that computer abuse is appropriately covered.

Jean Pierre Chamoux and his wife, both with Droit et Informatique in France, presented the results of a study conducted last year that examined the vulnerability of computers in Europe. The survey involved respondents in France, the UK, Italy, Belgium, Switzerland, and the Federal Republic of Germany. Users interviewed felt that the greatest risks involved accidental events such as fire, water, electrical, and human carelessness problems. Of particular concern was the proliferation of microcomputers. The recent rapid increase in the number of these computer systems has dispersed risks to users who are not adequately prepared to fight against computer security problems.
To address this lack, Chamoux recommended that firms concentrate their efforts on training people who work with microcomputers. Intentional acts involving computers, and the degree to which such acts are a real versus a perceived threat, were also discussed. Chamoux stated that, to address intentional acts, insurance is the most needed additional precaution. He said that more medium and small firms should be taking advantage of the new types of coverage that have recently been made available. This author takes exception to the perspective that insurance should be considered as just another control, in some sense substitutable for other controls. Insurance should be used for the residual risk that cannot be dealt with or is not economically dealt with by other controls.

Ms. M. Guimezanes, a French lawyer and professor at Faculté de Droit, Paris, provided a thought-provoking presentation on the formation of legal contracts via electronic mail such as telex. She pointed out that, although they have not been legally recognized, in the past, contracts without hand-rendered signatures have been formed and observed. The threat of being excluded from the business community (i.e. being black-listed) kept people honest and caused them to honor contracts so entered into. At least according to French law, contracts are provable with any method not explicitly excluded by the civil code. Telex numbers and other electronic methods for rendering a signature are not excluded. Guimezanes proposed a modification of telex numbers, involving unique digital signatures, as a legally binding method for the formation of provable (binding) contracts. She discussed the legal idea of an original document as interpreted in a computerized environment; the original document would of course serve as the authoritative reference for settling disputes. With telex, several "documents" (representations) rather than one original document could exist; furthermore, determining that a machine generated document is an original rather than an altered copy poses additional problems. Also covered was the fact that new questions about the time of the formation of a contract will arise when electronic mail methods like telex are used.
More specifically, when a contract was made face-to-face, there was no question as to when the contract was formed; when electronic mail is used, the delay associated with the store-and-forward transmission media leads one to question whether the contract was formed at the time it was sent, or at the time that it was received. Guimezanes concluded by defining the legal characteristics that digital signatures need to possess. These included: unique identification of the parties providing such digital signatures, and an indication that the rendering of a digital signature was the will of the participating party (e.g. it was provided without duress).

Ken Wong, Manager of Computer Security Consulting at BIS Applied Systems (in the UK), has over the last few years compiled an impressive collection of computer abuse cases. He presented some tabulations of these cases and drew some conclusions based on the tabulations. His work is available as a series of reports; due to space limitations, only a small portion of his material can be presented here. Overall, Wong found that UK computer abuse cases involved losses of the following types (frequencies are shown in parentheses): arson and bombing (19%), covert sabotage such as computer operators intentionally making "mistakes" (19%), theft of information and related media (15%), system penetration (10%), logic bombs, i.e. computer programs set to execute when a particular set of internal computer conditions prevail (8%), overt damage (8%), and theft of equipment (21%). In his presentation, Wong focused on disaster cases that caused significant losses. Of these, fully 48% involved fire and/or explosion. The largest losses involved arson some 50% of the time; the greatest damage was sustained when the victim firm did not have automatic fire detection and suppression equipment. Arson and bombing incidents typically took place at night, most often on Saturday or Sunday and when systems were unattended. Of the cases involving fire, and not necessarily resulting in disastrous results, Wong named five causes: arson (32%), electrical problems such as overheating (26%), air-conditioning malfunction, often due to inadequate maintenance (11%), poor housekeeping (8%), and other factors out of the systems management's control (4%). Wong also related that computer abuse incidents were twice as likely to be caused by males as females; he speculated that this was a function of the greater number of males employed in data processing, rather than the possibility that the women were smarter (less often caught) or in some way less inclined to engage in such activities. His studies indicated that when managers were perpetrators, the losses were much greater than when lower level employees were the perpetrators; apparently, said Wong, because managers are greedier.

Wong described how computer abuses were typically discovered in the UK. His case analyses indicate that 14% were discovered by auditors, 6% by control procedures, 8% by management, 7% by colleagues, 4% by complaining customers, 8% by tip-offs or by the police, and 17% by chance inquiries or accidents. The remaining 35% of his cases did not have a specified method for discovering the abusive acts. The poor showing by auditors and control procedures indicates that much remains to be done in the computer abuse detection area.

A. Brignone of Protexarms in France delivered an intriguing paper on how one goes about detecting a wiretap. He discussed the places most likely to be the site of a wiretap, such as a building switching closet, as well as the methods that are likely to be used to accomplish a wiretap, such as the physical fastening of a connector to a wire or the interception of acoustical/electromagnetic emanations. Of particular note were the devices mentioned that enabled the line characteristics to be monitored; when the frequency spectrum or other characteristics change, such changes can be automatically detected. A change of the line characteristics could be an indication of a physical wiretap. The merits of using optical fibers for land telecommunications lines were presented; reportedly, this new technology makes physical wiretapping without detection nearly impossible, and also makes interception of line emanations extremely difficult.

A number of other excellent presentations were given on diverse topics such as building a secure network node (W.J. Caelli with Eracom in Australia), office automation security procedures (W.A.J. Bound with Computer Sciences Corporation in the UK), using the USA Data Encryption Standard (DES) to provide digital signatures (Carl Meyer with IBM in the USA), preparation of a disaster recovery plan (J.P. Michels with Honeywell Bull in Belgium), and of course, using data dictionaries to increase information security (Charles Wood with Bank of America in the USA). For further information, please contact: Securicom 84, SEDEP, 8 rue de la Michodière, 75002 Paris, France.
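The line-characteristic monitoring that Brignone described (calibrate a line, then raise an alert when its measured characteristics drift) can be sketched as follows. This is an added illustration, not code from the report or from Protexarms; the readings, the three characteristics chosen, and the four-standard-deviation tolerance are all constructed assumptions.

```python
from statistics import mean, pstdev

# Constructed calibration readings for one copper line, taken while the line is
# known to be clean: (loop_resistance_ohm, line_capacitance_nF, noise_floor_dBm).
BASELINE_READINGS = [
    (612.0, 48.1, -71.2), (611.5, 48.3, -71.0), (612.4, 48.0, -71.5),
    (611.8, 48.2, -70.9), (612.1, 48.1, -71.3), (611.9, 48.2, -71.1),
]
CHARACTERISTICS = ("loop_resistance_ohm", "line_capacitance_nF", "noise_floor_dBm")

# Constructed monitoring samples: two ordinary readings, one with only the
# capacitance shifted (as a bridged device would add), one with every value off.
SAMPLE_READINGS = [
    (612.2, 48.2, -71.0),
    (611.7, 48.1, -71.4),
    (612.0, 49.1, -71.2),
    (605.0, 52.6, -66.5),
]


def build_baseline(readings, k=4.0, min_spread=0.05):
    """Per-characteristic centre and tolerance band (k population standard
    deviations, floored so a perfectly steady calibration cannot yield a zero band)."""
    baseline = {}
    for i, name in enumerate(CHARACTERISTICS):
        column = [r[i] for r in readings]
        spread = max(pstdev(column), min_spread)
        baseline[name] = (mean(column), k * spread)
    return baseline


def check_reading(baseline, reading):
    """Names of the characteristics that left their band; empty means 'as calibrated'."""
    drifted = []
    for i, name in enumerate(CHARACTERISTICS):
        centre, tolerance = baseline[name]
        if abs(reading[i] - centre) > tolerance:
            drifted.append(name)
    return drifted


def scan_line(baseline, samples):
    """Automatic pass over a stream of readings: (sample index, drifted names) per alert."""
    alerts = []
    for idx, sample in enumerate(samples):
        drifted = check_reading(baseline, sample)
        if drifted:
            alerts.append((idx, drifted))
    return alerts
```

A drift alert is a prompt for a physical inspection of the line and its switching closet, not proof of a tap; legitimate rewiring or moisture in a cable will move the same parameters.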