Computer Fraud & Security Bulletin
February 1992
basis must also be provided. In this respect the development of trusted database innovations should be incorporated throughout the US Internet domains.

Information security concerns must not only be limited to guarding against passive and active collection of data from US computer systems. The US Internet domains must also be protected against the more dangerous variety of computer security threats. Network worms, program viruses and other forms of malicious code could spread rapidly throughout the US economic, educational and research infrastructure. The November 1988 Internet worm incident was a significant precursor to what may come in the future as a result of a foreign government operation. A computer ‘Pearl Harbour’ must not be allowed to occur.
INFORMATION SECURITY AWARENESS
Selling IS to the employees

Thomas R. Peltier
General Motors
The employees are the most important asset of this or any company. Just as we have taken steps to protect the employee’s safety in the workplace, we must now work with our employees to find effective means to protect our second most important asset: information. Through our combined efforts, we can ensure that information is protected from unauthorized access, disclosure, modification and/or destruction. Without proper protection of all company assets, we could suffer loss of customer confidence, market share, competitive advantage and, ultimately, jobs. Working together, we can prevent the negatives and strive to reach our full potential in a most cost effective manner. Before we can expect the employees to embrace an information security programme, we must first make them aware of their responsibilities. To do that, we must understand why security fails.
Uncontrolled or Inadequately Controlled Access

An employee in a Midwestern facility was passed over for a promotion and decided to access the Human Resources Management system to see who was better qualified than he was for that job. He accessed the data that lists employees by job classification level (4-5-6-7-8) and then ranks the employees in each category from top to bottom based on previous appraisals. He felt this information was interesting, printed it out and made copies. He posted the copies in the cafeteria, by coffee machines and on bulletin boards throughout the building. It caused a great deal of consternation among the employees who came up to the coffee machines and then found how they were ranked in the company. The breach of security occurred because the personnel director had never changed his password to the HRM system.

Each director or manager is responsible for protecting the information that is resident in their department. The information can be in a mainframe computer, personal computer, file cabinets, on desks or in waste baskets. It is the responsibility of the manager to ensure that the information is properly protected. For example, the personnel director is responsible for ensuring that employee information is protected from unauthorized access or disclosure. If confidential information about an employee is disclosed, the personnel director can be held civilly liable for not properly protecting the information assets. If an engineer is developing a new product and fails to properly protect the information, and test results are modified or altered and the company ends up creating a faulty product, the engineer can be held civilly liable for not protecting the information.

A Canadian firm was showing its new computer-aided design package at an architects’ convention. The package was an ‘expert system’ for designing building facades. The owner was at one station and his son was at a second. After finishing a demonstration, the son turned his back on the computer for a few seconds to ask his father a few questions. When he returned to the computer, the program disk was gone. This incident was made worse in that the disk that was stolen contained the source code. The company estimated the market value of the software package at between $5 and 10 million; it represented 12 years of research and development.
Vague or Inadequately Defined Responsibilities

A Wayne State University graduate student had her doctoral thesis on her IBM XT PC hard drive that she kept in her apartment. She had a breaking and entering incident at her apartment and among the items stolen was her PC. She had failed to create any backups, so now she is attempting to recreate the thesis using the printouts left from her ransacked apartment.

A PC that was left on at lunchtime in an engineering facility had its hard drive reformatted. An investigation determined that the reformatting was probably an accident. It was also determined that the PC that was reformatted two days later was probably done in retaliation for the first one. Because accidents can happen, encourage your employees to secure their work area whenever they leave, especially when they leave for an extended period of time.

A corporation in Georgia had what I would consider a rather lax backup and storage policy for diskettes. They had 40 diskettes containing ‘valuable’ information and 10 more containing ‘crucially important’ data stolen. Those 10 diskettes were so critical to them that it caused two things to happen:

1. They couldn’t put a monetary value on the diskettes; if they didn’t get them back they were out of business; and

2. They went to the local newspaper and put out a ransom offering ad. They would pay to get the diskettes back, no questions asked.
The ad never ran. The police got the diskettes. It seems that a custodian came through the office area cleaning, and found diskettes lying out. He stated that he thought that “no one leaves out important diskettes right?” He took the diskettes home and was reformatting them so that his kids could play games on their new home computer.

A San Francisco firm had all of its accounts receivable diskettes disappear one weekend; they never were found. It took weeks to reconstruct the data using hard copy. Additionally, cash flow became a problem because the company had difficulty collecting bills.

A drafting supervisor was sent to a class to learn how to use a PC database package. Being the good man that he was, when he returned to work he wanted to use what he had learned before he lost the information. He sat down and created a database. It consisted of the employee’s name, social security number, home address, home phone number, last appraisal rating, current salary structure, etc. He did not want to leave the database on the hard drive because he knew that other people had access to the PC. He did not want to leave a diskette in his desk because other people had access to his desk. So, he decided to hide the diskette. He hid it under the desk and attached it with magnets. As you know, diskettes and magnets do not mix; all of the data was scrambled on the diskette. He wanted to ensure that no one accessed his information; he succeeded. No one has gotten to that data to date, including him.

Store diskettes properly. Magnets and diskettes are not compatible. Placing diskettes next to telephones, electric pencil sharpeners, electric staplers or anything with an electric motor can cause the loss of data. Placing a diskette box on top of the heating system (register, radiator, etc.) can damage the diskette. Writing on a diskette with a ball point pen or pencil can damage it.
Those of you living in New York City, San Francisco, Boston or Washington DC, be advised that you shouldn’t set your briefcase on the floor of the subway trains. On some trains, there is a spot on the floor where the magnetic fields from the system’s power supply are strong enough to erase data stored on diskettes.

Inadequate Training of Personnel

A financial department in the Midwest had 100 to 150 diskettes disappear one weekend. Some of the diskettes had two to three years’ worth of financial data - and there were no backups. It took that department 6 months to rebuild the database using hard copy.

Many departments were using a mainframe package called ADRS (A Department Reporting System) to develop information to be used within the department. When support for ADRS was dropped and the departments were given a PC with Lotus 1-2-3 to replace the existing programs, there was a breakdown in the communication of responsibilities. After a few months, the secretary came down to the operations department and asked to have her Lotus file restored. This was the place she had come to when she had had problems with her ADRS files. When she was informed that it was now her responsibility to back up her own data, she became very upset. She had to reconstruct the data using hard copy because she had not been told she was responsible for backing up the data.

Not signing off when you’ve completed your activities on the computer or lending someone your password is a serious breach of security. Just as each employee is unique, the userid to access the computer systems and the data on the systems is unique. Each userid has its own level of authority. If a password is lent out or employees do not sign off after completing their work, they are effectively giving a stranger a signed blank cheque. Your userid is you. Whatever transpires under that userid is your responsibility. Do not lend out your password, and log off when your work is complete.

The Software Publishers Association (SPA) indicated in February 1990 that, during the previous 20 months, they had begun lawsuits against 30 offenders of the Federal Copyright law. It has been estimated by the US International Trade Commission that copyright infringements total $4.1 billion annually. While the goal of SPA is for companies to establish proactive programmes of compliance and employee education, there are still occasions when they need to take legal action. Some recent examples of companies having serious problems with the Federal Copyright law:

- Facts of File Inc, New York;
- Market Street Mortgage, Tampa, Florida;
- Data Mark/Academy Insurance, Atlanta, Georgia;
- National Benefits Fund, New York;
- Hanoverfist Enterprises, Wayne, Michigan;
- Fox, S.A., Barcelona, Spain;
- Cresvale Far East Ltd, Hong Kong.

Reproducing computer software without authorization violates the US Copyright Law. It is a Federal offence. The money paid for a software product represents a licence fee for the use of one copy. Civil damages for unauthorized software copying can be as much as $100 000 and criminal penalties include fines and imprisonment. When an unauthorized copy of a software product is used, it is not a ‘pirated’, ‘bogus’ or ‘bootlegged’ copy - it is stolen property and is to be treated as such. Companies can in no way, legally or ethically, condone the unauthorized copying of software in any manner for any reason.

SPA and the Business Software Alliance (BSA), a division of SPA, are the principal trade group of the PC software industry representing over 625 members in North America and abroad. Through its Copyright Protection Fund, they have been instrumental in working to diminish the problem of software piracy. When asked, they indicated that they find out about companies violating the copyright law in four ways:

1. Honest employees call a vendor with a problem. The vendor requires the caller’s name, company and the serial number of the software product. If the vendor gets three or four calls with the same serial number, an investigation begins;

2. Contractors or visitors in the office observe what is being done and then they call the vendor;

3. Disgruntled employees call the vendor; and

4. Honest employees concerned about the way the company is doing business contact the anti-piracy hotline.

An increasing problem is being introduced into the computer community and that is the virus. Employees using home computers and modems or company equipment are contacting bulletin boards and getting copies of public domain software. The problem with this is that some of the programs contain a virus that infects the good data on the PCs. The following are some easy controls against a computer virus:

1. Rely on software from established companies. Employees are to be discouraged from bringing public domain software into company facilities. At a minimum, all programs of this nature should be reviewed by the computer support staff.

2. Keep untested programs on standalone disks with expendable information.

3. Use the ‘write protect’ tabs on diskettes whenever possible.

4. Test programs on a disk that does not contain valuable information by running the program without the ‘write protect’ tab in place. Then compare the length of each of the programs. If they are different, the disk may be infected.

5. If you are using a PC with a hard drive, disconnect it before running a potentially infected program.

6. Turn your computer off for a few seconds after you’ve finished a job. The process of rebooting the machine may erase the virus.

On a lighter note, a Canadian secretary was using her word processor to write a letter to a friend. She was telling her friend that her live-in boyfriend had just moved out and that she was beginning to feel a little “lonely” and that she was looking for a new “stud”. She inadvertently included the text of this letter into the text of a bill currently pending before Parliament in Ottawa and transmitted it to all departments throughout the Canadian government. She didn’t include her phone number, so she didn’t get the response she may have been looking for.

Protect Employees From Unnecessary Temptation

A financial analyst working for Washington, DC, city offices disagreed with his supervisors about where to invest the District’s millions of dollars in cash flow. The analyst had unrestricted access to the financial database and the password file. Tired of his superior’s interference in the investment process, the analyst changed the computer’s access code and then ‘forgot’ the new code. By doing so, he successfully blocked the District’s ability to access its own funds. Additionally, the analyst started a ‘guess the password contest’ in the local press by giving out daily clues. After a week, DC officials were able to break into their own computers with the help of some high school students who had guessed the new access code. The analyst was fired, and instead of facing charges himself, he agreed to testify before the Federal Grand Jury against his former supervisor about the awarding of city accounting subcontracts.

A bored data entry operator who worked for an Oakland, CA, department store changed the delivery addresses so that thousands of dollars in merchandise was delivered to improper addresses.

Three clerk-typists for a large mid-western manufacturer were arrested for running an ‘office’ football pool on the company’s word processors. The ‘office’ pool, which took in $5000 a week, was part of a larger gambling operation which was being run on the mainframe computers and was clearing $25 000 a week.

Inadequate Protection Against Disgruntled Employees

The year 1988 saw the first ever conviction of a computer virus creator. Donald Burleson was convicted of infecting a former employer’s computer with a virus that deleted 168 000 sales commission records.

In a northern California software company, a former customer support representative who had been fired was accessing the company’s proprietary computer system via dial-up. An investigation discovered that the former employee had copied company software worth millions of dollars.

There has been a noted decrease in company loyalty among employees over the past few years. Two recent surveys have shown that the level of dissatisfaction has extended to managers and supervisors. One survey found that over one-third of middle managers said they would be happier working for some other company, even if the new company didn’t offer a salary increase.

The typical computer crook is an employee who is a legitimate and non-technical user of the system. Often, it is the companies’ own policies that lead some employees down this path. Some companies publish policies that computers are to be used for ‘company personal use only’.

The problem with this policy is that most employees are going to become accustomed to using the PC and want to use it to write letters or college papers in their own time. If your company has such a policy you will be causing two things to happen:

1. The employees will not use the PC to its fullest capacity. They will use it only for the specific task assigned, and will not experiment to expand their knowledge of the software packages, which would give the company a better employee; and

2. Because they are so accustomed to using the PC, they may ‘steal’ system time, and once a person has violated company policy and seen how easy it is, there is a temptation to continue down this road.

The FBI has developed a list of why people commit computer crime. Some of the top reasons are:

1. personal or financial gain;
2. entertainment;
3. revenge;
4. personal favour;
5. the challenge of beating the system;
6. vandalism; and
7. accident.

The average crime with a handgun nets the criminal, according to the FBI, an average of $19 000. The average computer-aided fraud nets the embezzler $450 000. While the criminal with the handgun faces over a 90% chance of being caught and convicted, the computer-aided criminal’s chances of being caught, tried, convicted and doing any jail time are less than 1%. More often than not, the computer criminal starts a computer security consulting business. One of the biggest reasons for this high return on investment is that many companies are unwilling to prosecute. Companies generally try to handle this problem internally.

Keys, Combinations and Passwords Changed Infrequently

In October 1978, a contractor for the Security Pacific Bank learned how to use the FED-WIRE: the method used to transfer funds from one bank to another bank. He opened a Swiss bank account and then waited outside the office of the vice president in charge of that activity. Once the VP left his office, he went inside and called the transfer operator pretending to be the VP. He requested that $10.2 million be transferred to the Swiss bank. The operator asked for the proper password for that transaction. The contract employee gave her what he thought was the current password. The operator said, “No sir, that’s the old password - here is the new password”. With the transfer complete, the contractor went to Europe and withdrew the money and bought Russian diamonds. The KGB contacted the CIA and told them of the purchase. With diamonds in hand, he headed back to the US, landed in Buffalo, NY, and went to his mother’s house where the FBI met him. He was sentenced to eight years in prison. He served three years and was released on parole in 1982. He currently owns his own computer systems business in the Washington, D.C. area.

Recent audits and security reviews of offices throughout the corporation have turned up an alarming problem. Employees are leaving their desks unlocked. This of itself is a problem, but the employees are compounding the situation by leaving their desk, office, file and PC keys in the unlocked drawers. This breakdown in security procedures allows for a new breed of thief: the key collector. This person collects any keys lying around and uses them in desks and offices that are locked. Many employees feel that they have nothing of value in their desks and therefore see no need to lock them. They fail to understand that they are assisting in the violation of their fellow employee’s property, not to mention the loss of corporate information.

Poor Procedures for Control of Receiving and Storing Equipment

Since 1985, the personal computer industry has seen a growth from 2.5 million in the autumn of that year to over 33 million units in use today. With that prolific growth has come an equal increase in the theft of desk top computer hardware and software. A 1985 survey of 184 of the Forbes 500 companies identified theft of hardware as a $3 million a year loss. The survey indicated that 63% of the individuals linked to these thefts were employees or suspected to be employees.

In San Francisco, a family was arrested and charged in connection with the theft of 175 computers valued at nearly $1 million from Allstate Insurance company offices throughout California. The computers, which cost Allstate $6000 apiece, were being fenced for $13 000 apiece.

Personal computers and related products such as modems have replaced electric typewriters as favoured loot among burglars stealing from schools, small businesses and large companies. Current estimates of financial losses suffered by business are generally considered to be between $3 and $5 billion annually with less than 5% of all corporate computer crime ever reported.

Exposure of Sensitive Information in the Trash

We have a new group of adventure seekers: they are Dumpster Divers. This group accesses the trash and is able to gain information about your organization, your system or about yourself. Remember, a printout means money and possible access to your company’s systems and confidential information. Company phone books give potential interlopers employee names, department and phone numbers. Treat company telephone books as classified information and dispose of them properly.

Two 16 year old youths in the Detroit area were arrested for credit card fraud. They went into the dumps around local hotels, restaurants and department stores and then ran up $10 000 each in purchases (mostly computer equipment) using the credit card numbers they found on the discarded carbon papers.

A California utility company usually threw out its old billing information and system access books. One high school kid got into the dumps and figured out how to bill things to the utility. He rented a warehouse at the utility’s expense and then proceeded to fill it. He charged $200 000 worth of supplies before he tired of the game and called the utility and told them what he had been doing.

A Los Angeles electronics wholesaler gained access to California’s largest phone company’s computerized inventory system using information he had gained from their trash. He diverted more than $1 million in supplies to his business, and in some cases sold the stolen equipment back to the phone company. He was eventually turned in by a disgruntled employee.

Inadequate or Nonexistent Security Policies

Before a programme of employee awareness can begin, the company must first develop a formal position on information security. Published procedures are the first step in an overall information security awareness programme. Without a published set of policies and procedures, no company can expect the employees to abide by any set of standards.

We Are Our Own Worst Enemy

To be certain, there are outsiders trying to access our data. Some of these are hackers, news media, competitors, curiosity seekers, etc. However, the greatest threat comes from improperly trained and/or disgruntled employees. Borrowing from the philosopher Pogo, ‘We have met the enemy, and he is us’. We bumble away far more computer dollars than we could ever steal. Our biggest problem is ‘oops’. Employees who are not paying attention to what they are doing, or being given incomplete instructions, cause far more damage than any outsider can do.

A design services supervisor submitted a series of three maintenance jobs (backup, delete, restore). He was attempting to create additional space on the disk packs for the development of more design records. The jobs ran out of sequence; they ran delete, backup, restore. The backup and restore jobs ran very fast. Because the jobs were run in this manner, 10 000 design records were deleted from the graphics system. The supervisor went down to the data processing department and requested that the system backup tapes be used and the design records restored to the system. In reviewing what needed to be done, it was determined that the design group had changed two disk packs from Test to Production without notifying the data processing department. Since only quarterly backups are done of test volumes, it was determined that data processing could restore immediately 7600 design records. However, the remaining 2400 would have to be restored using tapes that were now almost 90 days old. It cost that company over $1 million in overtime and lost production to restore the 2400 back level design records to current status.

In a New York bank one Friday evening, a computer operator entered an incorrect code into the computer and billions of dollars that were supposed to be forwarded to the Federal Reserve electronically were left in the bank. Over the weekend this error cost the bank between $10 and $15 million in lost interest.

Resolving the Dilemma

Obtain corporate commitment. Management has the ultimate responsibility to ensure that corporate information is properly protected from unauthorized access, modification, disclosure and/or destruction. If there is a breakdown in this responsibility, the managers can be held liable and these damages may be collectable from the managers personally. When presented with this information, most managers quickly lend their support to an information security programme.

Establish corporate policies. Publish the procedures, and wherever possible, do not make the document confidential. That is, allow the policies and procedures to be read. Encourage copies to be made and attempt to have as wide a distribution as possible. If possible, have the procedure manual placed in an online activity. Use any of the available text processing products (i.e., TextDBMS, etc.). This will provide the user with ready access to the policies and procedures and you will be certain that they are accessing the most current generation.

Implement a security awareness programme. Before we can expect our employees to adhere to the company policies, they must first be made aware of these requirements. It is not sufficient to just write policies and procedures. The message must be taken actively to the employees and must be incorporated into the workplace as an everyday occurrence. This awareness programme cannot be a one-shot deal; it must be an ongoing process. To use the computer virus as an analogy, there is no vaccine for information security. The process for employee information security is more akin to an allergy desensitization programme: the employees must be exposed to information security on a regular and continuous basis.

Keep the message in front of the employees. Use whatever means is available to keep the information security message alive. Use whatever methods you can: posters, booklets, brochures, coasters, memos, reminder notices, movies, etc.

Monitor and audit compliance and results. Adopt the internal control review programme and monitor the activities of each department. Although the audit staff will continue to perform their regular review process, the individual departments should be required to review information security standards on a more frequent basis. A questionnaire that addresses the key issues should be developed, distributed and completed on at least an annual basis. If any of the questions receive a ‘no’ answer, then the department manager must submit a programme to correct the deficiency (not unlike the response to an audit comment). The questionnaires should also be reviewed by the audit staff when they do their formal audit of the department.

Make security compliance an appraisal item. All employees should be reviewed on a regular basis as to their level of compliance with all company policies and procedures. Information security should be included in this annual appraisal process. As a condition of employment, most companies require new employees to sign a condition of employment agreement. Generally, the conditions include an agreement to abide by the corporation’s policies and procedures. Since information security is a policy of the company, all employees should expect to be appraised on how they fulfil these requirements.

Please note that the employees observe what management says and does. To have an effective security programme all employees, including management, must embrace the goals and philosophies. If management circumvents security, the employees will follow suit.

The continued growth of the corporation is dependent on the reliability and trustworthiness of the employees. A trustworthy employee will cooperate fully with a positive and effective corporate security programme. The employee is the cornerstone to protecting the company’s assets. It is necessary that every employee have a thorough understanding of the corporate security policies and procedures. Adherence to these guidelines is everyone’s responsibility and, as employees, we are all personally responsible for all of our actions.