FEATURE
Software Auditing: More Than a Chore
C.L. Larsen
Computer Fraud & Security, June 1998 © 1998 Elsevier Science Ltd

Software auditing is more than simply a security measure for companies to ensure that they are operating within the law. Auditing is also a good way for them to reduce costs.

Software auditing is like safe sex: most people know that it is important, but many fail to actually do it. Research conducted for Microsoft in 1994 showed that fewer than a quarter of companies had software audit procedures in place. Since then, that figure has risen to over 50%. Regardless, it is still worrying that almost half of all companies still do little or nothing about the illegal use of software.

Software theft, or piracy, is the use of software without the necessary licences having been purchased. Theft is easy. A user in a company has installed some software that another user thinks would be of use, so he or she borrows the master disks and installs the software on their own PC. That copy of the software is then illegal, and both the user and the organization can be prosecuted.

Every acquisition and use of software is governed by copyright law and the licence agreement accompanying the software. It is a breach of the agreement and illegal:

• to copy or distribute software or its accompanying documentation, including programs, applications, data, codes and manuals, without permission or a licence from the copyright holder
• to run a copyrighted software program on two or more computers simultaneously unless specifically allowed by the licence agreement
• for organizations to consciously or unconsciously encourage, allow, compel or pressure employees to make or distribute unauthorized software copies
• to infringe the laws against unauthorized software copying because someone requests or compels it
• to loan software so that a copy can be made, or to copy software while it is on loan
• to make, import, possess or deal with articles intended to facilitate the removal of any technical means applied to protect the software program
Serious business

Even those companies that claim to have an auditing process in place may not be performing it properly. Very few companies treat the process seriously. The most commonly copied software packages are word processors, spreadsheets and presentation tools. Microsoft found that most companies were aware of the problems of illegal software. However, there are a number of reasons for avoiding an audit:

• cost
• lack of time and other business priorities
• lack of tools and services available to carry it out
There are a growing number of auditing tools available, such as Dr Solomon's Audit, and network management and administration tools from companies such as Nortel, Intel and IBM. Microsoft's SMS server also includes auditing facilities. Many of these tools can automatically scan a workstation hard disk and look for software identification markers, such as the entries that installed packages leave in CONFIG.SYS. However, the auditing process can only be automated to a certain extent.

There is another reason for the increased uptake of software auditing: aggressive anti-piracy measures by organizations such as the global Business Software Alliance (BSA) and the UK-based Federation Against Software Theft (FAST). The BSA uses a mixture of education and enforcement to encourage businesses to use software legally. It also carries out unannounced audits, and companies found to be using software illegally can be fined, and receive all the unwelcome publicity that comes with it. The BSA acknowledges the massive problem of so-called 'office copying', whereby an employee copies a program from a colleague's PC rather than going through the often lengthy procedure of obtaining a legitimate copy from the IT manager. A large percentage of infringements are due to poor management rather than wilful piracy. The vast majority of corporate software breaches are the result of recklessness and carelessness rather than the temptation of commercial gain. But even well-intentioned 'soft-lifting' is illegal.

The benefits

Companies should not regard software auditing simply as a process for staying within the law. In fact, the process of auditing software, carried out properly, can bring genuine benefits. Auditing is all too often sold on FUD (fear, uncertainty and doubt). It must be stressed that audits can actually save companies money and allow them to use their resources more efficiently.

The illegal use of software is a management issue. Many companies now have hundreds of PCs, but many have never had a management process in place. Often companies do not know how many PCs they have, where they are, who is using them, and what they are used for. It is not uncommon for IT managers to be unable to say what software sits on their companies' PCs. Most IT departments are composed of many groups. No single person has overall control of the network, and no individual has responsibility for what goes on it, including software. The move from the mainframe to a client/server model has many advantages, but it also makes it much harder to keep track of what is happening on employees' workstations.
Throw in variables like multiple sites, notebook PCs moving in and out of the organization and employees' ability to download software from the Internet, and you begin to see the daunting task facing the auditor. The lack of proper IT management means that all kinds of licensing risks are possible. For example, employees can install software brought in from home and thus breach the licensing agreement. The problem is made worse when software distribution is via a server. It is all too easy to pull software off the company network and fail to record that fact. If there is a limit on the number of authorized users for a certain package, this can easily be breached by poor management procedures. A sure-fire recipe for disaster is giving employees easy access to server-distributed software without any obligation to inform the person responsible for software licensing, assuming that someone in the organization has been assigned that responsibility.

One common scenario is where support staff wander around the site fixing problems. Some of this may involve installing new software. If service staff are having a busy day, it is easy for them to forget to record the installation.

Software auditing is all too often not perceived as an important strategic issue. Either it is delegated or simply put off for another day. Auditing is often driven by a technical issue: there is a virus about, or people are worried about the Year 2000 problem. Software schemes which give companies a master copy of the software and get administrators to record the number of people who use it are like supermarkets without a check-out. Even with the best intentions, people forget what they are using. A 'silent conspiracy', forged between some software resellers and purchasing companies, plays a role in illegal software use. People using these schemes are often not quite sure how many copies of a software package they have installed, so they come up with a figure that makes everyone happy, including the reseller whose job it is to administer the scheme. This works fine while revenue goes up, but a point comes where it starts to go down. Last year Microsoft began auditing customers of resellers accredited under its Select scheme.
Put simply, this was an admission by the software giant that it was concerned with how some companies were using its software licences.

More than a chore

Companies do not devote nearly enough time to licensing agreements. Few companies carefully examine them. A recent survey produced by UK PC software auditing firm fPrint shows that only one in 20 of its customers even asked to look at the licensing agreement before buying software. Often no one in the company has a clue about what the licence permits them to do. For many companies, software licensing is regarded like buying motor insurance: they don't bother to read the conditions, they just pay up and drive away. Software licensing is probably the only area where a junior employee can sign a legally binding contract with an external company. It is not unusual for a company to discover that not only has an employee bought a dozen pieces of software, but also a dozen sets of support fees, because they are part of the licensing agreement.

Auditing is often regarded as an expensive inconvenience. But that is a serious mistake that can cost a company dearly over time. Auditing gives the company the power to plan for the future and to make better use of resources. Auditing offers many business benefits. These include:

• eliminating costly duplication of software
• making user support more cost-effective
• getting more accurate data about hardware and software costs
• achieving accurate IT budgeting
• improving accountability
But, like everything in life, there is a right and a wrong approach. A company should first define its auditing objectives: what does it hope to achieve by carrying out an audit? Next, the company should set the rules and boundaries of the audit. This means determining the kinds of questions that should be asked of users, what software will be scanned, and over what period of time. Then it is a case of carrying out the scanning, putting the data into an audit package, analysing the results and, finally but most importantly, acting on them.
It comes as no surprise that more and more companies are using third-party auditing firms to do the job for them. However, a thorough auditing job can be expensive in terms of both time and money. For instance, a large company with, say, 5000 PCs could find that an audit costs upwards of $120 000 for the software. The company could also face upwards of $50 000 for support tools: if the company has workstations on numerous sites, it will require a program that pulls all the data into a single database. Plus, consultancy fees could cost as much as $150 000. The audit can very often take as long as six months to complete.

The latest auditing tools can do a lot of the work automatically. Their job is to sniff around hard drives and generate a list of installed software. Unfortunately, no tool is infallible: some audit software cannot identify different versions or releases; others only work on the PC platform or are unable to recognize bespoke applications. Auditing via the network is fine, provided that all the company's machines are on the network. There is often a standalone PC lurking behind a locked door. There is also the difficulty created by gateways and server security systems. Naturally, there is the human problem to contend with. Users are often resentful of the intrusion caused by auditing, and may fail to answer questionnaires, or even reply with false answers.

Software auditing can be costly, but it can save the company money. Many companies find that they have more software than they need. Quite often, companies end up throwing away old PCs and the software on them, and then buying new PCs with the same software installed. It is reasons like these which make those in the software auditing business optimistic about the future.
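The middle steps of the audit procedure set out above (scan every machine, pull the results into one database, analyse them against the licences held) can be sketched in code. The following is an added example and is not part of the original article nor of any of the auditing tools it names. It takes constructed inventory records of the kind a scanner sweep across several sites would produce, drops duplicate records left by a rescan, counts installs per product by distinct machine (so a PC carrying two releases of one package counts once), and reports where installs exceed the seats purchased, where seats are surplus, where a product has no entitlement on record at all, and where the scanner could not identify a version, the limitation noted above. All machine names, product names, version strings and seat counts are invented for illustration.

```python
"""Consolidate scanner output across sites and reconcile it against licences.

Added example; the inventory and licence register below are constructed data,
not output from any real audit tool.
"""

# One record per (machine, product, version) as emitted by a per-workstation
# scan. None as the version means the scanner found the product but could not
# tell which release it was.
INVENTORY = [
    ("HQ-PC-001", "Office Word", "7.0"),
    ("HQ-PC-002", "Office Word", "7.0"),
    ("HQ-PC-002", "Office Word", "6.0"),    # old and new release side by side
    ("HQ-PC-003", "Office Excel", "7.0"),
    ("HQ-PC-004", "Presenter", None),       # version not identified
    ("HQ-PC-005", "Office Excel", "7.0"),
    ("BR-PC-010", "Office Word", "7.0"),
    ("BR-PC-011", "Office Excel", "7.0"),
    ("BR-PC-011", "Office Excel", "7.0"),   # same record twice: machine rescanned
    ("BR-PC-012", "Presenter", "2.0"),
    ("LAB-PC-050", "CadTool", "3.1"),       # nothing in the licence register
]

# Seats purchased per product (constructed). A product missing here has no
# entitlement on record.
LICENSES = {"Office Word": 3, "Office Excel": 2, "Presenter": 4}


def consolidate(records):
    """Merge per-machine records into one view per product.

    Returns {product: {"machines": set of hosts, "versions": {release: copies},
    "unknown_version": set of hosts}}. Exact duplicate records are skipped so a
    rescanned machine is not counted twice.
    """
    view = {}
    seen = set()
    for machine, product, version in records:
        key = (machine, product, version)
        if key in seen:
            continue
        seen.add(key)
        entry = view.setdefault(
            product, {"machines": set(), "versions": {}, "unknown_version": set()}
        )
        entry["machines"].add(machine)
        if version is None:
            entry["unknown_version"].add(machine)
        else:
            entry["versions"][version] = entry["versions"].get(version, 0) + 1
    return view


def reconcile(records, licenses):
    """Compare installs (distinct machines) with seats held, product by product."""
    view = consolidate(records)
    findings = {}
    for product in sorted(set(view) | set(licenses)):
        entry = view.get(
            product, {"machines": set(), "versions": {}, "unknown_version": set()}
        )
        installed = len(entry["machines"])
        seats = licenses.get(product)
        if seats is None:
            status = "unlicensed"   # in use, but no entitlement on record
        elif installed > seats:
            status = "over"         # more copies in use than were purchased
        elif installed < seats:
            status = "surplus"      # paying for seats nobody is using
        else:
            status = "ok"
        findings[product] = {
            "installed": installed,
            "seats": seats,
            "status": status,
            "versions": dict(entry["versions"]),
            "unknown_version": sorted(entry["unknown_version"]),
        }
    return findings


def report(findings):
    """Render the findings as one line per product for the auditor to act on."""
    lines = []
    for product, f in findings.items():
        seats = "none" if f["seats"] is None else f["seats"]
        line = f"{product:12s} installed={f['installed']} seats={seats} {f['status']}"
        if f["unknown_version"]:
            line += " (version unknown on " + ", ".join(f["unknown_version"]) + ")"
        lines.append(line)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(reconcile(INVENTORY, LICENSES)))
```

The "surplus" line is the cost-saving case the article argues for: seats paid for that no machine is using. The "unknown_version" list is the practical answer to scanners that cannot tell releases apart: the machine still counts as an install, but the auditor knows which hosts need a manual check before the figure is reported to a vendor or reseller.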
The argument is that as more companies realize that auditing can not only keep them within the law but also save them money, more organizations will come to see auditing as an important part of business development rather than a necessary chore.