Computer Fraud & Security Bulletin
May 1991
underpinning them, KBS could virtually eliminate the fraudulent use of credit cards.
IT SECURITY IN THE 1990s: THE MANAGEMENT OF CHANGE
Dr Ken Wong, PA Consulting, UK
Many businesses will be going through some challenging times ahead. With the current economic recession showing no signs of abatement, margins are squeezed. IT is being channelled to effect cost containment and improve business efficiency, and any spending on security is likely to be curtailed. At the same time, new technology is being harnessed as an enabling vehicle to improve customer service and to move into uncharted waters in search of new business opportunities. New applications such as EDI, image processing and laptop computers also bring new risks to the organization, some of which could directly affect the bottom line.
Electronic data interchange
A major shift in corporate IT emphasis is the increasing move to share a common network with outside organizations. They may be the company's suppliers, customers, business associates or even competitors. Electronic Data Interchange (EDI) among business partners is now accepted as a means to bring services and products closer to customers. For instance, by sharing data and networking with the motor manufacturer, a car dealer can make last-minute changes to a vehicle's specification to accommodate a customer's up-to-date requirements. By sharing a network with suppliers and customers, a manufacturer could benefit from the introduction of Just In Time techniques in the manufacturing process, to cut down on raw material stocks and produce only to order.

However, the advantage obtained from speeding up the data interchange between business partners by paperless means could well be eroded through inadequate controls to maintain the integrity of that interchange. If the system has a poor audit trail and poor error detection and recovery, temporary failings in the hardware, software, power supply or operations staff could result in data drop-out, duplication of data transfers, or data errors. Relationships between business partners could be seriously strained if the loss liabilities resulting from data discrepancies are not satisfactorily resolved.

Suppose the EDI system becomes disrupted. The failure could directly affect the company's manufacturing capability, because the process is based on online capture of product demand to produce the goods required, with timely stock replenishment through online links with suppliers. Suppose instead that EDI business data was misrouted to another trading partner or customer, say through a glitch in the hardware or software, or through human failings. Any commercial-in-confidence business arrangements could be exposed unintentionally to interested parties. This could lead to acute embarrassment if profit margins become known to competitors, or to loss of profits if discretionary discount arrangements become public knowledge among customers.

Document image processing
This is an area which is causing some excitement in the financial services and food and drinks sectors. Once a paper document is captured in the system, the electronic document is simultaneously accessible to a number of distributed office locations. This helps to cut overheads and improve office communications. On the other hand, a serious disruption of the corporate network could render these documents inaccessible for a period, causing major hiccups to business administration. Contingency plans need to be in place to handle such eventualities.

The proprietary nature of some electronic office documents, such as insurance claims or legal contracts, makes them an attractive target for industrial spies. Any document containing personal data also needs to be safeguarded to comply with the Data Protection Act. There is an underlying requirement for the security classification of the various types of proprietary electronic document. The company will need to prepare and issue an information security policy, to explain to management and staff the need for safe custody and for the secure distribution of, and access to, sensitive documents. Otherwise the introduction of an insecure image processing system could well provide a new source of illegal access to company secrets.

Laptop computers

We were all appalled by press reports of the unfortunate RAF officer who had a laptop computer containing top secret Gulf Forces deployment information stolen from his car boot. Good security on the mainframe computer or in offices will not help to reduce this risk. At the same time many companies are now issuing laptop computers to their travelling salesmen and mobile executives, to enable them to do their work while away from company premises. They can dial into the company's
mainframe computer to access the latest sales figures, product availability or work-in-progress results, or to submit their work reports or sales results to the office. Some of the laptop hard disks will contain highly proprietary information such as sales performance or business negotiations. The software on the laptop may have been written at great cost to support the salesman in his selling process. For instance, it could prompt the salesman to ask pertinent questions to steer the potential customer through his company's product ranges, and to offer various forms of competitive pricing based on volume and product availability. Loss of the laptop and the information it contains to an unscrupulous competitor could cost the company dearly in the drastic erosion of its competitive advantage.

Open system interconnection

Currently the only operating software available to support a common applications environment, facilitating software portability between computers from different vendors in an open systems environment, is the AT&T Unix family and compatibles, especially Unix System V. And yet traditional Unix was developed for use in the academic and research environment, where flexibility and easy sharing of files, data, devices and volumes take precedence over security. Unix is thought to have in excess of 10 million active users. It is available on many hardware platforms, including mainframe, mid-range and PC, although minor variations exist among the versions offered by various vendors. Increasingly, third-party applications and devices are available to address the special niche requirements of certain Unix users. It also provides integrated software development tools to facilitate application and program development.

Unix offers certain rudimentary security features to the user and the system administrator, such as user ID numbers, password ageing, overwriting of residual memory data, read-only or write-only access, non-display of the password on screen, and
encrypting of the password file. However, there are also a number of well-known serious flaws and omissions in the range of security features provided. Specifically, read and write access tend to be granted at group level: it would not be possible for one member of a group to have only read access to a file if all the others in the group have read and write access to it. In many Unix implementations the superuser (i.e. system manager) capability is granted by default. This allows users to access anyone's accounts, system program utilities and other system resources whenever the appropriate login routine to grant superuser status is executed. Whenever a user creates a file or directory, the default setting will generally allow access to it. To overcome this serious shortcoming, the user would have to make a conscious effort to change the umask setting from its default value to secure file or directory access. Also, auditing facilities are generally lacking in Unix to facilitate the logging of access violations.
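The umask point above, as an added example that is not part of the article: it creates one file under the historical default umask of 022 and one under 077 on a POSIX system and reports the permission bits each is left with, so the effect of the default the author warns about can be checked directly.

```python
import os
import stat
import tempfile

def create_with_umask(path: str, mask: int) -> int:
    """Create an empty file under the given umask and return its permission bits.

    The kernel clears every bit set in the umask from the mode the program asks
    for (0o666 for an ordinary file), so the mask alone decides what group and
    others may do with a file the user never explicitly protected.
    """
    old = os.umask(mask)
    try:
        # 0o666 is what shells and editors request for a new regular file.
        fd = os.open(path, os.O_CREAT | os.O_WRONLY | os.O_EXCL, 0o666)
        os.close(fd)
    finally:
        os.umask(old)  # restore the caller's umask
    return stat.S_IMODE(os.stat(path).st_mode)

def expected_mode(requested: int, mask: int) -> int:
    """Permission bits the kernel leaves after applying the umask."""
    return requested & ~mask & 0o777

def others_can_read(mode: int) -> bool:
    """True when any user on the system may read the file."""
    return bool(mode & stat.S_IROTH)

def compare_defaults() -> dict:
    """Create one file under the common default umask 022 and one under 077.

    Returns {"permissive": mode, "restrictive": mode} so the difference the
    article describes can be seen on a real filesystem.
    """
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        # 022 is the historical default: the file ends up group- and world-readable.
        results["permissive"] = create_with_umask(os.path.join(tmp, "a"), 0o022)
        # 077 is the value a user has to set deliberately: owner-only access.
        results["restrictive"] = create_with_umask(os.path.join(tmp, "b"), 0o077)
    return results

if __name__ == "__main__":
    for name, mode in compare_defaults().items():
        print(f"{name}: {oct(mode)} others_can_read={others_can_read(mode)}")
```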
Fax and telex

Both computerized fax and telex systems are susceptible to sabotage. These systems generally do not have good security features, and yet their everyday use is now almost taken for granted in some establishments. Some time ago, a large American corporation found to its horror that someone had abused its computerized facsimile system, called Omnifax, in an attempt to discredit the company. The computer system provides facilities for a user to send a fax message on a future date. The user has to enter on the system the fax number, the names of sender and receiver, the date on which the message is to be transmitted, and the message itself. The
company was in the final stages of reviewing tenders from a small number of pre-selected suppliers for a major contract involving millions of dollars. One of the suppliers who had not been invited to tender received on its fax machine a message containing the details of a competitor's tender, and began to complain to the corporation about being excluded from the contract.
The security function reviewed the computer system and found there were no provisions to control illegal access or abuse. Any fax user could set up a future fax transmission from any of the fax terminals. He could enter any user name and a false identity for the fax terminal sending the message, to pretend that the fax had been sent from another terminal. A check of the list of personnel who had access to the tender document soon revealed that one of them was an attorney of the company who had resigned a week earlier in somewhat acrimonious circumstances. They deduced that he was probably the culprit. There was no evidence of the wrongdoing, however, as the system did not keep a log of past events.
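The two controls the security function found missing, as an added example written for this edit rather than code from the article or from the Omnifax product: a scheduler that takes the submitter's identity and terminal from the login session instead of the form, and keeps a hash-chained log so each queued job can be traced afterwards and any edited record is detected. The Session class, the AUTHORISED set and the field names are assumptions for the illustration.

```python
import hashlib
import json
from dataclasses import dataclass, field
@dataclass(frozen=True)
class Session:
    """Identity established at login; the fax form never asks for it."""
    user: str
    terminal: str

AUTHORISED = {"alice", "bob"}  # constructed: who may queue future-dated faxes
def _digest(prev: str, entry: dict) -> str:
    """Hash of an entry chained to the digest of the entry before it."""
    body = json.dumps({k: v for k, v in entry.items() if k != "digest"}, sort_keys=True)
    return hashlib.sha256((prev + body).encode()).hexdigest()

@dataclass
class FaxQueue:
    log: list = field(default_factory=list)  # append-only audit trail

    def schedule(self, session: Session, fax_number: str, send_on: str,
                 claimed_sender: str, message: str) -> dict:
        """Queue a future fax, bound to the authenticated user and real terminal."""
        if session.user not in AUTHORISED:
            raise PermissionError(f"{session.user} may not schedule faxes")
        entry = {
            "user": session.user,          # authenticated, not typed in
            "terminal": session.terminal,  # real origin, not typed in
            "claimed_sender": claimed_sender,  # the typed name is only a claim
            "to": fax_number,
            "send_on": send_on,
            "message_sha256": hashlib.sha256(message.encode()).hexdigest(),
        }
        # Chain to the previous record so a deleted or edited entry is caught later.
        prev = self.log[-1]["digest"] if self.log else "0" * 64
        entry["digest"] = _digest(prev, entry)
        self.log.append(entry)
        return entry

    def verify_log(self) -> bool:
        """Recompute the chain; False means the trail was altered."""
        prev = "0" * 64
        for entry in self.log:
            if _digest(prev, entry) != entry["digest"]:
                return False
            prev = entry["digest"]
        return True

    def who_sent_to(self, fax_number: str) -> list:
        """Investigation view: (user, terminal, claimed name) for jobs to this number."""
        return [(e["user"], e["terminal"], e["claimed_sender"])
                for e in self.log if e["to"] == fax_number]
```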
Incorporate security in new systems
Traditionally many systems developers have chosen to get a new system working first, and then decide on what security and control features to implement. In actual fact, it would save time and minimize reworking if they were able to specify the security features in the system’s specification before commencement of system design. This could be based on the results of a business threat analysis, to ascertain the extent of business needs from the system and to cost-justify various security and resilience provisions to assure information confidentiality, data integrity and service availability. In my view, the IT security function should adopt a more proactive approach to support future system development activities. For instance it could advocate the adoption of certain proven control techniques as corporate standards, or distil and promote good control practices in use in the various system design teams. This will help to reduce unnecessary duplication of effort to develop controls and security procedures.
Managing IT security
With many new IT developments going on in an organization, there is a growing need for security responsibilities to be devolved to local managers. IT security administration should be distributed within the company so that the IT security manager can act as coordinator to liaise with line functions to manage the various IT security aspects in the company, ranging from mainframe to laptops, end user computing and office automation.
In some cases IT developments should also extend beyond corporate boundaries. Many organizations are connected to other companies as a matter of routine, sharing some of their systems, data or networking facilities. Applications such as EDI, EFTPOS or cash management involve people from different companies, some of whom may be overseas, in the sharing of IT capabilities. The previous narrow view of looking after only one's own company's interests may not go down well with those you invite to use or share your IT facilities or services with a view to deriving mutual benefits. You will be expected to protect their data and business interests as well. IT security responsibilities have now expanded from an intra-company perspective to one of looking after the interests of a closed business community. This presupposes that the various security functions across companies will have to work together. They need to coordinate efforts in such areas as risk monitoring, to facilitate the investigation of faults and security breaches, and to agree their respective loss liabilities arising from errors and omissions or security lapses. The closed business community will have to adopt a common code of good security practice. A consistent security policy, together with an appropriate framework for implementing control and security provisions, should be produced and made available to all parties concerned. This will help to promote a common understanding of the security provisions on network nodes, lines and network management facilities.

BOOK REVIEW

Title: Computer Security and Information Integrity
Editors: Klaus Dittrich, Seppo Rautakivi and Juhani Saari
ISBN: 0 444 88859 4
Publisher: North-Holland, Amsterdam, The Netherlands
Price: Dfl 205.00

There is one set of reasons for attending a conference and quite another for wanting to buy the published proceedings. At conferences, the informal social contacts made can often overcome the shortcomings of the papers. For the occasional visitor to these meetings, the conference format can provide a relatively painless way of bringing one's knowledge up to date and perhaps deciding which of the speakers is most suitable to invite to provide consultancy. But the printed proceedings may be relatively useless: too many theoretical papers by academics on the one hand, and too many familiar generalizations by practitioners on the other. These Helsinki proceedings are a welcome exception. Among the academic contributions, Stewart Kowalski's Swedish-based study of computer ethics and computer abuse provides much-needed research on the motives of the classic hacker figure and points the way to ethical, rather than legal or repressive, methods of abuse reduction. John Dobson describes interesting work being carried out at the Universities of Newcastle and York to define what is really meant by 'security' in the context of a computer system, and Kurt Bauknecht and Christine Strauss discuss methods and procedures to overcome the ad hoc setting of security levels, which support and help the people involved in decision-making to establish security policies. Also worth reading is Sead Muftic's paper on security in Open Distribution