%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%               N.I.A.                %%
%%     Network Information Access      %%
%%               02MAR90               %%
%%             Lord Kalkin             %%
%%               File #3               %%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%


:_Computer Crimes/Fraud/Waste part 1

:_Written/Typed/Edited By: Lord Kalkin



1. COMPUTERS: CRIMES, CLUES, AND CONTROLS


Introduction

The Information Age has brought about dramatic improvements in
the way the Federal government does its job. For making decisions,
more and better information is available more quickly to more
people than ever before. Statistical computations that once took
weeks now take minutes. And analyses that once required numerous
programmers, a computer operator, and a large computer facility may
now need only nontechnical staff using software packages on
desktop computers in their offices.

The General Services Administration estimates that Federal
agencies will acquire half a million small computers by 1990. In
FY 1984, Federal expenditures for micro and desktop computers
totaled $137 million. The comparable figure for FY 1983 was $34
million. And these statistics do not include computer terminals
that are part of large computer systems or word processors -- many
of which can be used to store and manipulate data as well as create
graphics. The Office of Management and Budget (OMB) estimates that
$13.9 billion was spent in FY 1985 to acquire, operate, and
maintain Federal information technology systems.

New management problems have accompanied the increased use
of computers and automated technology. Terminals, often connected
to computers that are networked together, can access vast
quantities and different types of data. There are publicly voiced
concerns about the privacy of information and the risks associated
with automating and making more accessible personal, proprietary,
or other sensitive data. There are serious concerns about increased
computer crime, waste, and abuse, which result in such costly
problems as improper payments from government benefit programs and
unnecessary equipment purchases. And there is the clear
recognition that information is a resource to be protected.

The responsibility for protecting information resides with
the end user manager. This responsibility is acknowledged in OMB
Circular A-130, MANAGEMENT OF FEDERAL INFORMATION RESOURCES:

     "Agencies shall make the official whose program an
information system supports responsible and accountable for the
products of that system..."

     "Because end user computing places management of
information in the hands of the individual agency personnel rather
than in a central automatic data processing organization, the
Circular requires that the agencies train end users in their
responsibilities for safeguarding information."

This document is designed to provide information security
awareness training for the end user manager. Security awareness
training acquaints end user managers with systems, controls, and
techniques that enhance information security, and with resources
available for additional information.

"YOU'VE GOT TO CONSIDER YIELD. IT'S $19,000 PER BANK
ROBBERY AND $560,000 PER COMPUTER CRIME!"


Computer crime is a growth industry -- and so are computer
waste and abuse. Some estimates peg the increase in computer crime
at 35 percent annually and its cost at $3.5 billion. One obvious
reason is the potential payoff: the average computer crime yields
an estimated $560,000; the average bank robbery, $19,000.

The computer criminal is less likely to get caught than the
bank robber -- and less likely to get convicted if caught.
Estimates of detected computer crimes are as low as 1 percent. And
the likelihood of a criminal conviction for computer fraud is less
than 1 in 10.

Deliberate computer crime is a significant part of the
picture. But wasteful and abusive practices, accidents, and errors
are an even larger part. In the succinct words of one noted
expert, "We bumble away far more computer $s than we could ever
steal." Those bumbled dollars -- combined with the estimated $3.5
billion annual cost of computer crime -- underscore the scope and
seriousness of computer-related losses.

A major contributor to computer-related loss is the lack of
security awareness. Security awareness can stop accidents and
errors, promote adequate information security controls, and
prevent and detect the would-be computer criminal. End user
awareness of security controls provides four levels of protection
for computers and information resources:


SECURITY CONTROLS: FOUR LEVELS OF PROTECTION

Prevention -- Restricts access to information and
              technology to authorized personnel only;

Detection  -- Provides for early discovery of crimes and
              abuses if prevention mechanisms are
              circumvented;

Limitation -- Restricts losses if a crime occurs despite
              prevention and detection controls; and

Recovery   -- Provides for efficient information recovery
              through fully documented and tested
              contingency plans.


Yesterday, managing technology was the technical manager's
concern. Today, managing information is every nontechnical end user
manager's concern. Managing information requires new knowledge and
new awareness by a new group of nontechnical employees. Good
information management requires recognizing opportunities for
computer crime and waste so that steps can be taken to prevent
their occurrence.

When computers were first introduced, few were available
and only a small number of persons were trained to use them.
Computers were usually housed in separate, large areas far removed
from program managers, analysts, economists, and statisticians.
Today that has changed. Word processors, computer terminals, and
desktop computers are common office equipment. This electronic
equipment is rapidly becoming more user-friendly, so that
many people can quickly and easily learn how to use it.

Employees with access to computer equipment and automated
information are increasing greatly throughout the organizational
hierarchy. The GS-4 secretary, the GS-9 budget analyst, the GS-12
program analyst, the GS-13 statistician, the GM-14 economist, and
the Senior Executive Service manager may all have access to a
computer terminal or word processor and the information it
contains.

No longer is information restricted to a select few at the
highest levels of an organization. This phenomenon has led
computer crime to be called the "democratization of crime." As
more people gain access to automated information and equipment, the
opportunities for crime, waste, and abuse likewise increase.


It's Difficult to Generalize, But...

- Functional end user, not the technical type and
  not a hacker
- Holds a non-supervisory position
- No previous criminal record
- Bright, motivated, desirable employee
- Works long hours; may take few vacations
- Not sophisticated in computer use
- The last person YOU would suspect
- Just the person YOU would want to hire


THE COMPUTER CROOK CAN BE ANYONE

The typical computer crook is not the precocious hacker who
uses a telephone and home computer to gain access to major computer
systems. The typical computer crook is an employee who is a
legitimate and nontechnical end user of the system. Nationally,
employee-committed crime, waste, and abuse account for an estimated
70 to 80 percent of the annual loss related to computers.
Dishonest and disgruntled employees cause an estimated 20 percent
of the total computer system related loss. And they do so for a
variety of reasons.


WHY PEOPLE COMMIT COMPUTER CRIME

- Personal or financial gain
- Entertainment
- Revenge
- Personal favor
- Beat the system, challenge
- Accident
- Vandalism


But a significantly larger dollar amount, about 60 percent
of the total computer-related loss, is caused by employees through
human errors and accidents. Preventing computer losses, whether
the result of deliberately committed crimes or unknowingly caused
waste, requires security knowledge and security awareness. A
recent survey reported that observant employees were the primary
means of detecting computer crime.


CLUES TO COMPUTER CRIME AND ABUSE

Be on the lookout for...

- Unauthorized use of computer time
- Unauthorized use of or attempts to access data files
- Theft of computer supplies
- Theft of computer software
- Theft of computer hardware
- Physical damage to hardware
- Data or software destruction
- Unauthorized possession of computer disks, tapes,
  or printouts


This is a beginning list of the kinds of clues to look for
in detecting computer crime, waste, and abuse. Sometimes clues
suggest that a crime has been committed or an abusive practice has
occurred. Clues can also highlight system vulnerabilities --
identify where loopholes exist -- and help identify changes that
should be made. Whereas clues can help detect crime and abuse,
controls can help prevent them.

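The clues above are written for a human observer, but the first two
(unauthorized use of computer time, and attempts to access data files)
leave traces in a system's audit trail that can be reviewed mechanically,
which is the "Detection" level from the four-level list. What follows is
an added example by the editor; it is not part of the N.I.A. file or of
the government document it reproduces. The five-field log format, the
sample records, the 07:00 to 19:00 shift window and the threshold of three
denied accesses per user per day are all assumptions made here for
illustration, and treating successful activity outside the scheduled shift
as "unauthorized use of computer time" is a heuristic, not something the
text itself claims.

```python
"""Audit-trail review for two of the clues listed above.

Added example, not from the original N.I.A. file or the government
document it reproduces. The record format, the thresholds and the idea
that off-shift activity is a clue are assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample audit records: "timestamp user action object result".
SAMPLE_AUDIT_LOG = """\
1990-03-02T09:05:00 jsmith OPEN PAYROLL.DAT OK
1990-03-02T09:06:10 jsmith OPEN PAYROLL.DAT OK
1990-03-02T12:41:00 mjones OPEN PAYROLL.DAT DENIED
1990-03-02T12:41:30 mjones OPEN PAYROLL.DAT DENIED
1990-03-02T12:42:05 mjones OPEN BENEFITS.DAT DENIED
1990-03-02T12:43:00 mjones OPEN VENDORS.DAT DENIED
1990-03-02T23:15:00 rlee LOGIN TTY3 OK
1990-03-02T23:20:00 rlee COPY CLAIMS.DAT OK
1990-03-03T08:30:00 rlee LOGIN TTY3 OK
"""

# Assumed scheduled working hours; successful activity outside this
# window is reported as possible unauthorized use of computer time.
SHIFT_START = time(7, 0)
SHIFT_END = time(19, 0)
# Assumed threshold: this many DENIED file accesses by one user on one
# calendar day is treated as "attempts to access data files" rather
# than a single stray typo.
DENIED_THRESHOLD = 3


def parse_audit_log(text):
    """Parse five-field records into dicts; skip blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # malformed record: skip it rather than abort the review
        ts, user, action, obj, result = parts
        records.append({
            "ts": datetime.fromisoformat(ts),
            "user": user, "action": action, "object": obj, "result": result,
        })
    return records


def repeated_denials(records, threshold=DENIED_THRESHOLD):
    """Users with at least `threshold` DENIED accesses on one calendar day."""
    counts = defaultdict(int)
    for r in records:
        if r["result"] == "DENIED":
            counts[(r["user"], r["ts"].date())] += 1
    return sorted(
        (user, day.isoformat(), n)
        for (user, day), n in counts.items()
        if n >= threshold
    )


def off_hours_activity(records, start=SHIFT_START, end=SHIFT_END):
    """Successful actions logged outside the scheduled shift window."""
    return [
        (r["user"], r["ts"].isoformat(), r["action"], r["object"])
        for r in records
        if r["result"] == "OK" and not (start <= r["ts"].time() < end)
    ]


def review(text):
    """Run both checks and return findings keyed by the clue they support."""
    records = parse_audit_log(text)
    return {
        "attempts_to_access_data_files": repeated_denials(records),
        "unauthorized_use_of_computer_time": off_hours_activity(records),
    }


if __name__ == "__main__":
    for clue, findings in review(SAMPLE_AUDIT_LOG).items():
        print(clue)
        for finding in findings:
            print("   ", *finding)
```

On the constructed log this flags mjones for four denied file opens in one
day and rlee for a login and a file copy at 23:15 and 23:20. Both findings
are leads for the end user manager to follow up, not proof of wrongdoing:
the denials may be a mistyped file name and the late session may be
approved overtime, which is why the thresholds and shift window should be
set from the organization's actual working pattern rather than left at the
assumed values.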
Controls are management-initiated safeguards -- policies or
administrative procedures, hardware devices or software additions
-- the primary mission of which is to prevent crime and abuse by
not allowing them to occur. Controls can also serve a limitation
function by restricting the losses should a crime or abuse occur.

This document addresses information security in three
areas: information security, physical security, and personnel
security. In each area, crimes, clues, and controls are
discussed. In these areas not only frauds, but abuses and waste
are addressed. The final chapters provide a plan of action and
cite available security resources.

N.I.A. - Ignorance, There's No Excuse.

Founded By: Guardian Of Time/Judge Dredd.


[OTHER WORLD BBS]