                 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
                 %%               N.I.A.                %%
                 %%     Network Information Access      %%
                 %%              02MAR90                %%
                 %%             Lord Kalkin             %%
                 %%              File #3                %%
                 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

:_Computer Crimes/Fraud/Waste part 1
:_Written/Typed/Edited By: Lord Kalkin


        1. COMPUTERS: CRIMES, CLUES, AND CONTROLS

                        Introduction

        The Information Age has brought about dramatic improvements in
the way the Federal government does its job.  For making decisions, 
more and better information is available more quickly to more 
people than ever before.  Statistical computations that once took 
weeks now take minutes.  And analyses that once required numerous 
programmers, a computer operator, and a large computer facility may 
now need only a nontechnical staff using software packages on 
desktop computers in their office.
 
        The General Services Administration estimates that Federal 
agencies will acquire half a million small computers by 1990.  In 
FY 1984, Federal expenditures for micro and desktop computers 
totaled $137 million.  The comparable figure for FY 1983 was $34 
million.  And these statistics do not include computer terminals 
that are part of large computer systems or word processors--many of 
which can be used to store and manipulate data, as well as create 
graphics.  The Office of Management and Budget (OMB) estimates that 
$13.9 billion was spent in FY 1985 to acquire, operate, and 
maintain Federal information technology systems.

        New management problems have accompanied the increased use 
of computers and automated technology.  Terminals, often connected 
to computers that are networked together, can access vast 
quantities and different types of data.  There are publicly voiced 
concerns about privacy of information and the risks associated with 
automating and making more accessible personal, proprietary, or 
other sensitive data.  There are serious concerns about increased 
computer crimes, waste, and abuse which result in such costly 
problems as improper payments from government benefit programs and 
unnecessary equipment purchases.  And there is the clear 
recognition that information is a resource to be protected.

        The responsibility for protecting information resides with 
the end user manager.  This responsibility is acknowledged in OMB 
circular A-130, MANAGEMENT OF FEDERAL INFORMATION RESOURCES:

        "Agencies shall make the official whose program an 
information system supports responsible and accountable for the 
products of that system..." 
        
        "Because end user computing places management of 
information in the hands of the individual agency personnel rather 
than in a central automatic data processing organization, the 
Circular requires that the agencies train end users in their 
responsibilities for safeguarding information."

        This document is designed to provide information security 
awareness training for the end user manager.  Security awareness 
training acquaints the end user manager with systems, controls, and 
techniques that enhance information security and with resources 
available for additional information.

        "YOU'VE GOT TO CONSIDER YIELD.  IT'S $19,000 PER BANK 
                  ROBBERY AND $560,000 PER COMPUTER CRIME!"

        Computer crime is a growth industry -- and so are computer 
waste and abuse.  Some estimates peg the increase of computer crime 
at 35 percent annually and the cost at $3.5 billion.  One obvious 
reason is the potential payoff: the average computer crime yields 
an estimated $560,000; the average bank robbery, $19,000.

        The computer criminal is less likely to get caught than the 
bank robber -- and less likely to get convicted if caught.  
Estimates of detected computer crimes are as low as 1 percent.  And 
the likelihood of a criminal conviction for computer fraud is less 
than 1 in 10.

        Deliberate computer crime is a significant part of the 
picture.  But wasteful and abusive practices, accidents, and errors 
are an even larger part.  In the succinct words of one noted 
expert, "We bumble away far more computer $s than we could ever 
steal."  Those bumble dollars -- combined with the estimate of $3.5 
billion annual cost of computer crime -- underscore the scope and 
seriousness of computer-related losses.

        A major contributor to computer-related loss is the lack of 
security awareness.  Security awareness can stop accidents and 
errors, promote adequate information security controls, and prevent 
and detect the would-be computer criminal.  End user awareness of 
security controls provides four levels of protection for computers 
and information resources:

              SECURITY CONTROLS: FOUR LEVELS OF PROTECTION
        
        Prevention -- Restricts access to information and 
                      technology to authorized personnel only;
        
        Detection  -- Provides for early discovery of crimes and 
                      abuses if prevention mechanisms are 
                      circumvented;
        
        Limitation -- Restricts losses if crime occurs despite 
                      prevention and detection controls; and

        Recovery   -- Provides for efficient information recovery 
                      through fully documented and tested 
                      contingency plans.


        Yesterday, managing technology was the technical manager's 
concern.  Today, managing information is every nontechnical end user 
manager's concern.  Managing information requires new knowledge and 
new awareness by a new group of nontechnical employees.  Good 
information management requires recognizing opportunities for 
computer crime and waste so that steps can be taken to prevent 
their occurrence.

        When computers were first introduced, few were available 
and only a small number of persons were trained to use them.  
Computers were usually housed in separate, large areas far removed 
from program managers, analysts, economists, and statisticians.  
Today that has changed.  Word processors, computer terminals, and 
desktop computers are common equipment.  This electronic 
equipment is rapidly becoming increasingly user-friendly so that 
many people can quickly and easily learn how to use it.

        Employees with access to computer equipment and automated 
information are greatly increasing throughout the organizational 
hierarchy.  The GS-4 secretary, the GS-9 budget analyst, the GS-12 
program analyst, the GS-13 statistician, the GM-14 economist, and the 
Senior Executive Service Manager may all have access to a 
computer terminal or word processor and the information it contains.

        No longer is information restricted to a select few at the 
highest levels of an organization.  This phenomenon has led 
computer crime to be called the "democratization of crime."  As 
more people gain access to automated information and equipment, the 
opportunities for crime, waste, and abuse likewise increase.

        It's Difficult to Generalize, But...
                - Functional end user, not the technical type and 
                  not a hacker
                - holds a non-supervisory position
                - no previous criminal record
                - bright, motivated, desirable employee
                - works long hours; may take few vacations
                - Not sophisticated in computer use
                - The last person YOU would suspect
                - Just the person YOU would want to hire 

                  THE COMPUTER CROOK CAN BE ANYONE

        The typical computer crook is not the precocious hacker who 
uses a telephone and home computer to gain access to major computer 
systems.  The typical computer crook is an employee who is a 
legitimate and nontechnical end user of the system.  Nationally, 
employee-committed crime, waste, and abuse account for an estimated 
70 to 80 percent of the annual loss related to computers.  
Dishonest and disgruntled employees cause an estimated 20 percent 
of the total computer system related loss.  And they do so for a 
variety of reasons.

                 WHY PEOPLE COMMIT COMPUTER CRIME
                        
                        - Personal or Financial gain
                        - Entertainment
                        - Revenge
                        - Personal Favor
                        - Beat the system, Challenge
                        - Accident
                        - Vandalism

        But a significantly larger dollar amount, about 60 percent 
of the total computer-related loss, is caused by employees through 
human errors and accidents.  Preventing computer losses, whether 
the result of deliberately committed crimes or unknowingly caused 
waste, requires security knowledge and security awareness.  A 
recent survey reported that observant employees were the primary 
means of detecting computer crime.

                   CLUES TO COMPUTER CRIME ABUSE

        Be on the look out for...
                - Unauthorized use of computer time
                - Unauthorized use of or attempts to access data files
                - Theft of computer supplies
                - Theft of computer software
                - Theft of computer hardware
                - Physical damage to hardware
                - Data or software destruction
                - Unauthorized possession of computer disks, tapes 
                  or printouts.

        This is a beginning list of the kinds of clues to look for 
in detecting computer crime, waste, and abuse.  Sometimes clues 
suggest that a crime has been committed or an abusive practice has 
occurred.  Clues can also highlight system vulnerabilities -- 
identify where loopholes exist -- and help identify changes that 
should be made.  Whereas clues can help detect crime and abuse, 
controls can help prevent them.

        Controls are management-initiated safeguards -- policies or 
administrative procedures, hardware devices or software additions 
-- the primary mission of which is to prevent crime and abuse by 
not allowing them to occur.  Controls can also serve a limitation 
function by restricting the losses should a crime or abuse occur.

        This document addresses information security in three 
areas: Information Security, Physical Security, and Personnel 
Security.  In each area, crimes, clues, and controls are 
discussed.  In these areas not only frauds, but abuses and waste 
are addressed.  The final chapters provide a plan of action and 
cite available security resources.

                   N.I.A. - Ignorance, There's No Excuse.
                  Founded By: Guardian Of Time/Judge Dredd.

