                 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
                 %%               N.I.A.                %%
                 %%     Network Information Access      %%
                 %%              03MAR90                %%
                 %%            Lord Kalkin              %%
                 %%              File #4                %%
                 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

:_Computers: Crime, Fraud, Waste Part 2
:_Written/Typed/Edited By: Lord Kalkin
:_Information Security


                        2. INFORMATION SECURITY

        What was called computer security in the 1960s and data 
security in the 1970s is today more accurately called information 
security.  Information security underscores the value of 
information in today's society -- the recognition that information 
is a valuable resource, that it is more than discrete data elements. 

        Information security refers to the controls that protect 
information from unauthorized access, destruction, modification, 
disclosure, and delay.  Information security addresses safeguards 
in the processes of data origination, input, processing, and 
output.  The goal of information security is to safeguard the 
system's assets, to protect and ensure the accuracy and integrity 
of information, and to minimize the damage that does occur if the 
information is modified or destroyed.  Information security 
requires accountability for all events that create, modify, provide 
access to, or disseminate information.

        Information security provides assurances that the following 
are achieved:

        - Confidentiality of sensitive information;
        - Integrity of information and the related process 
          (origination, input, processing, and output);
        - Availability of information when needed; and
        - Accountability of the related information processes.

        Some techniques to protect the system and provide 
accountability can be built into the computer.  Others can be built 
into the software.  Still others are dependent upon management 
policies to define appropriate procedures to be followed.  Deciding 
upon the level of sophistication of accountability techniques for a 
system requires identifying the sensitivity of the information and 
then determining the appropriate level of security.

        This document addresses sensitive data as defined in OMB 
Circular A-130, Management of Federal Information Resources:

                The term "sensitive data" means data that require 
protection due to the risk and magnitude of loss or harm that could 
result from the inadvertent or deliberate disclosure, alteration, 
or destruction of the data.  The term includes data whose improper 
use or disclosure could adversely affect the ability of an agency to 
accomplish its mission, proprietary data, records about 
individuals requiring protection under the Privacy Act, and data 
not releasable under the Freedom of Information Act.

         

                    CRIMES, ABUSES, AND WASTE

        A survey of government agencies identified techniques used 
in committing computer-related fraud and abuse.  Few of these 
frauds and abuses involved destruction of computer equipment or 
data.  Only 3 percent of the frauds and 8 percent of the abuses 
involved willful damage or destruction of equipment, software or 
data.  Most of the fraud and abuse cases involved information -- 
manipulating it, creating it, and using it.

        THE FIVE MOST COMMON TECHNIQUES USED TO COMMIT 
               COMPUTER-RELATED FRAUD AND ABUSE  

        Computer-Related Fraud
                1. Entering unauthorized information
                2. Manipulating authorized input information
                3. Manipulating or improperly using information 
                   files and records
                4. Creating unauthorized files and records
                5. Overriding internal controls

        Computer-Related Abuse
                1. Stealing computer time, software, information, 
                   or equipment.
                2. Entering unauthorized information
                3. Creating unauthorized information files and 
                   records
                4. Developing computer programs for nonwork purposes 
                5. Manipulating or improperly using computer 
                   processing    

        These techniques are often used in combination and are 
identified in Computer-Related Fraud and Abuse in Government 
Agencies, Department of Health and Human Services, Office of 
Inspector General, 1983.

        Another way of looking at computer-related crime is to examine 
the types of crimes and abuses, and the methods used to commit them.  
These include:

"Data Diddling" - Probably the most common method used to commit 
             computer crime because it does not require 
             sophisticated technical knowledge and is relatively 
             safe.  Information is changed at the time of 
             input to the computer or during output.  For example,
             at input, documents may be forged, valid disks 
             exchanged, and data falsified.

"Browsing" - Another common method of obtaining information which can 
             lead to crime.  Employees looking in others' files have 
             discovered personal information about coworkers.  Ways to 
             gain access to computer files or alter them have been found 
             in trash containers by persons looking for such information.  
             Disks left on desks have been read, copied, and stolen.  
             The very sophisticated browser may even be able to look for 
             residual information left on the computer or on a storage 
             medium after the completion of a job.

"Trojan Horse" - This method assumes that no one will notice that a 
             computer program was altered to include another function 
             before it was ever used.  A computer program with a 
             valid, useful function is written to contain additional 
             hidden functions that exploit the security features of 
             the system.

"Trap Door" - This method relies on a hidden software or hardware 
             mechanism that permits system protection methods to be 
             circumvented. The mechanism is activated in some 
             nonapparent manner.  Sometimes the program is written so 
             that a specific event, e.g., number of transactions 
             processed or a certain calendar date, will cause the 
             unauthorized mechanism to function.

"Salami Technique" - So named because this technique relies on taking 
             slices so small that the whole is not obviously affected.  
             This technique is usually accomplished by altering a 
             computer program.  For example, benefit payments may be 
             rounded down a few cents and these funds, which can be 
             considerable in the aggregate, diverted to a fraudulent 
             account.

"Superzapping" - Named after the program used in many computer centers 
             which bypasses all system controls and is designed to be used 
             in time of an emergency.  Possession of this "master key" 
             gives the holder opportunity to access, at any time, the 
             computer and all of its information.

        Examples of Computer-Related crimes, abuses, and waste include:

        - A payroll clerk, notified of a beneficiary's death, opened a 
          bank account using the beneficiary's name and social security 
          number. The beneficiary was not removed from the computer 
          eligibility lists, but a computer input form changed the 
          address and requested direct deposit of benefits to the 
          payroll clerk's new bank account.

        - A major loss occurred with the diversion of government 
          equipment.  Fictitious requisitions were prepared for routine 
          ordering at a major purchasing center.  The requisitions directed 
          shipment of communications equipment to legitimate private 
          corporations holding government contracts.  Just prior to the 
          delivery date, one of the conspirators would call the corporation 
          to alert them of their "error" and arrange "proper" delivery of 
          the equipment to the conspirators.

        - Three data clerks, using a remote terminal, entered phony 
          claims into the computer to receive over $150,00 in benefits 
          and then deleted records of these transactions to avoid being 
          caught.

        - Thefts of information commonly involve selling personnel 
          information, contract negotiation information 
          (e.g., contract bids), or company proprietary information 
          (e.g., product engineering information) for outside commercial 
          use, or copying or using software programs for personal or 
          personal business use.

CLUES
        The following clues can indicate information security 
vulnerabilities: 

        1. Security policies and practices are nonexistent or not 
           followed.  No one is assigned responsibility for information 
           security.
        2. Passwords are posted next to computer terminals, written in 
           obvious places, shared with others, or appear on the computer 
           screen when they are entered.
        3. Remote terminals, microcomputers, and word processors are 
           left on and unattended during work or nonwork hours.  Data 
           is displayed on unattended computer screens.
        4. There are no restrictions on users of the information, or on 
           the applications they can use.  All users can access all 
           information and use all the system functions.
        5. There are no audit trails, and no logs are kept of who uses 
           the computer for which operation.
        6. Programming changes can be made without going through a 
           review and approval process.
        7. Documentation is nonexistent or inadequate to do any of the 
           following: understand report definitions and calculations; 
           modify programs; prepare data input; correct errors; 
           evaluate system controls; and understand the data base 
           itself -- its sources, records, layout, and data relationships.
        8. Numerous attempts to log on are made with invalid passwords.  
           In dialup systems -- those with telephone hookups -- hackers 
           have programmed computers to do this "trial and error" guessing 
           for them.
        9. Input data is not subject to any verification or accuracy 
           checks, or, when input data is checked:
               -- more data is rejected;
               -- more data adjustments are made to force 
                  reconciliation; or
               -- there is no record of rejected transactions.
        10. There are excessive system crashes.
        11. No reviews are made of computer information to determine the 
            level of security needed.
        12. Little attention is paid to information security.  Even if 
            an information policy exists, there is a prevailing view 
            that it really is not needed.

                     INFORMATION SECURITY CONTROLS

 1. Control access to both computer information and computer 
applications.  Ensure only authorized users have access.

        User Identification:
        
        Require users to log on to the computer as a means of initial 
identification.  To effectively control a microcomputer, it may be most 
cost-effective to use it as a single-user system.  Typically, a 
microcomputer has no log-on procedures; authority to use the system is 
granted by simply turning on the computer.
        
        User Authentication:

        Use nontransferable passwords, avoiding traceable personal data, 
to authenticate the identity of the users.  Establish password 
management protection controls, and educate users to common problems.

        Other Controls:

        Passwords are one type of identification -- something a user 
knows.  Two other types of identification which are effective are 
something that a user has -- such as a magnetic coded card -- or a 
distinguishing user characteristic -- such as a voice print.

        If the computer has a built-in default password (a password 
that comes built into the computer software and overrides access 
controls), be sure it gets changed.

        Consider having the computer programmed so that when users 
log on, they are told the last time of use and the number of invalid 
log-on attempts since then.  This makes the user an important part of 
the audit trail.

                     Protect your Password

        - Don't share your password -- with anyone
        - Choose a password that is hard to guess
        - Hint: Mix letters and numbers, or select a famous saying and 
          select every fourth letter.  Better yet, let the computer 
          generate your password.
        - Don't use a password that is your address, pet's name, 
          nickname, spouse's name, telephone number or one that is 
          obvious -- such as sequential numbers or letters.
        - Use longer passwords because they are more secure; six to 
          eight characters are realistic
        - Be sure that your password is not visible on the computer 
          screen when it is entered.
        - Be sure that your password does not appear on printouts
        - Do not tape passwords to desks, walls, or terminals.  Commit 
          yours to memory.   <<---- Remember this!!!

                    Manage Passwords Carefully

        - Change passwords periodically and on an irregular schedule
        - Encrypt or otherwise protect from unauthorized access the 
          computer stored password file.
        - Assign password administration only to the most trusted 
          officials.
        - Do not use a common password for everyone in an area.
        - Invalidate passwords when individuals leave the organization.
        - Have individuals sign for their passwords.
        - Establish and enforce password rules -- and be sure everyone 
          knows them.

        Authorization Procedures:

        Develop authorization procedures that identify which users have 
access to which information and which applications -- and use 
appropriate controls.
        
        Establish procedures to require management approval to use 
computer resources, gain authorization to specific information and 
applications, and receive a password.

        File Protection:

        In addition to user identification and authorization procedures, 
develop procedures to restrict access to data files:

        -- Use external file and internal file labels to identify the 
           type of information contained and the required security level;
        -- Restrict access to related areas that contain data files such 
           as off-site backup facilities, on-site libraries, and 
           off-line files; and
        -- Use software, hardware, and procedural controls to restrict 
           access to on-line files to authorized users.

        System Precaution:
        
        -- Turn off idle terminals;
        -- Lock rooms where terminals are located;
        -- Position computer screens away from doorways, windows, and 
           heavily tracked areas;
        -- Install security equipment, such as devices that limit the 
           number of unsuccessful log-on attempts or dial back would-be 
           users who use telephones to access the computer;
        -- Program the terminal to shut down after a specific time of 
           non-use; and,
        -- If feasible, shut down the system during nonbusiness hours.
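
        The last-use notice described under Other Controls and the limit 
on unsuccessful log-on attempts listed above can be combined in one 
host-side routine.  The following is an added example, not part of the 
original file; the class name, the three-attempt threshold, the sample 
user, and the timestamps are all constructed for illustration.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 3   # assumed lockout threshold; the page does not give a number


class LogonMonitor:
    """Host-side log-on control: hashed password file, last-use notice,
    invalid-attempt count, lockout, and an audit trail of every attempt."""

    def __init__(self):
        self.accounts = {}   # user -> salt, digest, last_use, failures, locked
        self.trail = []      # (time, user, outcome) for every attempt

    @staticmethod
    def _digest(password, salt):
        # The stored file holds a salted, slow hash, never the password.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enroll(self, user, password):
        salt = os.urandom(16)
        self.accounts[user] = {"salt": salt, "digest": self._digest(password, salt),
                               "last_use": None, "failures": 0, "locked": False}

    def unlock(self, user):
        """Administrator action; the failure count is kept for the notice."""
        self.accounts[user]["locked"] = False

    def logon(self, user, password, now):
        """Return (granted, notice); the notice is shown to the user."""
        acct = self.accounts.get(user)
        good = acct is not None and hmac.compare_digest(
            acct["digest"], self._digest(password, acct["salt"]))
        if acct is None or acct["locked"] or not good:
            if acct is not None:
                acct["failures"] += 1
                acct["locked"] = acct["locked"] or acct["failures"] >= MAX_FAILURES
            self.trail.append((now, user, "refused"))
            return False, "Log-on refused."
        notice = "Last use: %s. Invalid log-on attempts since then: %d." % (
            acct["last_use"] or "never", acct["failures"])
        acct["last_use"], acct["failures"] = now, 0
        self.trail.append((now, user, "granted"))
        return True, notice


def demo():
    """Constructed scenario: one good log-on, guessing overnight, return."""
    host = LogonMonitor()
    host.enroll("jdoe", "k7Rm2xQ9")
    first = host.logon("jdoe", "k7Rm2xQ9", "02MAR90 17:05")
    guesses = [host.logon("jdoe", g, "03MAR90 02:%02d" % i)[0]
               for i, g in enumerate(["jdoe", "password", "123456", "k7Rm2xQ9"])]
    host.unlock("jdoe")
    back = host.logon("jdoe", "k7Rm2xQ9", "03MAR90 08:30")
    return first, guesses, back, host.trail
```

        Once the account is locked, even the correct password is refused 
and counted, so the returning user sees four invalid attempts they did 
not make and can report them.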

------

2. Protect the integrity of information.  Input information should be 
   authorized, complete, accurate, and subject to error checks.

        Information Integrity:

        Verify information accuracy by using procedures that compare 
what was processed against what was supposed to have been processed.  
For example, controls can compare totals or check sequence numbers.

        Check input accuracy by installing checks on data validation and 
verification, such as:
         
        - Character checks that compare input characters against the 
          expected type of character (e.g., numeric or alpha);
        - Range checks that compare input data against predetermined 
          upper and lower limits;
        - Relationship checks that compare input data to data on a 
          master record file;
        - Reasonableness checks that compare input data to an expected 
          standard; and,
        - Transaction Limits that check input data against 
          administratively set ceilings on specific transactions.

        Trace transactions through the system using transaction lines.

        Cross-check the contents of files by doing a record count, or by 
controlling the total.
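
        The five input checks and the record-count and control-total 
cross-check described above, applied to a batch of benefit payments.  
This is an added example, not part of the original file; the master 
file, limits, tolerance, and batch records are constructed for 
illustration.

```python
import re
from decimal import Decimal

# Constructed master record file: claimant id -> (status, usual monthly benefit).
MASTER = {
    "100234": ("active", Decimal("812.40")),
    "100871": ("active", Decimal("455.00")),
    "100990": ("deceased", Decimal("620.10")),
}
LOW, HIGH = Decimal("0.01"), Decimal("5000.00")  # range check limits (assumed)
CEILING = Decimal("2000.00")   # administratively set transaction limit (assumed)
TOLERANCE = Decimal("0.25")    # reasonableness: within 25% of the usual benefit


def parse_amount(raw):
    """Character check on the amount field: digits, a point, two decimals."""
    return Decimal(raw) if re.fullmatch(r"[0-9]{1,7}\.[0-9]{2}", raw) else None


def validate(txn):
    """Return the names of the checks that one input transaction fails."""
    amount = parse_amount(txn["amount"])
    if amount is None or not re.fullmatch(r"[0-9]{6}", txn["claimant"]):
        return ["character"]
    failed = []
    if not LOW <= amount <= HIGH:
        failed.append("range")
    status, usual = MASTER.get(txn["claimant"], ("unknown", None))
    if status != "active":
        failed.append("relationship")
    elif abs(amount - usual) > usual * TOLERANCE:
        failed.append("reasonableness")
    if amount > CEILING:
        failed.append("transaction limit")
    return failed


def process_batch(batch, header_count, header_total):
    """Validate a batch, keep every rejection, reconcile count and total."""
    accepted, rejected, total = [], [], Decimal("0")
    for txn in batch:
        total += parse_amount(txn["amount"]) or Decimal("0")
        failed = validate(txn)
        if failed:
            rejected.append((txn, failed))   # rejections are kept, not dropped
        else:
            accepted.append(txn)
    reconciled = len(batch) == header_count and total == header_total
    return accepted, rejected, reconciled


# Constructed input batch; its header declares 5 records totalling 7249.90.
BATCH = [
    {"claimant": "100234", "amount": "812.40"},    # passes every check
    {"claimant": "100871", "amount": "4550.00"},   # ten times the usual benefit
    {"claimant": "100990", "amount": "620.10"},    # master record says deceased
    {"claimant": "10O234", "amount": "812.40"},    # letter O in a numeric field
    {"claimant": "100871", "amount": "455.00"},    # passes every check
]
```

        A batch that arrives with a record missing or an amount altered 
fails reconciliation even when every remaining record passes its own 
checks, and the rejected list is the record of rejected transactions 
whose absence the CLUES section warns about.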

-----

3. Protect System software.  If software is shared, protect it from 
undetected modification by ensuring that policies, developmental 
controls and life cycle controls are in place, and that users are 
educated to security policies.

        Software developmental controls and policies should include 
procedures for changing, accepting and testing software prior to 
implementation.  Policies should require management approval for 
software changes, limit who can make software changes, and address 
maintaining documentation.

        An inventory of software applications should be developed and 
maintained.

        Controls should be installed that prevent unauthorized persons 
from obtaining, altering, or adding programs via remote terminals.

-----

4. Enhance the adequacy of security controls by involving ADP auditors 
in evaluating applications program controls and consulting them to 
determine needed tests and checks in handling sensitive data.  Audit 
trails built into computer programs can both deter and detect computer 
fraud and abuse.

        Security audit trails should be available to track the identity 
of users who update sensitive information files.

        If the sensitivity of information stored on microcomputers 
requires audit trails, then both physical and access controls are 
essential.

        In a computer network, the host computer, not the terminal, is 
where the audit trails should be located.

        Audit trails should not be switched off to improve processing 
speed.

        Audit trail printouts should be reviewed regularly and frequently.

------

5. Consider the need for communication security.  Data transmitted over 
unprotected lines can be intercepted, or passive eavesdropping can occur.

                   N.I.A. - Ignorance, There's No Excuse.
                  Founded By: Guardian Of Time/Judge Dredd.

