Printer Friendly

The pivotal role in computer security.


COMPUTER CRIME IS THE MODern managerial challenge. Managers have a responsibility to users, data subjects, and society to ensure computer security for legal, economic, and ethical reasons. Managers who identify vulnerabilities, calculate security risks, and take precautions to avoid computer abuse advance the goals of their organizations. Managers who fail to cope with computer security, however, are likely to harm their organizations. The question is, what approach should managers take to improve their ability to deal with computer crime?

The first step is to look at the broad categories of computer crime. Most incidents fit into one of the following groups: (1)

Physical destruction of computers. Computers can be attacked easily for purposes of vandalism or sabotage. Such attacks destroy valuable programs and data stored on the computers. Physical damage can be done by anyone who gets close to a computer or data communications facility.

Computers have been violently attacked in many ways. They have been "shot with guns, stabbled with screw-drivers, burned up with gasoline and Molotov cocktails, and blown up with plastic explosives." (2) Breaking magnetic tapes, causing read/write heads to fall on and score storage disks, and burning out electronic circuits can also cause great damage.

An example of a gun attack on a computer occurred in 1973 in Melbourne, Australia, when antiwar demonstrators attacked a US computer manufacturer and shot a computer with a shotgun. The blast resulted in its total loss. Similarly, in 1974 at a life insurance company in an eastern US state, a computer operator attacked the main computer, which he ran by himself during the night shift. Because he regularly had to cross through a high crime part of the city, it was his practice to carry a pistol. One night he became frustrated with the computer, drew his pistol, and shot the computer between the bits. The computer was seriously damaged. (3)

According to two physical security experts, "Similar incidents abound. In the last decade, at least 57 computer centers in Europe, including six bank computer centers, have been attacked by terrorists. As mentioned in several terrorist pamphlets, computer centers represent the essence of capitalism and therefore should be destroyed. Since the banking system is seen as the backbone of capitalism, computer facilities associated with banks are deemed even more attractive as terrorist targets." (4)

Involvement of computers in abusive acts. Computers are involved in many abusive acts. Financial activities can be performed by transferring credits among financial accounts within a computer and between computer systems. Sabotaging data can cause adverse effects as well.

Also, computer programs can be subject to theft. In several instances companies have been denied the use of vital programs through extortion. For example, in 1971 a small company was providing accounting services. A programmer who was hired to develop programs for the company took all copies of the programs and left. The programmer demanded $100,000 for the return of the programs and documentation. (5)

The motives for extortion and sabotage vary widely. Disgruntlement is certainly among the common causes in any work environment. Computer employees might resort to extortion if they feel they are treated inequitably. A computer supervisor in a European multinational corporation resorted to an act of sabotage because of a delay in his promotion. Although the sabotage was badly executed and the supervisor was arrested, the incident exemplifies the types of sabotage to which computer programs can be exposed. (6)

Computers as instruments of abusive acts and tools for intimidation, deception, and fraud. Computers often serve as tools for perpetrating crimes. For example, in planning an embezzlement, an accountant can use his or her private computer to run simulations at home. Similarly, a burglar with a computer can search various files of personal information from a safe location.

Computers also play a role in deceiving and frightening people. In 1971, ComputerWorld reported that a collection agency established a business of sending new invoices to people who had paid their bills a year earlier. Many people assumed they were still in debt and paid the bills. However, some people refused to pay. When they complained, the collection agency merely apologized for a computer error.

Computer output can also play an intimidating role. In congressional hearings, the Department of Defense ordinarily presents a large pile of computer reports to support its requests for money. The use of a computer and piles of computer printouts implies the information presented is correct and important. Often, when one tries to prove a point with massive amounts of computer data, the underlying goal is intimidation.

ORGANIZATIONS NEED SOPHISTIcated managers to achieve their goals. Information security has become indispensable in a world characterized by high risk, uncertainty, and unpredictability. Potential risks to an organization's information include fires, break-ins, theft, wiretapping, and hardware destruction.

Among a manager's most important responsibilities are the following:

* developing and establishing a secure computer center

* establishing procedures for physical access control to facilities

* deciding what constitutes critical information

* establishing procedures for making backup copies of data files and computer programs

* providing logs of computer use and performance

* ensuring the computer has programs that prevent erroneous processing

* providing adequate fire detection and suppression

* staffing computer centers with trustworthy and reliable people (7)

* fixing responsibility for computer security among staff

The security measures managers can take to fulfill these responsibilities fall into three groups--physical, procedural, and logical. (8) They are as follow:

Physical measures. These include door locks, guards, video monitors, desk locks, safes, card-controlled doors to restricted areas, and identification badges. Physical security must apply not only to buildings that house computer centers but also to any locations where computer terminals are located. In addition, managers must prepare for emergencies, make sure alternative power sources are available to guarantee uninterrupted processing, and have all incoming and outgoing materials inspected.

Procedural measures. Most procedural security elements involve authorizing certain actions and then auditing the results. Procedural security elements include the following:

* maintaining lists of employees authorized to enter the building

* issuing identification cards

* authorizing access to computing resources

* tracking telecommunications use

* recording the issuance of passwords, account numbers, or other identification

* processing new employees

* maintaining close working relationships with personnel managers to ensure that employee separation and reassignment result in proper security

* ensuring that departing employees have signed nondisclosure agreements or other documents designed to safeguard proprietary information (9) (especially important in technology-related organizations)

* developing office procedures for marking and handling documents containing valuable information

* setting rules on whether documents can be removed from company premises

* deciding on procedures for marking and controlling computer-generated documents

* monitoring logs of employee access to buildings, computer systems, and laboratories

Computer security problems usually occur when managers fail to provide strong controls, good employee training, proper supervision, and explicit explanations of employee responsibilities. Failure to inform employees of information security policy, the value of the information, and employee responsibilities may leave the company without legal standing should a crime occur.

Logical measures. These measures relate to software program and hardware features and functions. They control who uses computer resources and what the authorized users may do. When properly used, logical security measures make information stored or processed on a computer more secure than information in mental or written form.

However, logical security elements are expensive. Thus, many microcomputers and office systems have few or no effective security measures built into them. The user must provide security with imaginative and sometimes unusual constructions of hardware and software barriers.

A special type of logical security element is called encryption. Encryption is "the encoding or masking of information through the use of a complex algorithm that converts an intelligent information stream (clear text) into a nonrepetitive substitution character stream (encrypted)." (10) Without the code key, such an encoded stream of information is virtually undecipherable, even by experts with computers. Encryption is a strong logical security element and might eventually become the major security protection for all high value information.

Other forms of logical security have to do with access management, which is the process of implementing, operating, and monitoring controls over the use of computers. Access management systems have three important components: identification, authentication, and authorization.

Identification is the claim that a person or program is who or what he, she, or it claims to be. The claim is supported by the offer of something the claimant knows or possesses. That something is called a token and could be an identification number, magnetic card, fingerprint, voice, handprint, or answer to a question.

Authentication is a proof of the claim. The token is different from the one used in the identification step. To be effective, the token must be secret. The most common token used for authenticating a claimed identity is a password. "Passwords can be any sequence of characters (for example, letters, symbols, or numbers). When entered correctly, they serve to control access by verifying the user's identity. They must be of such a complexity and length to limit the possibility of discovery by accident or systematic guessing." (11)

The problem with passwords, however, is that they could be forgotten, written down where others might see them, or shared. The most common difficulty with a password is the user's propensity to choose one that is easy to remember and hence easy for others to guess.

That is why recent technology offers more effective tokens than passwords. Among the most important tokens are fingerprint scans, voice pattern recognition, hand geometry measurements, and retinal scans. These measures provide highly reliable individual authentication that can ensure real control over the use of computers.

Authorization is the question of who may do what. It establishes which users are authorized access to which types of data and what actions they may take with the data. The authorizations granted to a user must always be specific, such as whether the user may read a file, add to a file, create a file, carry out a transaction, or execute a program.

Users with access to a computer system are generally limited to certain parts of the data or memory. (12) This storage partitioning protects information from unauthorized users. Computer access control may also place limits on the use of programs and procedures. (13)

Managers should see that physical controls are installed and maintained to protect the hardware, software, tapes, and disks against natural disasters, power failures, sabotage, and other threats. They should make sure a risk analysis is performed before the approval of design specifications for an installation and whenever a significant change is made to the physical facility, hardware, or operating system software.

Checklists for preventing computer crime are useful but do not provide absolute solutions. In fact, absolute solutions as rarely economically worth-while. The cost of prevention "must be less than the expected loss that could be sustained without the prevention. Absolute prevention is only a theoretical concept." (14)

Stanford Research Institute has introduced a new method for computer security: scenario analysis. The method is based on an analysis of the assets, threats, and risks a company faces. The analysis is followed by the development of a set of scenarios that depict the various likely threats. These scenarios are played out against the computer center in theory, with an eye toward uncovering weaknesses in security. (15)

Recent virus attacks on sensitive computer networks illustrate the severity of the computer crime threat and call for more drastic, stringent, and selective measures to cope with the problem. The Computer Fraud and Abuse Act of 1986, the Computer Security Act of 1987, and the Computer Virus Eradication Act of 1988 have been designed to combat and eliminate computer crimes by providing necessary legal powers to prosecute offenders.

However, as Senator Patrick Leahy (D-VT) pointed out, "We can pass laws that make criminal penalties for unauthorized access to computers, but we also need improvements to increase security. It is a sad truth of modern life that laws against burglary will never safeguard a home like good locks." (16)

Various devices on the market claim to vaccinate computers, make them bug-free, alert users to intrusions, thwart penetration, and even counterattack invaders. In spite of these technological innovations, combating computer crime remains the job of managers.

(1) Report on Crimes Involving Electronic Funds Transfer, US Department of Justice (Washington: 1983).

(2) Donn B. Parker, Crime by Computer (New York: Charles Scriber's Sons, 1976), p. 12.

(3) Parker, p. 17.

(4) Arnon Rosen and John Musacchio, "Computer Sites: Assessing the Threat," Security Management, July 1988, p. 40.

(5) Parker, p. 18.

(6) Parker, p. 20.

(7) Parker, p. 20.

(8) James A. Schweitzer. Computer Crime and Business Information (New York: Elsevier, 1986).

(9) These functions have been adapted from Computer Crime, Computer Security Techniques, US Department of Justice (Washington: 1984), p. 35.

(10) Schweitzer, p. 97.

(11) Philip Kropatkin, Management Principles for Asset Protection: Understanding the Criminal (New York: Wiley, 1986), p. 289.

(12) Kropatkin, p. 292.

(13) Kropatkin, p. 292.

(14) Kropatkin, p. 292.

(15) Donn B. Parker, Fighting Computer Crime (New York: Charles Scribner's Sons, 1976), p. 279.

(16) Jeff Gerth, "Intruders into Computer Systems Still Hard to Prosecute." The New York Times, November 5, 1988, p. 10.

Mahdi ElBaghdadi, PhD, is an assistant professor of political science and public administration, and Mahendra P. Singh, PhD, is an assistant professor of criminal justice, both at Grambling State University in Grambling, LA. Singh is a member of ASIS.
COPYRIGHT 1989 American Society for Industrial Security
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 1989 Gale, Cengage Learning. All rights reserved.

Article Details
Printer friendly Cite/link Email Feedback
Author:El-Baghdadi, Mahdi; Singh, Mahendra P.
Publication:Security Management
Date:Jul 1, 1989
Previous Article:The past predicts the future.
Next Article:Crime Prevention: Approaches, Practices, and Evaluations.

Related Articles
Testing Tortillas.
Tea Council Ecology Module.
AFGHANISTAN - Nov. 6 - UN Outlines Plan For Post-War Administration.
Venture Firm Merges Pivotal with Talisma.
Drucker award to London's pivotal.

Terms of use | Copyright © 2016 Farlex, Inc. | Feedback | For webmasters