Printer Friendly

The global problem of computer crimes and the need for security.

The Global Problem of Computer Crimes and the Need for Security

Today's widespread use of computers in daily activities has also added to the increased possibilities of computer manipulations and crimes. This has become a big strategic as well as legal issue where a lot of money is being lost due to computer crimes. In this article various types of computer crimes are explained and some of the factors are discussed which are contributing to this growing problem. Although there are things that could be done and steps that could be taken to cut down the pervasiveness of computer security problems, because of the rapid advancements in computer technology the "awareness" of the problem and periodic security audit is probably the most important measure against computer crimes. Computer crime has become a big issue in today's society, with losses of large amounts of money and valuable data. Ernst & Whinny estimates computer fraud losses at more than $3 billion a year (Crysler & Keller, 1988). This sum is very great and costly to many corporations. Computer tampering is now a crime in 48 states; Virginia and Vermont being the only exceptions. The penalties range up to 100,000 in fines and/or 10 years in jail (Aaland, 1988). But are these penalties enough to cut back on the crime when one considers that most of these cases are not even reported, and the pay-off is often times very great. Many companies fear adverse publicity, lawsuits by person whose records have been exposed, and charges that their computer systems are not secure. Therefore, only a few companies choose to press charges against computer trespassers (Gilbert, 1989). While the average bank robbery nets a thief about $5,000 the average loss per computer crime is $300,000. Personnel involved in computer break-ins generally know the system applications. Having worked or are working in the firms where the break-ins take place (Irwin, 1989).

Although some acts of computer crimes by employees may be partly motivated by the hope of financial gain, most appear to have been committed for other reasons. A primary motivation for many such crimes is retaliation against management for policies or personnel actions (Crin & Leap, 1989). This brings up the question of the importance of computer security. The importance of computer security is evident in the increased spending since 1985. In 1986 8 percent of the average security budget was devoted to computer protection, while in 1988 that number reached 12 percent (Lydon, 1988). Nevertheless, the comprehension of computer security needs are still low. In a recent study it was found that out of 1200 small businesses using computers extensively, only 15 percent had developed computer security measures of some sort (Bradford, Norris & Kahai, 1990).

The advent of the personal computer has greatly affected the outlook toward computer security. Now with 35 to 40 million PCs in the work place, companies large and small alike, are vulnerable to computer crimes (Aaland, 1988). This paper discusses some of these computer crimes, what causes them and some other factors relating to problems affecting computer security. According to Farhoomand (1989) the percentage of the firms affected by one or more computer related problems in 1988 were as follows: utilities failure (80.8 percent), inadequate control (75.6 percent), compliance failure (73.1 percent), improper guidance (67.9 percent), environment support breakdown (64.1 percent), electro magnetic discharges (43.6 percent), liquids (29.5 percent), electronic intrusion (29.5 percent), fraud and embezzlement (16.7 percent), gases (11.5 percent), physical intrusion (10.3 percent), service loss (7.7), vandalism (7.7 percent), sabotage (6.4 percent), living organisms (2.6 percent), projectiles (2.6 percent), and earth movements (1.3 percent). It is obvious that a sizable number of computer related problems occur due to deliberate criminal acts.

Is Ignorance Bliss?

Against such a background it is not surprising that computer crimes have become increasingly attractive for individuals targeting their present or former employers or other organizations, as well as for corporations trying to gain a competitive advantage. In the latter case, reporting, let alone prosecution is almost non-existent. Even if detected, relevant problems are solved "internally" by either stepping up security measures as a passive response, or by "settlements" between the organizations involved. Fear of publicity, an indirect admission of incompetence, and the potential loss of customers and credit ratings are common reasons behind such management decisions.

Management of most organizations do not realize the value of prevention in the area of computer security, but waits in ignorance until an incident occurs or is detected. Generally speaking, the degree of awareness pertaining to aspects of computer security is very low. Executives, often educated before the computer revolution, frequently suffer from symptoms of "computer paralysis." They succumb either to a certain "fascination effect," which creates a "blind believer" in the power and abilities of computers, or they ignore the problem, leaving it almost entirely to the data processors and programmers. The lack of a sober and realistic approach seems to be dominating, and executive computing (Cottschalk, 1985) is still the exception, not the rule. A study conducted by the University of Minnesota found that a company relying on its computer system for its operations will lose over 90 percent of its operating ability within an average period of 10 days after a computer "wipe-out," including almost all MIS (Management Information Systems) data needed for both routine and special decision-making. Most companies in such a situation and without the precautionary setup of an appropriate backup system will go under (Scoma, 1985). The saying "ignorance is bliss" is most certainly not applicable in terms of computer security.

Factors Contributing to the Increase in Computer Crimes

There are many factors which could be attributed to the trend of increasing computer crimes. The most obvious is the growth which has come about because of computers and the computer related work force. This also increases the number of potential perpetrators. On the average, 31 percent of the employees at responding companies, in a survey, are computer active as compared to 24 percent just two years ago (Lydon, 1988). The rising degree of "computer dependency", coupled with higher vulnerability is an important factor. In today's society there are many economic sectors which would nearly, if not entirely, cease to function if for some reason their computer base was eliminated. Some of the examples are: airlines, banks, stock exchanges, telephone and communication systems.

The rapid growth of the computer industry, has led to the supplying of more powerful equipment in even larger numbers (Kelly, 1985). Also increase is attributed to the inherent complexity of electronic devices by which a criminals acts can be easily hidden, and chances for detection are lower than before. Valuable information in electronic memories are vulnerable to nearly untraceable tampering (Woods, 1988). Another factor is the failure of the legal system to act as a meaningful deterrent. A Federal Bureau of Investigation study reports that only one in 20,000 computer criminals ever go to jail (Nawrocki, 1987). Many small and mid-sized firms are giving their work to a remote processor who handles a multitude of similar clients at his own location, or to a facilities manager (Simon, 1986) who physically moves his own equipment in. This cross referencing of data, brings forth even more security problems. Where external access and network environment are common, the chances of computer crime increase 50 percent (Lydon, 1988).

Another factor is that in many instances the management does not know that their system is weak. One in 10 companies falls victim to an average of two computer crimes each year. Each costs $5,000 in immediate losses, and yet in recent years fewer security people seem concerned about undetected computer crimes (Lydon, 1988). Although, some firms are now hiring hackers to attempt to break into there system in order to find weaknesses, computer crime will never be completely eliminated because the elements of control are, themselves, subject to human error and manipulation (Barlow, 1988).

Sophistication of the computer criminal profile is yet another factor. Numerous studies, for example, Parker, 1979: Wagner, 1979; and Ivancevitch, 1983, repeatedly emphasize the fact that the typical computer criminal is ambitious, bright, young, well educated, energetic and highly persistent individual. Frequently, his dangerous activities start with pranks and lead to challenging his wits against more sophisticated systems, and this can lead to a criminal act. The wide spread use of Electronic Fund Transfers (EFTs) also promotes a problem. In this the banking system moves very large amounts of cashless currency at very high speeds both within and outside of the country. These large transactions present strong temptation to a computer criminal.

Awareness as the Key?

The list of the factors mentioned above is by no means exhaustive but is sufficient to highlight the general trends and tendencies to which management is subjected. Relatively little could be done in a direct way to escape the effects of such a general |electronic environment'. The security manager is rather restricted to respond in a more indirect way with caution and a number of specific measures matching his particular needs. Such measures shall be discussed separately. Before deciding on such security measures, management should first be aware of the various kinds of misuses and crimes to be expected in the area of computer security. Without such a thorough knowledge, the design of the security system could be flawed in scope, costs and efficiency, being either too rigid or too lax. Thus, increased awareness and a change in management attitude are imperative.

Types of Misuses and Crimes

Not only is the number of computer crimes committed on the rise, but equally disturbing is the spreading variety of misdeeds and the constantly increasing degree of sophistication. Several examples within the following categories of computer-related security violations pertaining to people, their specific actions, and the particular types of crime have been reported.

Viruses

In today's computing world computer viruses have become a gigantic problem. As computer usage increases and our reliance on them is greater then ever the problem will grow.

An electronic virus hides inside a program waiting to replicate and attach itself to other programs. Its effect varies and is completely dependent on the virus' creator (Keizer, 1988). These viruses can range, as to the extent of damage, from harmless practical pranks or messages to the loss of very important data and information which can prove to be very costly.

A computer virus is created by a programmer who writes a tiny bit of computer code, which can attach itself to other programs and alters them or destroys data kept on a computer disk. The virus also reproduces itself by copying itself to other programs. The virus may take its cue from the internal clock/calendar that most computers use to time-stamp their work. The virus seizes control of the computer and works its mischief. Then it sometimes taunts the victim with a message such as "Gotcha!" (Hafner, 1988).

A virus may have four different phases. The dormancy phase is there to install a sense of trust in the user since the virus does not propagate or do damage during this phase. The propagation phase is all that is necessary for the program to be considered a virus. The triggering phase is launched by some occurrence, such as a certain date or a particular number of replications. The damaging phase does the actual harm that the author intended the virus to do (Greenberg, 1989).

What is clear, however, is that a once rare electronic "disease" has suddenly reached epidemic proportions. Across the U.S. it is disrupting operations, destroying data, and raising disturbing questions concerning the vulnerability of information systems. Since viruses can travel from one place to another as fast as a phone call a single strain can quickly turn up in computers hundreds of miles apart. Many of America's 3,000 electronic bulletin-board systems have suffered some kind of infection as have hundreds of users groups and thousands of businesses. However, real disaster has been avoided thus far, no killer virus has penetrated the country's electronic fund transfer systems, the stock or commodity exchange computer centers, no insurance company rolls have been wiped out, no pension funds have had there records scrambled, no air-traffic control systems have been grounded to a halt, and the U.S. military- defense system remains largely uncompromised. Although there have been reports of virus attacks at both the FBI and the CIA. But most experts warn that the worst is yet to come (Elmer-Dewitt, 1988).

Physical Damage or Destruction

Typical occurrences of physical manipulations or attacks include among others the following:

* Sabotage by physical destruction of facilities. Reported were cases involving cars, trucks, sledgehammers, guns, tools, knives, glue, water, acids, and explosives.

* Arson by gasoline of computer units, targeting competitors or government agencies.

* Destruction of processing and memory units by acid or planned overheating or flooding of facilities.

* Partial eradication of data by running magnets over storage units.

Financial Deception, Fraud and Theft

Gaining a financial advantage remains the main objective of a computer manipulation of this kind. Some of the more common variations include the following with either authorized (insiders) or unauthorized (outsiders or insiders) access:

* Generating fraudulent input records: for example, creating falsified collection, delivery or tax related loss records, or coding blank deposit slips and leaving them in the customer area of a bank. According to the invisible instruction, funds may be channeled into one account. A criminal could gain some $100,000 within hours and before the fraud would be detected.

* Manipulation of processing. Dishonest programmers plant |program traps' or |sleepers' into the instructions, which, when activated at any convenient time by the programmer, will bypass all safeguards, and allow the designer to siphon off amounts of cash or merchandise using an impostor terminal. Also quite common are modification or credit files to improve ratings, or changing billing codes and delivery instructions in favor of the programmer.

* Misappropriation of output. Ten million dollars was misappropriated via computer manipulation by Stanley Rifkin from the Security National Bank, which had weak computer center security. Millions of gallons of heating oil from Exxon's Bayview refinery were misappropriated by altering computer files on purchasing quantities, losses and allocations. In one department store, operators processed orders to divert store goods to accomplices. Full priced basketball and football tickets were sold and transactions electronically recorded as half price sales to disabled spectators, pensioners or other entitled groups. This kind of fraud is usually detected because the clerk(s) involved overdo it (for example, if there are more disabled in the stadium than registered in the whole state).

* Manipulation of software. Alterations involved, for instance, commodity fund transfers, funds distributed to winning bets of dog, horse, or car races, baseball or football games, electronically calculating odds and the number of winners and losers and the relevant amounts of dollars in favor of the conspirators. In one case the program calculating the daily interest rates of accounts was altered such that all fractions of penny amounts were rounded down, and the tiny amounts channeled into the account of the programmer. Since each customer lost on average only half a cent per calculation, the scheme was only detected by accident, after some 10,000 dollars had already accumulated in the account. Manipulation could occur before or after the software has been bought (or sell-designed) and installed.

* Unlawful change of time sharing portions at the expense of other time- sharing partners by manipulating the billing or time-measuring system. For example, if each of the 80 partners were overchanged by only 1 percent of the actual, a scheme could go on for years before being detected by accident, if ever. Meanwhile, the fraudulent company would be charged only a small fraction of the real amount of service rendered.

* Fake billing. One collection agency rebilled customers who generally trust the computer billing system but had actually paid the bills the previous year. Many paid again, unaware of the double charge. In another instance, insurers were charged by hospitals or laboratories for medical tests, some of which had never been performed. Since there is normally no feedback between a patient and the insurer, such a scheme could go undetected forever.

* Electronically altering college grades, social security, employment, welfare, pension, food stamp, war veteran, disability and other data for financial gain.

Intellectual Property Fraud and Theft

An intellectual or indirect financial gain (opportunity cost avoidance) characterize this kind of security breach. Fairly common are the following types:

* Illegal computer system entry and copy of personnel, customer or payroll files, banking deposit and/or withdrawal records, population files or registers. Such information is usually sold to the competition of the victim, other interested parties, foreign powers, or used for own personal purposes.

Obtaining unauthorized information regarding: computerized credit ratings, financial transactions, sales records, production data, design secrets, patents, licensing or manufacturing data (CAD/CAM), marketing and financial planning information, texts from word processors, stored book chapters, personnel or medical files.

Various violation of copyrights, involving nationally or internationally protected rights.

Breaking into research computer files, and obtaining the results of experiments, surveys, model applications, simulations, or tests, especially of a long-term nature, involving large amounts of time, costs and effort.

Other Types of Misuse

There is a variety of other kinds of computer misuse with new types frequently being reported. Samples of this kind include the following: (It should be noted that the boundaries with the other types of misuse are somewhat fluid and a certain degree of overlapping is unavoidable).

Tapping wires to commit a "cashless crime." Bogus telex and electronic orders supposedly sent by a Nigerian bank to a New York bank resulted in the transfer of $21 million to overseas accounts which were never recovered (Bequal, 1986).

Blackmail and extortion. Hackers, terrorists, common criminals, desperate employees, or political radicals could threaten to sabotage or destroy computer facilities or wipe our data banks, forcing business or governments to comply with their demands. One drastic example could be: the wiping out of the Social Security data with hundreds of millions of individuals and companies' records on file, including the destruction of a possible backup system.

Theft by impostors. Bank customers withdrawing cash at ATM's were interrupted by conspirators, posing as employees of the bank or service personnel claiming that a repair had to be done, stealing claimed funds but not yet paid out.

Blocking access or outputs for customers of competitors, for example, of mail ordering or text editing companies.

Theft of computer time by illegally obtaining passwords (many hardware producers deliver machines with passwords openly printed out), or by programming the PC to run through millions of password combinations until the real one has been found. The PC and access approval unit could communicate silently and un-observed for any length of time.

Hardware theft. Integrated circuits, semiconductors or memory chips stolen for resale, or the theft of entire company computers or their physical components.

Sabotage by disgruntled, disloyal, dissatisfied or bribed employees who purposely erase memories or instructions partially or totally, or insert self-destruction programs. They are often able to hide the manipulation by additional cover up programs.

Manipulation of stock prices by reporting false computerized profit or loss figures of companies.

Influencing public opinion and credibility of individuals or organizations with falsified data misusing the public trust in computer- generated documentation. Examples include: lists, financial information, polls, voting results, bills, product quality records, and educational or funding allocation records.

One or a combination of such violations could cause a temporary or continuous crime exposure, with or without a partial or total malfunction of an organization's computer system.

Groups or Individuals Involved

There are various groups or individuals who must be considered when planning, implementing, and maintaining computer security measures. They include:

* Dissatisfied employees, including managers, executives and in exceptional cases even security personnel. They can act alone or together, with or without inside help. Sometimes they just want |to get even.' One casual sweep with a skin-colored small, flat but powerful magnet glued to the inside of a human hand, over a magnetic tape could cause havoc as soon as the tape is used again, without visible proof or damage of any kind. A good personnel record and a carefully conducted screening procedure is no guarantee that a potential employee will not manipulate the computer system. It only means that the chances are lower.

* Disgruntled ex-employees seeking revenge.

* Puzzle-solvers or experimenters who want to match their ability with the system. They usually do not intend to cause harm with their intellectual exercises, but frequently do.

* Hackers (freaks) breaking into the system.

* Unintentional misuse of the system. The proof of criminal intent usually poses a dilemma, since no system is free of human errors.

Specific Activities

The specific activities of the above-mentioned groups or individuals pertaining to computer manipulations may include one or a combination of the following:

* Using the system for unauthorized private projects during hours or after hours (time theft).

* Bribing insiders or hiring expert help from the outside to breach the computer security system.

* Breaking codes and password access security, falsifying access or identity cards or other means of access.

* Copying data or programs.

* Altering instructions, files or data, deviating from the original.

* Deleting some or wiping out completely memories or instructions, by means of unauthorized instructional inputs or physical forces such as magnets.

* Exchanging complete sections or units of software.

* Implanting elements of hardware, such as microphones, transmitters or various manipulation devices.

* Tapping signal transmissions.

* Adding signals to the original flow (|piggyback').

* Jamming, scrambling or disturbing signal flows. Management should note that the basic rule: "If you want to prevent crime, you have to think like a criminal" fully applies, especially in the area of computer security.

Structuring Security Policies by Information Management

In view of the facts and trends mentioned above, management should pay renewed attention to its computer-supported information and operation system within a typical abuser-friendly environment. Particularly, the security aspects in terms of both quality and scope seem to be in urgent need of reconsideration. The current situation can be summarized as follows.

The rate of misuse, security breaches and crime in the computer area is fast growing in both number of incidents and severity.

There is an awareness or credibility problem. Managers of most organizations are still |disbelievers', and to them the dangers are exaggerated by sensational media reporting. The real chances for electronic disaster are commonly discarded as a myth.

The following conditions create an |abuser-friendly' environment with rapidly growing opportunities for misuse: proliferation of micro and personal computers; easier and faster accessibility of computer (main frame) systems: rising compete literacy, dependence and complexity; lack of sufficient controls, enforcement, appropriate laws and (ethical) perceptions by perpetrators; complacent management; lenient courts, and an indifferent public.

It is no longer possible for top management to conveniently delegate the problem to data processing managers, since it has become part of a larger complex of problems within the context of the organization as a whole.

Computer security can never be complete or absolute, so some level of risk has to be accepted.

Measures Against Computer Crimes

The possible countermeasures in general terms include among others the following:

Introduction of preventative measures; educational and awareness programs; and improved standards. Some of these standards include: meaningful security policies, procedures and approvals, clarifying responsibilities, screening employees, restricting working station access, backup, storage and media protection, and the signing of a security acknowledgment by all employees involved.

Prevention by technical security measures, aimed at hardware, input facilities, software, data and signal transmission lines.

A security computer service firm should be consulted. Such companies offer general support, educational, technical, audit or special services (Davis, 1985) that fit the exact needs of the client, such as measuring or monitoring security performance. The daily fees charged vary roughly between $3,000 and $18,000 per day, monthly membership fees between $1,000 and $8,000, and disaster notification fees per incident between $0 and $30,000 (Scoma, 1985).

All such measures should be introduced and maintained at an acceptable level in a user-friendly manner. Employee goodwill and productivity will decline if security is perceived as overpowering, imposing and restrictive, promoting depersonalization and inhibiting creativity.

Security measures should reflect the fact that there is a much higher probability of misuse by the trusted insiders than by hackers, ex-employees or competitors.

Jyoti N. Prasad is Associate Professor of Management, the Lumpkin College of Business, Eastern Illinois University. Yunus Kathawala is Chair and Professor, Computer and Operations Management, the Lumpkin College of Business, Eastern Illinois University. Hans J. Bocker is Resident Editor of Finanz Und Wirtschaft, London. David A. Sprague is Chair and Professor in the Department of Management, Central Michigan University.
COPYRIGHT 1991 Institute of Industrial Engineers, Inc. (IIE)
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 1991 Gale, Cengage Learning. All rights reserved.

Article Details
Printer friendly Cite/link Email Feedback
Author:Prasad, Jyoti N.; Kathawala, Yunus; Bocker, Hans J.; Sprague, David
Publication:Industrial Management
Date:Jul 1, 1991
Words:4124
Previous Article:Ritual in business: building a corporate culture through symbolic management.
Next Article:Becoming competitive through design for manufacturing.
Topics:


Related Articles
The pivotal role in computer security.
Keeping the contagion at bay.
Computer crime categories: how techno-criminals operate.
Overcoming obstacles: preparing for computer-related crime.
Computer crime: an emerging challenge for law enforcement.
Internet security: perceptions and solutions.
Cyber-crime on the rise.
Making Computer Crime Count.
Confronting cyber-crime.

Terms of use | Copyright © 2016 Farlex, Inc. | Feedback | For webmasters