Reading: Security and Social Issues

Security Within the Organization

Security risks within an organization include the processing

of fraudulent transactions, unauthorized access to data and
program files, and the physical theft or damage of
equipment.
Fraud
Computer fraud is increasing at an alarming rate. Fraud can
be defined as the manipulation of the records of an
organization to conceal an illegal act (normally the theft of
funds or other assets). Computers can make it easy for
employees in particular to defraud the organization, in
particular when the level of security and internal control is
lax. In manual systems, a common control to limit fraud is to
involve two or more people in a process, each one
effectively controlling the activities of the others. We call this
control process separation of duties. For example in a
payroll system one might give an individual the authority to
approve increases, another the task of updating the
computer and the third the responsibility to distribute funds
to employees. Without collusion between them, it would be
difficult for any one of these individuals to steal funds from
the payroll system and hide his tracks. Unfortunately, in
many computer systems, too many separate functions have
been computerized and often there is a single clerk
responsible for running the entire payroll process. In these
situations, anyone who has access to the application can
take the opportunity to commit fraud. The most common
fraud tactics are:
• Entering fictitious transactions. Most frauds are committed
by employees using the system in the normal way to
enter fictitious transactions. No special technical
knowledge is required and the employee relies on the
 fact that management supervision of the process in
weak.
• Modification of computer files. Normally requires a little
more technical expertise as this would involve, for
example, the increase or reduction of amounts held on
the master file, which cannot be changed within the
application without an appropriate transaction (such as
a payment).
• Unauthorized changes to programs. This type of fraud is
usually limited to staff with programming expertise. A
common example is the skimming or salami technique.
In a payroll system this would entail deducting a small
amount from each individual salary cheque and adding
the total to a select individual’s payment. The secret
behind this technique is that employees are unlikely to
notice a change in their salary (PAYE and other
deductions often cause regular variation in the total)
and the total payroll will balance (the total amount being
paid is the same.)
How does an organization limit fraud? Experts suggest a
three-pronged attack. Firstly the organization must stress the
need for honesty and ethical behavior in all business
activities. Managers must lead by example, new employees
must be screened and staff training must support this theme.
The second concern is the level of opportunity in the
organization to commit fraud. There must be strong internal
controls, separation of duties, restricted access to sensitive
applications and constant management supervision. Audit
trails are used to record the origin of every transaction, and
sequential numbering ensures that records cannot be
deleted or reports destroyed. Finally, where a case of fraud
is discovered, action must be taken against the offender.
Many organizations prefer not to prosecute employees
suspected of fraudulent behavior because of the negative
publicity they will receive in the press. This in itself
encourages criminals to repeat the activity in their new
working environment knowing the likelihood of punishment is
remote.
Unauthorized Data Access
Password protection is the most common method of
protecting corporate data. Nevertheless, fraudulent
transactions are often carried out by unauthorized users who
manage to gain access to the corporate network by using
the login details of another user. One way of achieving this is
through a terminal spoof—a simple yet effective approach to
finding other user’s passwords. A terminal spoof is a
program that runs on a machine and looks like the normal
login screen. Once a user has given his or her user-ID and
password, the terminal spoof will record both on the local
disk or server, give what looks like an authentic error
message (such as invalid password—please re-enter) and
then passes control to the real login program. The criminal
will pick up the passwords later to gain access to the system
masquerading as the unfortunate victim.
Other criminals simply make use of an unattended computer
that has been left on by a user who has logged in to the
network and then left the office. Time-out or screen-saver
programs with password protection provide a simple barrier
to this approach In addition, locked doors are a traditional
means of excluding undesirable visitors.
Other dangers of which managers should be aware include
the Trojan horse, in which code is added to a program,
which will activate under certain conditions. For example, a
computer consultant in Johannesburg had a client in Durban.
He placed a Trojan horse in the payroll program so that it
would malfunction while processing the June payroll. They
would fly him down, all expenses paid, to fix the problem and
stay for the Durban July horse race. Once this had
happened for the third time, another consultant was used
who uncovered the offending code.
Another risk is the Back-door technique. When programmers
are building systems, they may try to bypass all the access
security procedures to speed up the development time. In
some cases, these “back doors” have not been removed and
the programmer can gain illegal entry into the production
system.
Sabotage and Theft
When computers were the size of small houses and hidden
in secure computer installations, then theft of computer
hardware was rare. Today, PCs are on most desks and in
many cases they have to be physically bolted to the table to
prevent their disappearance. One famous case of theft
involved a laptop computer stolen from the back seat of a
car in the USA in early 1991. On the hard disk was the
master plan for Desert Storm, the details of how the United
States and her allies would attack Iraq.
Mobile computing devices are especially vulnerable to theft,
and limiting of physical access to equipment is the most
effective first line of defense. Restrictions to entry can be
based on electronic locks, activated by means of magnetic
disks or swipe cards, or on advanced biometric devices that
identify the individual based on characteristics such as
fingerprints or the pattern of the retina. (In each case, the
security mechanism would obviously be linked to a database
containing details of authorized users.)
Another form of theft relates to the copying of programs and
data resources in an organization. Obtaining customer lists
together with the details of the amount and type of business
can obviously assist companies to encourage customers
away from their competition. Theft of software is a major
problem in the PC world where users often make illegal
copies of the programs rather than purchase the package
themselves – this practice is known as software piracy. This
type of theft is more difficult to identify, since the original
product has not physically disappeared as with the theft of
computer hardware. Where software piracy is discovered,
the owner of the computer on which the software resides
(often the employer) is held to be legally responsible for the
presence of pirated software.
The last category of computer theft covers the illegal use of
computer time. In the past computer operators were often
caught processing work for third parties or users were doing
their own work at the office. Computer hackers spend their
time searching for networks to which they can gain access.
Having breached the security controls, they often browse
around the databases in the installation but may not do any
damage. In these instances, the only crime they can be
charged with is the theft of computer time.
Security Beyond the Organization
Hackers and Firewalls

Hackers are users from outside the organization, who

penetrate a computer system usually through its
communication lines. Although some hackers are content
merely to demonstrate that they have bypassed network
security, there is a high risk of malicious damage to data,
stealing of sensitive information (such as customers’ credit
card numbers) or entry of fraudulent transactions by the
hacker. Hackers may also instigate a denial-of-service
attack, in which a targeted web site is inundated with
requests for information initiated by the hacker, rendering it
inaccessible for genuine business customers.
A firewall is an additional system that enforces access
control policy between two networks, especially between a
corporate network and the Internet. The firewall monitors all
external communications, checks user authorization and
maintains a log of all attempts to access the network. They
can also be used to check for the presence of viruses, for
the downloading of unauthorized software, and to guard
against denial-of-service attacks.
 Click on the image for a larger view.
Data which is in the process of being communicated is also
vulnerable to eavesdropping. Encryption, which scrambles
data into an unreadable form, can be used to improve data
privacy and prevent any unauthorized changes to the
message, as well as protecting the confidentiality of data
within the organization.
Viruses
A computer virus is a program that invades a computer
system, normally by residing in corrupt files. The virus has
the ability to replicate itself and so spread to other files and
computer systems. Some viruses are benign and merely
advertise their presence, but others corrupt the files they
infect and even destroy entire databases.
There are three main types of viruses. The original viruses
were mainly systems viruses. They resided in the boot
sector of a disk (the first place the computer looks when
loading the operating system) or in the operating system
utilities. These viruses were usually easy to find and clean.
One problem was that they loaded into memory as soon as
an infected machine was switched on and could often hide
themselves from the anti-viral software.
The next generation of viruses attached themselves to
executable files. When an infected program is run, the virus
resides in memory and infects all new programs run until the
system is switched off. These viruses are difficult to counter,
especially on a network as common files are often infected.
Even when the file server is cleared of infected programs,
users have copies on their personal hard drives, or a
infected copy of the program in memory when the virus
check is performed on the server.
One area most users with which felt safe was the accessing
of non-executable files such as word processing documents.
Unfortunately there are now a number of macro viruses that
can attach themselves to documents and spreadsheets.
Even receiving a simple letter as an e-mail attachment can
infect your machine. Some of the more well known viruses
include:
• Michelangelo. This virus infected many machines in the
early months of 1992. The virus was primed to activate
on Michelango’s birthday (6th March) and had the
capability of destroying all files on the hard disk of
infected PC’s. News of the virus made headlines and
many businessmen and home users rushed out to
purchase programs to check and clean viruses from
their installations. On the day, some infections did occur
but the main winners were the vendors of virus
detection software.
• Stoned. A very common virus in the late 1980s it came in
many forms, some harmless while others corrupted files
by attacking the directories and allocation tables. The
main theme of the virus was to legalize the smoking of
cannabis and normally the message “Your PC is now
Stoned” would appear on the screen.
• Jerusalem. Deletes all programs that are run on Friday
13th.
• Concept. A macro virus, attached to word processing
documents.
• EXEBUG. A nasty little bug that may corrupt your hard
drive. This is a systems virus and can infect the CMOS
of your PC. Very difficult to find and eradicate as it uses
“stealth” technology to hide from virus checkers.
With increasing globalization and interorganizational
communications, viruses are able to spread faster and
further than ever before. Recent examples include Melissa,
ILoveYou, and the Nimda virus, which make use of multiple
methods of transmission. The real mystery about viruses is
why they exist at all. Some experts suggest that computer
hackers are motivated by the challenge of “beating the
system” by writing programs that can bypass virus protection
systems and take control of each individual machine. A more
likely motive is to induce computer users to purchase legal
copies of software. The only real winners in the new world of
computer viruses are the companies selling computer
software.
In the early 1980’s the illegal copying of PC software, or
software piracy was rife as there was no real business
advantage to purchasing the software (except a copy of the
official reference manual). Today it is estimated that about
50% of the PC software used in the USA has been illegally
copied and the situation in South Africa is likely to be worse.
One of the major motivations for buying software rather than
copying from a friend is that the shrink-wrapped product is
guaranteed to be virus free.
The best line of defense against viruses is the regular use of
up-to-date anti-virus software, which will scan files for
viruses and remove them if found.