%% N.I.A. %%
%% Network Information Access %%
%% 02MAR90 %%
%% Lord Kalkin %%
%% File #3 %%
:_Computer Crimes/Fraud/Waste part 1
:_Written/Typed/Edited By: Lord Kalkin
1. COMPUTERS: CRIMES, CLUES, AND CONTROLS
The Information Age has brought aboout dramatic improvements in
way the Federal goverment does its job. For making descisions,
more and better information is available more quickly to more
people than ever before. Statistics computations that once took
weeks, now takes minutes. And analyses that once required numerous
programmers, a computer operator, and a large computer facility may
now need only a nontechnical staff using software packages on
desktop computers in their office.
The General Service Administration estimates that Federal
agencies will acquire half a million small computers by 1990. In
FY 1984, federal expenditures for micro and desktop computers
totaled $137 million. The comparable figure for FY 1983 was $34
million. And these statistics do not include computer terminals
that are part of large computer systems or word processors--many of
which can be used to store and manipulate data, as well as create
graphics. The Office of Management and Budget(OMB) estimates that
#13.9 billion was spent in FY 1985 to acquire, operate, and
maintain Federal information technology systems.
New management problems have accompanied the increase use
of computers and automated technology. Terminals, often connected
to computers that are networked together, can access vast
quantities and different types of data. There are publicy voiced
concerns about privacy of information and the risks associated with
automating and making more accessable personal, proprietary, or
other sensitive data. These are serious concerns about increased
computer crimes, waste, and abuse which result in such costly
problems as improper payments from govermant benifit programs and
unnecessary equipment purchases. And there is the clear
recongition that information is a resource to be protected.
The responsibility for protecting information resides with
the end user manager. This responsibility is acknowledged in OMB
circular A-130, MANAGEMENT OF FEDERAL INFORMATION RESOURCES:
"Agencies shall make the official whose program an
information system supports responisble and accountable for the
products of that system..."
"Because end user computing places management of
information in the hands of the individual agency personnel rather
than in a central automatic data processing organization, the
Circular requires that the agencies train end users in their
responsibilities for the safeguarding information"
This document is designed to provide information security
awareness training for the end user manager. Security awareness
training acquaints systems, controls, and techniques that enhance
information security and with resources available for additional
"YOU'VE GOT TO CONSIDER YIELD. IT'S $19,000 PER BANK
ROBBERY AND $560,000 PER COMPUTER CRIME!"
Computer crime is a growth industry -- and so are computer
waste and abuse. Some estimates peg the increase of computer crime
at 35 percent annually and the cost $3.5 billion. One obvious
reason is the potential payoff: the average computer crime yields
an estimated $560,000; the average bank robbery, $19,000.
The computer criminal is less likely to get caught than the
bank robber -- and less likely to get convicted if caught.
Estimates of detected computer crimes are as low as 1 percent. And
the liklihood of a criminal conviction for computer fraud is less
than 1 in 10.
Deliberate computer crime is a significant part of the
picture. But wasteful and abusive practices, accidents and errors
are an even larger part. In the succint words of one noted
expert, " We bumble away far more computer $s than we could ever
steal." Those bumble dollars -- combined with the estimate of $3.5
billion annual cost of computer crime -- underscore the scopes and
seriousness of computer related losses.
A major contributor to computer related loss is the lack of
security awareness. Security awareness can stop accidents and
errors, promote adequate information security controls, prevent and
detect the wouldbe computer criminal. End User awareness of
securtiy controls provides four levels of protection for computers
and information resources:
SECURITY CONTROLS: FOUR LEVELS OF PROTECTION
Prevention -- Restricts access to information and
technology to authorized personal only;
Detection -- Provides for early discovery of crimes and
abuses if prevention mechanisms are
Limitation -- Resticts lossess if crime occurs despite
prevention abd detection controls; and
Recovery -- Provides for efficient information recovery
through fully documented and test contigency
Yesterday, managing technology was the technical manager's
concer. Today, managing information is every nontechnical end user
manager's concern. Managing information requires new knowledge and
new awareness by a new group of nontechnical employees. Good
information management requires recongizing opportunities for
computer crime and waste so that steps can be taken to prevent
When Computers were first introduced, few were available
and only a small number of persons were trained to use them.
Computers were usually housed in seperate, large areas far removed
from programm managers, analysts, economists, and statisticians.
Today that is changed. Word processors, computer terminals, and
desktop computers are as common equipment. This electronic
equipment is rapidly becoming increasingly user-friendly so that
many people can quickly and easily learn how-to use it.
Employees with access to computer equipment and automated
information are greatly increasing throughput the organizational
hierachy. The GS-4 secretary, the GS-9 budget analyst, the GS-12
program analyst, the GS-13 statician, the GM-14 economist, and the
Senior Executive Service Manager may have all the access to a
computer terminal or word processor and the information it contains.
No longer is information restricted to select few at the
highest levels of an organization. This phenomenon has led
computer crime to be called the "democratization of crime." As
more people gain access to automated information and equipment, the
opportunities for crime, waste, and abuse likewise increase.
It's Difficult to Generalize, But...
- Functional end user, not the tecnical type and
not a hacker
- holds a non-supervisory position
- no prevoius criminal record.
- bright, motivated, desirable employee
- works long hours; may take few vacations
- Not sophisticated in computer use
- The last person YOU would suspect
- Just the person YOU would want to hire
THE COMPUTER CROOK CAN BE ANYONE
The typical computer crook is not the precocious hacker who
uses a telephone and home computer to gain access to major computer
systems. The typical computer crook is an employee who is a
legitimate and nontechnical end user of the system. Nationally,
employee-committed crime, waste, and abuse account for an estimated
70 to 80 percent of the annual loss related to computers.
Dishonest and disgruntled employees cause an estimated 20 percent
of the total computer system related loss. And they do so for a
variety of reasons.
WHY PEOPLE COMMIT COMPUTER CRIME
- Personal or Financial gain
- Personal Favor
- Beat the system, Challenge
But a significantly lager dollar amount, about 60 percent
of the total computer-related loss, is caused by employees through
human errors and accidents. Preventing computer losses, whether
the result of debliberately committed crimes or unknowingly caused
waste, requires security knowledge and security awareness. A
recent survey reported that observant employees were the primary
means of detecting computer crime.
CLUES TO COMPUTER CRIME ABUSE
Be on the look out for...
- Unauthorized use of computer time
- Unauthorized use of or attempts to access data files
- Theft of computer supplies
- Theft of computer software
- Theft of computer hardware
- Physical damage to hardware
- Data or software destruction
- Unauthorized possession of computer disks, tapes
This is a beginning list of the kinds of clues to look for
in detecting computer crime, waste, and abuse. Sometimes clues
suggest that a crime has been committed or an abusive practice has
occured. Clues can also highlight systemn vunerabilities --
identify where loopholes exist -- and help identify changes that
should be made. Whereas clues can help detect crime and abuse,
conrols can help prevent them.
Controls are management-initiated safeguards -- policies or
administrative procedures, hardware devices or software additions
-- the primary mission of which is to prevent crime and abuse by
not allowing them to occur. Controls can also serve a limitation
function by restricting the losses should a crime or abuse occur.
This document addresses information security into three
areas: Information Secrurity, Physical Security, and personnel
security. In each area, crimes, clues, and controls are
discussed. In these areas not only frauds, but abuses and waste
are addressed. The final chapters provide a plan of action and
cite availably security resources.
N.I.A. - Ignorance, There's No Excuse.
Founded By: Guardian Of
[OTHER WORLD BBS]