%%               N.I.A.                %%
                 %%     Network Information Access      %%
                 %%              03MAR90                %%
                 %%            Lord Kalkin              %%
                 %%              File #4                %%

:_Computers: Crime, Fraud, Waste Part 2
:_Written/Typed/Edited By: Lord Kalkin
:_Information Security

                        2. INFORMATION SECURITY

        What was called computer security in the 1960s and data
security in the 1970s is today more accurately called information
security.  Information security underscores the value of
information in today's society -- the recongition that information
is a valuable resource, that it is more than discrete data elements.

        Information security refers to the controls that protect
information from unauthorized access, destruction, modification,
disclosure, and delay.  Information security addresses safeguards
in the processes of data origination, input, processing, and
output.  The goal of information security is to safeguard the
system's assets, to protect and ensure the accuracy and integrity
of information, and to minimize the damage that does occur if the
information is modified or destroyed.  Information security
requires accountability for all events that create, modify, provide
access to, or disseminate information.

        Information security provides assurances that the following
are achieved:

        - Confidentiality of sensitive information;
        - Integrity of information and the related process
          (origination, input, processing, and output);
        - Availability of information when needed; and
        - Accountability of the related information processes.

        Some techniques to protect the system and provide
accountability can be built into the computer.  Others can be built
into the software.  Still others are dependent upon management
policies to define appropiate procedures to be followed.  Deciding
upon the level of sophistication of accountability techniques for a
system requires identifying the sensitivity of the information and
then determining the appropiate level of security.

        This document addresses sensitive data as defined in OMB
Circular A-130, Management of Federal Information Resources:

                The Term "sensitive data" means data that require
protection due to the risk and magnitude of loss or harm that could
result from the inadvertant or deliberate disclosure, alteration,
or destruction of the data.  The term includes data whose improper
use or disclosure could adversly affect the ability of an agency to
accomplish its mission, proprietary data, records, about
individuals requiring protection under the Privacy Act, and data
not releasable under the Freedom of Information Act.

                    CRIMES, ABUSES, AND WASTE

        A survey of goverment agancies identified techniques used
in committing computer-related fraud and abuse.  Few of these
frauds and abuses involved destruction of computer equipment or
data.  Only 3 percent of the frauds and 8 percents of the abuses
involved willful damage or destruction of equipment, software or
data.  Most of the fraud and abuses cases involved information --
manipulating it, creating it, and using it.


        Computer-Related Fraud
                1. Entering unauthorized information
                2. Manipulating authorized input information
                3. Manipulating or improperly using information
                   files and records
                4. Creating unauthorized files and records
                5. Overriding internal controls

        Computer-Related Abuse
                1. Stealing computer time, software, information,
                   or equipment.
                2. Entering unauthorized information
                3. Creating unauthorized information fileas and
                4. Developing computer programs for nonwork purposes
                5. Manipulating or improperly using computer

           These techniques are often used in combination and are
identified in Computer-Related Fraud and Abuse in Goverment
Agencies, Department of Health and Human Services, Office of
Inspector General, 1983.

        Another way of looking at computer-related crime is to  examine
the types of crimes and abuses, and the methods used to commit them.
These include:

"Data Diddling" - Probably the most common method used to commit
             computer crime because it does not require
             sophisticated technical knowledge and is relatively
             safe.  Information is changed at the time of
             input to the computer or during output.  For example,
             at input, documents may be forged, valid disks
             exchanged, and data falsified.

"Browsing" - Another common method of obtaining information which can
             lead to crime.  Employees looking in others' files have
             discovered personal information about coworkers.  Ways to
             gain access to computer files or alter them have been found
             in trash containers by persons looking for such information.
             Disks left on desks have been read, copied, and stolen.
             The very sophisticated browser may even be able to look for
             residual information left on the computer or on a storage
             media after the completion of a job.

"Trojan Horse" - This method assumes that no one will notice that a
             computer program was altered to include another function
             before it was ever used.  A computer program with a
             valid, useful function is written to contain additional
             hidden functions that exploit the security features of
             the system.

"Trap Door" - This method relies on a hidden software or hardware
             mechanism that permits system protection methods to be
             circumvented. The mechanism is activated in some
             nonapperent manner.  Sometimes the program is written so
             that a specific event, e.g., number of transactions
             processed or a certain calender date, will cause the
             unauthorized mechanism to function.

"Salami Technique" - So named because this technique relies on taking
             slices so small that the whole is not obviously affected.
             This technique is usually accomplished by altering a
             computer program.  For example, benefit payments may be
             rounded down a few cents and these funds, which can be
             considerable in the aggregate, diverted to a fraudulent

"Supperzapping" - Named after the program used in many computer centers
             which bypasses all system controls and is designed to be used
             in time of an emergency.  Possession of this "master key"
             gives the holder opportunity to access, at any time, the
             computer and all of its information.

        Examples of Compuer-Related crimes, abuses, and waste include:

        - A payroll clerk, notified of a beneficiary's death, opened a
          bank account using the beneficiary's name and social security
          number. The beneficary was not removed from the computer
          eligibility lists, but a computer input form changed the
          address and the requested direct deposit of benefits to the
          payroll clerk's new bank acount.

        - A major loss occurred with the diversion of the goverment
          equipment.  Fictitious requisitions were prepared for routine
          ordering at a major purchasing centor.  The rquisitions directed
          shipment of communications equipment to legitimate private
          corporations holding goverment contracts.  Just prior to the
          delivery date, one of the conspirators would call the corporation
          to alert them of their "error" and arrange "proper" delivery of
          the equipment to the conspirators.

        - Three data clerks, using a remote terminal, entered phony
          claims into the computer to recieve over $150,00 in benefits
          and then deleted records of these transactions to avoid being

        - Thefts of information commonly involve selling either
          personnel information, contract negotiation information
          ( e.g., contract bids), and company proprietary information
          (e.g., product engineering information ) for outside commercial
          use, or copying or using software programs for personal or
          personal business use.

        The following clues can indicate information security

        1. Security policies and practices are nonexistant or not
           followed.  No one is assigned responsibility for information
        2. Passwords are posted nest to computer terminals, written in
           obvoius places, shared with others, or appear on the computer
           screen when they are entered.
        3. Remote terminals, microcomputers, and word processors are
           left on and unattended during work or nonwork hours.  Data
           is displayed on unattended computer screens.
        4. There are no restrictions on users of the information, or on
           the applications they can use.  All users can access all
           information and use all trhe system functions.
        5. There are no audit trails, and no logs are kept of who uses
           the computer for which operation.
        6. Programming changes can be made without going through a
           review and approval process.
        7. Documentation is nonexistant or inadequate to do any of the
           following: understand report definitions and calulations;
           modify programs; prepare data input; correct errors;
           evaluate system controls; and understand the data base
           itself -- its sources, records, layout, and data relationships.
        8. Numerous attempts to log on are made with invalid passwords.
           In dialup systems -- those with telephone hookups -- hackers
           have programmed computers to do this "trial and error" guessing
           for them.
        9. Input data is not subject to any verification or accuracy
           checks, or, when input data is checked:
               -- more data is rejected;
               -- more data adjustments are made to force
                  reconciliation; or
               -- there is no record of rejected transactions.
        10. There are excessive system crashes.
        11. No reviews are made of computer information to determine the
            level of security needed.
        12. Little attention is paid to information security.  Even if
            an information policy exists, there is a prevailing view
            that it really is not needed.


 1. Control access to both computer information and computer
applications.  Ensure only authorized users have access.

        User Identification:

        Require users to log on to the computer as a means of initial
identification.  To effectively control a microcomputer, it may be most
cost-effective to u>

Transfer interrupted!