3   Founded By:    3 :  Network Information Access   : 3   Founded By:    3
  3 Guardian Of Time 3D:            12APR90            :D3 Guardian Of Time 3
  3   Judge Dredd    3 :       Guardian Of Time        : 3   Judge Dredd    3
           3           HMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM<           3
                :           Section I -- Introduction           :


There will be at least ten files on the subject of Computer Crime, I have
tried to get people to show us just what we can,  the ideas that are being
taught to managers, are simple, and crude.  You have seen in the first few
files of NIA, just HOW SIMPLE are the techniques? Well here in this
section will be a Governmental view of Computer Crime.

                                                Guardian Of Time


The "Dawn of the Age of Aquarius" has also ushered in the "Age of the
Computer." It is no secret that computers have become indispensable to
almost every form of modern business and government.  The rapid expansion
of computer use has created an electronic marketplace where goods and
intellectual products are transferred and paid for entirely by electronic
means.  Computers have also created a new method of storage and
representation of assets through electronic data processing systems that
record everything from bank balances to shares of securities.  The use of
computers has even advanced to the stage where electronic signatures can
be given unique characteristics making them more easily identifiable and
reliable than human handwriting in many respects.

The new form of assets consists of pulses of electricity, states of
electronic circuits, and patterns of magnetic areas on tape and disks.
The pulses can be converted to the form of checks by a computer printer or
to monetary currency by computer-printed reports that authorize cashiers
to transfer cash from boxes to people or to other boxes.  The pulses can
also be converted to printed reports or mechanical functions that cause
actions either manually or automatically involving goods and services.
These negotiable assets, as well as personal information, now are stored
as data in computers, saved on magnetic tape and disks, and sent through
wires and microwave carriers in electronic, electromagnetic wave, and
magnetic forms.

The creation of these new forms of assets, however, has been accompanied by
an increase in the potential for misuse of computers and computer data.
Some of the people who create and work with computer products have the
capability to alter or delete assets stored in computers or to create
totally new assets.  The security of these assets, as well as other data
stored in computers, is vital.  In this document, computer security
encompasses the integrity, preservation, authorized use, and
confidentiality of data starting with its generation, through its entry
into computers, automatic and manual processing, output, storage, and
finally its use.

One of the primary motives for computer security is protection from
intentionally caused loss.  Computer crime is highly publicized and its
nature frequently distorted in the news media.  Although there are no
valid representative statistics on frequency or loss, enough loss
experience has been documented (more than 1000 reported cases since 1958)
and even more conjectured to make it clear that computer crime is a
growing and serious problem.  Broadly defined, known experience indicates
a high incidence of false data entry during manual data handling before
computer entry.  Most losses of this kind are small, but several large
losses of $10 to $20 million have occurred.  Unauthorized use of computer
services has also prolifereated, especially with increasing use of dial-up
telephone access to computers.  A few sophisticated programmed frauds
inside computer systems or using them as tools for frauds have been found
where detection was mostly accidental.  Reported computer crime is
committed mostly by people in positions of trust with special skills,
knowledge and access.  The results of known experience indicate the need
for a wide range of basic controls that reduce the likelihood of violation
of trust by these people.  Many of these controls that reduce the
likelihood of violation of trust by these people.  Many of these controls
are represented in this report.


Although computer security has always been needed, even before computers,
interest in it became widespread only after computers came into use,
especially for processing financial and personal data.  Computers
facilitate the great concentration of data for powerful means of
processing, and for the first time since the days of manual data
processing computers, provide an opportunity to apply computer security in
effective, uniform, and low-cost ways.  At the same time computer use
increases the dangers of large losses from the conentration of intangible
assets in electronic forms and changes the nature of exposures to losses
with assets in these new forms.

Use of computers changes the patterns and degree of trust put in people
who work with data.  New occupations staffed by fewer, technology oriented
people, each with greater capacity to do good or harm using computers as
tools have emerged.  There is now one computer terminal for every three
white-coller workers.

Computers remove processing and storing of data in their electronic form
from direct human observation.  Thus, computer programs that direct the
processing of data whose integrity and correctness must be assured are
necessary tools to see the results of data processing and check the
correctness of data stored in computer media.  The procedures by which
data are processed and stored are created by programmers at a different
time and place than when the actual processing occurs.  Processing takes
place so rapidly as to be incomprehensible to humans until it is complete,
and intervention is impossible except in preprogrammed ways that where
developed without the possibility of foreseeing all future conditions and

Organizations that use or provide computer services for governmental and
business purposes have a responsibility to the users, data subjects,
managers and employees, as well as society, to assure computer security in
legal, economic, and ethical terms to avoid loss to themselves and others.
Thus, contractual commitments that specify trade secret protection of
commercial computer program and data file products require that users of
the products apply safeguards.  Top management, of course, wants to
continue the success of their organizations and avoid data-related losses.
Data processing employees abide by the computer security policies and
procedures to please management and receive advancements in their jobs.
Society demands responsible treatment of data, the US government, for
example, has attempted to obtain voluntary adherence by business to the
Organization for Economic Cooperation and Development Guidelines on
Protection of Privacy and Transborder Flows of Personal Data.  In
addition, professional societies and trade associations apply peer
pressure to meet ethical standards.

Data-related losses from errors, omissions, bad judgment, intentional
acts, and natural events motivate the victims to avoid further loss.  Some
controls on loss result in more efficient data handling, reduced insurance
premiums, and lower costs.  Compliance with laws and regulation such as the
Privacy Act of 1974, Foreign Corrupt Practices Act, criminal statutes, and
the US Office of Management and Budget Circular A-71 on Computer Security
is required for an orderly society.

All of these factors and more must be taken into account in planning and
establishing computer security.  Dangers lurk not where losses have been
anticipated and good controls exist but where vulnerablities have NOT been
anticipated and controls are lacking.  Systematic methods are needed to
assure completeness of safeguarding with limited resources that can
resonably be devoted to protection in the complex and changed environments
of data processing brought about by the use of computers.


Management is eager to allocate resources that directly increase the
productivity of their organizations.  Security seldom adds directly to
productivity; it only assures protection from loss of productivity and
avoids violation of rights, laws and regulations.  Therefore, security
might have occurred.  If security is effective, it usually goes unnoticed
because loss is averted.  Otherwise, security is sometimes seen as costing
money without visible, direct contributions to performance.  This makes
security expenditures particularly important to justify and understand.

Fortunately, enlightened management will react rationally to assure
security in their organizations when given resonable options and adequate
justification for doing so.  Employees will support and carry out security
when they understand its purpose, receive clear directives, understand
that it is part of their job performance, and are judged on their
adherence to secure practices.  Therefore, recommendations for
cost-effective controls must be properly justified and generally accepted.

Methods for conducting security reviews based on risk assessment to
determine vulnerabilities and identify needed controls have been developed
and used to some extent.  However, many controls are still selected on a
piecemeal basis when individual needs become evident without comprehensive
review of all needs.  This leads to inconsistent security buildup that
leaves serious vulnerabilities and gaps.  Security must be mesasured by
the weakest links; losses occur where adequate controls are lacking.
Therefore, methods of review must be developed that are comprehensive as
well as sufficiently practical and low in cost to attract their use.

Data processing and computer security have advanced rapidly to the point
where organizations today do not take action in isolation from what other
organizations are doing.  Many organizations have adopted the solutions to
common vulnerability problems developed by others.  Applying generally
used security practices and controls is attractive where the problems and
needs are similar among many organizations.


The study results reported in this document are meant to add materially to
new concepts in computer security.  The computer security practices and
controls presented here are those used or endorsed by seven organizations
that are particularly advanced in their computer security.  In addition,
the organizations were chosen from among those heavily involved in
manipulating personal data to emphasize the application of security to
issues of privacy.  Thus, several of the organizations are processors of
crimminal justice data and one is a processor of life and medical
insurance.  The seven participating field site organizations are:

(1)     A state law enforcement data center
(2)     A county EDP services department
(3)     A city data services bureau
(4)     A research institute specializing in criminal justice research
(5)     A life and casualty insurance company
(6)     A center for political studies, which does extensive research on
        sensitive topics linked to individuals
(7)     A state information services department.

A project team of experienced computer security consultants examined the
seven field site organizations to determine the best controls and
practices in use, as well as the methods of review and selection of
controls and practices that organizations use.  This document describes
the 82 controls and practices that were judged as generally acceptable for
good computer security by computer security administrators from all seven
organizations along with two independent security consultants.

In Section II of this report, the background and maturation of computer
security methods, particularly as a basis for new approaches to
evaluating and selecting controls, are described.  Common, selective, and
special vulnerabilities are identified.  Section III describes presently
used security review methods and the legal concepts of standards of due
care and protecting proprietary interests in computer programs which
contribute to computer security practices and the law.

Section IV, along with more detailed descriptions in Appendix B, presents a
new, baseline concept that can be used along with other methods for
selecting controls and security practices.  The principles and benefits of
baseline controls are stated and future baseline development is

Section V explains the method of investigation, the format used to
describe the controls found in the study, and the five indices of the 82
controls that are described in the last section.  The five indices are
identified by topic, objective, area or responsibility, mode, and
environment to facilitate location of specific controls.  An overview
summarizing the controls by topic completes Section V.

In Section VI, the controls are presented in ways quite different from
that found in other security literature.  A title, control objective, and
general description based on actual usage experience are presented.  The
control variants are identified.  Strengths and weaknesses found in usuage
are stated.  These items are followed by  advice on how to audit the
controls, and five more characteristics are briefly identified to complete
the description.  Appendix A presents three case studies of actual
selection and approval of controls and a step-by-step method of how a
baseline review could be conducted.