3   Founded By:    3 :  Network Information Access   : 3 Mother Earth BBS 3
  3 Guardian Of Time 3D:            17APR90            :D3  NUP:> DECnet    3
  3   Judge Dredd    3 :       Guardian Of Time        : 3Text File Archives3
           3           HMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM<           3
           3            IMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM;           3
                        :   Section II - Background    :

Here is Section II of VI Sections that talks in some detail about Computer
Crime,  and also sights actual court cases, which may be of some help to

                          SECTION II - BACKGROUND


Although computer security has been an important requirement in the
military since computer use began, it has been only explicitly recognized
in nonmilitary government and business since the late 1960s.  The 1967
American Federation of Information Processing Societies, Spring Joint
Computer Conference session, "Security and Privacy in Computer
Systems" chaired by Dr.  Willis Ware of the Rand Corporation, generated new
interest in computer security.  Rapid development, stimulated by the
privacy issues and notorious computer crimes in the 1970s, has followed.
Formalized methods for evaluating the adequacy of security soon followed.

On July 27, 1978, the US Office of Management and Budget issued to all
agency heads the Transmittal Memorandum No.1  under Circular No.A-71 on
Security of Federal Automated Information Systems.  This memorandum
presents a comprehensive policy regarding establishment of computer
security programs in all nondefense computer centers.  It contains a
procedure for adopting security standards, a requirement for security in
all hardware and software procurements, plus guidance on security in all
hardware and software procurements, plus guidance on conducting risk
analyses, performing security audits, developing contingency plans, and
establishing personal security policies.  Various roles for the National
Bureau of Standards, General Services Administration, and Civil SErvice
Commission are specified.  This memorandum, a significant milestone for
computer security in the federal government, is a well-conceived document
worth of general use.


New approaches to reviewing, establishing the needs for, and selecting
computer security controls are emerging as concepts of computer security
mature.  Maturation is evident from the routine acceptance  of security
and from the type of controls typically used today at the seven sites
visited.  At present, the computer security field is characterized by:

:      General management recognition and support.

       Top management at the sites were interested enough in computer
       Security to fully cooperate with the project field teams.  Corporate
       and agency policies reflecting top management's concern have been

:      Established specialists in the subject area.

       Full-time security researchers and designers in computer science
       and technology are developing concepts of trusted computer systems
       that will be significantly more secure than current computers.
       Many consultants are active in the field.  Computer security job
       titles and positions have been developed, and hiring by these
       titles is practiced.

:      Appointment of full-time or part-time computer security officers in
       large,  well-run computer installations.

       The larger organization visited had full-time or part-time computer
       security officers.  National conferences on computer and computer
       security and privacy are currently drawing 700 to 800 computer
       security-rated specialists and administrators.

:      Computer security products available at resonable prices.

       Physical access control systems for computer centers, password
       access terminal systems, file access control computer programs,
       file detection and suppression equipment, cryptographic systems,
       audit program tools and uninterrruptible power supplies for
       continuous operation of computers are examples of resonable priced
       products ( see also Section VI).  In Addtion, the products'
       salesmen provide a new source of information and assistance for
       security practitioners.

:      A precedent-setting federal standard for cryptographic protection.

       The first federal information processing standard,  the Data
       Encryption Standard, was approved by the National Bureau of
       Standards and is used in more than 25 products.

:      Increasing numbers of effective controls found in well-run computer
       installations and well-designed systems.

       Section VI identifies 82 generally used controls based on field
       investigation of the seven computer sites.

:      Practice of formal security review methods.

       Task group reviews of computer centers are becoming more common.
       The US Office of Management and Budget requires that risk
       assessments be performed in all federal agency computer centers at
       least once every 3 years.  The National Bureau of Standards has
       published several reports on conducting risk assessments.

:      A body of information documenting loss experience.

       Conference proceedings, books, and trade journals include detailed
       descriptions of loss cases.  Mr. Donn B. Parker at SRI
       International, Professor Brandt Allen at the University of Virginia,
       The American Institute Of Certified Public Accountants, Mr.  Robert
       Courtney in New York, and Mr.  Jay Bloombecker in Los Angeles have
       extensive files of reported computer abuse and crime cases.

:      Laws and regulations requiring security.

       The Federal and State Privacy Acts, Foreign Corrupt Practices Act,
       16 state computer crime statues, and numerous regulations require
       or directly imply the need for controls.

:      Special insurance polices.

      Numerous insurance companies offer policies for protection against
      data processing business interruption, errors and ommissions, and

:      Numerous books, journals, news publications, and other writings on
       the subject.

       The National Bureau of Standards has published more than 40
       computer security reports.  The Bureau of Justice Statistics,
       Department of Justice, has published a series of manuals and guides
       on privacy and security.  At least four monthly commerical
       newsletters and journals, as well as many books on computer
       security, are published.

:     Specialized audit capabilities.

      The Institute of Internal Auditors published the SRI international
      Systems Auditability and Control Reports identifying 30 audit
      techniques and more than 300 controls.  EDP auditing has become an
      accepted specialty in audit, and EDP auditors are certified by the
      Institute of Internal Auditors and soon also by the EDP Auditors


Admittedly, some potential threats and assets subject to loss are
different from one computer center to another depending on organizational
characteristics and purposes.  Some vulnerabilities of a US Department of
Justice computer center will be different than a toy manufacturer's
computer center.  However, similar problems among even diverse kinds of
computer centers can lead to adoption of commonly used controls.  The
potential threats, the assets at risk, and the vulnerable facilities that
are similar among all computer centers include:

:  Potential Threats
   - Disgruntled or error-prone employees causing physical destruction and
     destruction or modification of programs or data.
   - Natural disaster such as fire, flooding, and loss of power and
   - Outsiders or employees making unauthorized use of computer services.
   - Outsiders or employees taking computer programs, data, equipment or

:  Assets Subject To Loss
   - Facilities
   - Systems equipment
   - People
   - Computer programs
   - Data
   - Data storage media
   - Supplies
   - Services
   - Documents
   - Records
   - Public respect and reputation.

:  Common Environments at Risk
   - Computer rooms containing computers and peripheral equipment
   - Magnetic media (tapes and disks) libraries
   - Job setup and output distribution stations
   - Data entry capabilities
   - Program libraries
   - Program development offices
   - Utility rooms
   - Reception areas
   - Communications switching panels
   - Fire detection and suppression equipment
   - Backup storage
   - Logs, records, and journals.

In addition to the vulnerabilities common to all computer centers, some
types of computer centers such as criminal justice operations, research
institutes, insurance companies, and banks have environments,
applications, and types of data that create similar potential threats and
types of asset loss.  The vulnerabilities endemic to subsets of similar
computer centers lead to the need for selective controls such as
separation or deletion of names from personal data, batch check summing of
inventory data and possibly data encryption.  Some examples of computer
applications and associated risks that are not common to all computer
centers are as follows:

:  Processing and storage of personal data
   - Intentional or accidental disclosure, modification, destruction or
     use of personal data or records of their use.
   - Violation of confidentiality rules, personal data regulations, or
     privacy laws.

:  Processing and storage of secret data (eg, investigative, intelligence,
   trade secret, marketing, competitive).
   - Intentional or accidental disclosure, modification, destruction, or
     use of trade secret or sensitive data or records.
   - Violation of rules, regulations, or laws.

:  Processing and storage of financial data (eg, account balances,
   negotiable instruments input/output, general ledger, accounts
   payable/receivable, payroll).
   - Financial fraud or theft.
   - Accidental financial loss such as lost interest.
   - Failure to meet financial report filing dates and other fiduciary

:  Process control (eg, controlling manufacturing processes,
   transportation, meal processing, inventory control, patient
   - Intentional or accidental modification, failure, or destruction of

In addition, special or unique problems can arise in a single computer
center where new technology is adopted and commonly used controls have not
yet emerged.  Examples of the new technology include voice data entry,
voice ouput, fiber optics communication, satellite data communications,
and automated offices.

Lastly, several potential sources of unusual threats requiring special
controls have been identified: a computer center built over a burning
underground coal mine, violent labor strife, a computer center in an
airport glide path, rodent or insect infestation, and contract programming
performed by prison inmates.


The process of identifying security needs and selecting and justifying
controls is called a security review when carried out in an organized set
of scheduled and budgeted tasks.  It is sometimes incorrectly called an
audit.  An audit implies independent review by auditors for top management
and owners of an enterprise to discover problems and lack of compliance with
law, regulations, and policy.

The security review method described below is based on identification of
assets, potential threats, and lack of controls.  A zero-based method, it
begins by assuming that potential threats and controls have not been
adequately addressed previously.  Its purpose is to comprehensively and
exhaustively identify problems in the form of specific vulnerabilities,
their risk, and compensating controls.  This approach is thoroughly
justified; losses tend to occur where effective controls are absent.


The usual method of security review often described in the literature and
in seminars includes combinations and various oderings of the following

(1)  Organize a task group to conduct the review; establish plans,
     assignments, schedules, budgets, and scope; obtain management
     approval and support of the plan.

(2)  Identify the assets subject to loss; either determine their value,
     consequences of loss, and replacement value or rank their importance.

(3)  Identify potential threats to the identified assets.

(4) Identify the controls in place or lack of controls that mitigate or
    facilitate the potential threats to the assets.

(5)  Combine associated potential threats, assets subject to loss, and
     lack of mitigating controls; each triple of items constitutes a

(6)  Evaluate and rank the vulnerabilities in terms of greatest to least
     expected potential loss; alternatively quantify risk for all or only
     the major vulnerabilities in terms of annual frequency of loss and
     single case loss in dollars to obtain annualized loss exposure.

(7)  Identify actions and controls that would reduce the risks of losses
     to acceptably low levels.

(8)  Recommend an implementation plan to reduce risk to an overall
     acceptably low level.

(9)  Carry out the plan and establish ongoing security maintenance and

Several steps may be combined or overlapped for task group operating
efficiency.  Various methods such as use of questionnaires and loss and
frequency data forms or scenarios can aid in accomplishing the tasks and
documenting the results.  Some steps may involve a high volume of data to
warrant use of computer-aided methods.  For example, quantified risk
assessment requires expected frequency of loss and dollar value of single
incident loss from both intentional and accidental modification,
destruction, disclosure, use and denial of use (for various periods of
time) for all computer-related threats and assets.

In practice, however, the formalized review approach is rarely taken, or
only severely limited versions are adopted.  More likely, only piecemeal
discoveries of vulnerabilities and their solutions happen.  These events
are occasioned by other information processing activities such as audits,
loss events, new applications, new or newly enforced requirements,
contracting, or budget studies.  If a specific study is conducted, often
obvious, significant vulnerabilities are identified early and actions
taken to reduce their risk even before the final recommendations are made.


A survey of management practices was conducted at the seven field sites.Managers
were asked to describe the process curretnly used to select, justify, and
install computer security controls.  Both methodology and organizational factors
were studied.  Three typical case studies for a government agency, a research
organization, and a private sector firm are included in Appendix A.

None of the organizations studied used a formal cost-benifit or risk analysis to
evaluate computer security controls.  These techniques, which have been heralded
in the literature, were thought to be excesively elaborate and not
cost-effective.  Quantitative analyses were considered not appropriate because
of a lack of valid data.  Instead, each site primarily used subjective and
somewhat informal piecemeal techniques for assessing the pros and cons of
particular computer security controls.

These subjective techniques can be described as the exercise of prudent care or
subscribing to generally used controls.  the words "prudence" and "common sense"
were frequently used in describing what went into these subjective assessment
approaches.  Generally used approaches were defined in terms of the practices of
other organizations in similar environments.  Management essentially asked, "If
another manager were in my place, would he install and operate the proposed
control?"  Factors considered in answering this questing include:

:  The controls actually being used by other orgainziations with similar
   applications and equipment.

:  Reported loss experience.

:  The perceived needs of the organization's own operating environment
   compared to other organizations with similar environments.

:  The increased level of security to be achieved.

: Laws and regulations.

Definitions of generally used controls typically consider a wideranging
control environment.  Policies and professional ethical mores, personnel
procedures, and manual procedures can be used to make up for the possible
lack of computer-based controls, especially in computer systems where
security has not been a design and implementation criterion.

Another important factor in the decision to use a particular control was the
influence of outside parties.  Clients served by the organizations specified
requirements that had to be met before certain work could be performed and
data could be obtained.  these requirements mirrored requirements that in
some instances came from within the organization.  External and internal
auditors were other sources of relevant information.  Quantitative
information such as the cost to install and operate a control, money to be
saved, or the losses to be prevented ( from catastrophes, lawsuits, or
public embarrassment ) were rarely considered.

Management in most cases did not actively seek information about what is
done elsewhere.  Although they used this information when made available to
them and found it to be of great interest and potentially useful, they did
not believe that contacting similar organizations and asking questions were
cost-effective.  The exception to this occurred when very costly controls,
such as vaults or electronic lock access systems, were considered.
Management then directed technical personnel to study alternative products
and survey users of the products.  Sometimes prioritized lists of desirable
controls were prepared as wish lilsts that could be reviewed whenever
budgets were prepared.  The lists were helpful in matching high-priority
controls with limited resources.  Controls were viewed as necessary
resource-consuming items rather than revenue generating or cost-saving
items.  The time frame was typically 3 to 5 years.

The source of the funds to be used for a control largely dictated the
approval process; if funds were to come from a government grant, from
organizational overhead, or from a client project, then the approval
channels were markedly different in each case.  The approvoal process also
varied depending on the time of year when the need for a control was
noticed.  If a need was perceived shortly before budgets were prepared, and
installation could be delayed until the next fiscal year, then it was
included in the budget.  If installation of a control could not be delayed
until the next fiscal year, then it was included in the budget.  If
installation of a control could not be delayed until the next fiscal year,
special procedures were requried to rearrange currently budgeted funds to
obtain additional funds.

Documentation of the decision process was often sparce.  Purchase
requisitions and budgets on the proposed control were sometimes the only
formal documents produced.  Explicit management approval in these cases was
given when these forms were approved.  Larger organization werre more liekly
to require formal documentation that included proposals, signoff sheets,
memos, impact statements, and in rare instances cost-benefit analyses.
Systems development and modification methodologies in some cases included
requirements for considering computer security.  Security was reviewed when
a system was designed, redesigned, or modified, but not otherwise.  The
concern for security was not dealt with in isolation from other activites.
Typically, a control that was retroisolation from other activites.
Typically, a control that was retrofitted to an existing system was
evaluated in the same manner as a control that was originally designed into
a system.  Both were subject to the system development and modification

Documentation of control decisions and the resulting changes to be made were
more extensive whenever a control was going to affect people outside the
organization.  One organization wrote and maintained a specialized secure
operating system; another developed and installed a security program
package.  For these products, strict requirements for system change
justification and documentation existed.


Typically, the decision to adopt a control was made by the line managers
from the area primarily involved; for example, if an electronic lock access
system would restrict the activities of computer operators, then compuer
operations management would make the decision.

In some instances, security committees that had an advisory role in the
decision to adopt computer security controls were formed.  These committees
were composed of higher level managers who represented the following
organizational ares:  The legal department, user organizations, applications
development, computer operations, and industrial security.  These committees
monitored legal and regulatory requirements , current events, and the
current security systems.  In rare cases, the committee had approval

When a proposed control affected several parts of the organization in a
significant monetary or operational way, then management approval of each of
these areas was usually obtained.  Approval by industrial security, legal
counsel, audit, personnel, users, as well as other departments of a compute
center besides the one proposing a control was thus sometimes requred.  For
example, if a control would increase the rates for computing services
charged to users, or if it would change the user's interaction with a
computer system, then the users would typically be involved in the decision
process.  Occasionally, if many areas were involved, then a higher level
manager who had each of these areas reporting to him decided whether to
adopt a proposed control.

The computer service provider may play different roles in the identification
and approval of the need for a control.  The service provider in some cases
was responisble for telling the user what was needed, while in other
organizations the user was responisble for telling the service provider what
was required.  In either case, expertise within the computer sevice
provider's organization was relied on.  In some organizations, other
departments such as audit and legal counsel were supposed to alert involved
parties to the need for additional controls, but the approval of the changes
still rested with the service provider and the user.

Audit departments were seldom involved in the control requirements and
specification process.  Although many authors of computer security works
advocate that auditors be involved in systems design work, this
participation did not generally occur.  Some say that this sytem is
adequate--auditors are not supposed to directly participate, which
specification of controls would imply.  Auditors were said to only
infrequently review computer controls.  Others state that auditors should be
more active in the review of controls, informing management of the need for
improvements.  Larger organizations were more likely to have auditing staff
involved in these activities.

Many installations have noted that finding security experts in the computer
field to hire is a problem.  In some cases controls were not evaluated or
implemented because of the lack of qualified personnel.  the shortage of
experts in the computer security field is particularly acute.

Evidence of the maturing of computer security and the findings from
experience about selection of controls provide the background to consider
the motivation and need for adopting generally used controls.  The next
section provides two specific examples of common sources of this motivation
and need and how they may be satisfied by generally used controls.

This section has described the increased recognition of the ned for security
controls and the maturation and status of the process of control selection.
a major factor relevant to decision making regarding computer security is
the legal framework surrondin data and releated computer violations and
liabilities.  These issues are addressed in the next section.