Monday, January 05, 2009
Computer Crime and Security

By Jeffrey Streif, CFE, CISA, CPA 

Computer crime features prominently in the media today because of the many forms of it that plague businesses. Regulatory and government agencies are now focusing more on internal controls, including those that involve computer security. Statement on Auditing Standards No. 99 (SAS 99), the Sarbanes-Oxley Act of 2002 (SOX) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) are examples of such standards and regulations.

Types of Computer Crime

Computer crime is any criminal activity that involves the use of a computer or computer-related device. It has increased over the past few years along with the use of computers themselves. The internet has also opened the door to a flood of computer crime through email, newsgroups, chat rooms, individual websites, and so on. It includes, but is not limited to, unauthorized access, identity theft, internet fraud, and computer fraud.

Unauthorized Access

Unauthorized access to confidential data can lead to several kinds of criminal activity. One is the deletion of data. This destruction can cause costly delays or irreparable losses to a business or individual that has not maintained proper backups. The activity can be carried out remotely over the internet or by a disgruntled employee. The latter is harder to prevent, especially when that individual normally has legitimate access to the data.

Data alteration or manipulation is another form of unauthorized access. Here the individual does not destroy the data but alters it in some way. An example would be a student who remotely accessed a school's server and changed his grade.

Social engineering is a form of unauthorized access in which attackers con individuals into giving up information that lets them into the computer system. An example would be someone calling an employee and pretending to be an administrator who needs the employee's password to run a test or fix a problem. Once they have the password they can log on as that individual and cause havoc. No legitimate administrator needs a user's password, so a policy that passwords are never disclosed over the phone or by email closes off this avenue. Another concern with unauthorized access is the theft of confidential data, which can lead to other types of fraud, including identity theft.

Identity Theft

Identity theft, or identity fraud, is when someone uses another person's identity to commit a crime or other harmful act without that person's knowledge. The most common example is credit card fraud, in which a person uses someone else's identity to apply for credit, or uses stolen credit card details to purchase items over the internet. Identity theft is a growing problem because personal data is transmitted daily over the internet, by email, or through some form of electronic data interchange.

Internet Fraud

Internet fraud covers several types of fraud, such as purchase scams, website scams and phishing. One purchase scam involves a buyer in another country contacting a business in the US and asking it to ship merchandise paid for by credit card. The card usually turns out to be stolen or invalid, and the merchant is charged back for the sale after the goods have already shipped.

Website scams are another type of internet fraud, in which the victim is either redirected by a browser hijacker or types a web address very similar to the one intended. An example is a website posing as a government site to collect lottery entry forms. US government websites end in the ".gov" suffix, while the impostor's address does not. Note that an impostor may still put "gov" somewhere in its name (for example as a subdomain of an unrelated site), so the suffix has to be checked at the end of the host name rather than anywhere in the address.
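
The two checks just described, the ".gov" suffix test and the comparison against the address the user meant to type, can be automated. The following is an added example written for this page, not code from the article or from MSCPA; the list of legitimate sites and the sample addresses are constructed, and the edit-distance lookalike test goes beyond what the article describes (it also catches one-character typos such as a substituted letter, not only embedded names).

```python
"""Added example: flag look-alike web addresses.

Checks (1) whether the host really ends in .gov, (2) whether a legitimate
name is merely embedded as a subdomain of something else, and (3) whether
the host is within a small edit distance of a known legitimate site.
"""
from urllib.parse import urlsplit

# Constructed list of legitimate sites the organisation expects staff to use.
LEGITIMATE = {"irs.gov", "usa.gov", "dor.mo.gov"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,             # delete ca
                           cur[j - 1] + 1,          # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_url(url: str) -> dict:
    """Return host, whether it is a .gov host, and a look-alike verdict."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    labels = host.split(".")
    result = {
        "host": host,
        "is_gov": labels[-1] == "gov",      # suffix checked at the END of the host
        "verdict": "unknown",
        "lookalike_of": None,
    }
    if host in LEGITIMATE:
        result["verdict"] = "legitimate"
        return result
    for legit in LEGITIMATE:
        # Legitimate name embedded as a subdomain, e.g. irs.gov.verify-refund.com
        if host.startswith(legit + "."):
            result.update(verdict="lookalike", lookalike_of=legit)
            return result
        # Typo-squat: one or two characters away from a real site
        if edit_distance(host, legit) <= 2:
            result.update(verdict="lookalike", lookalike_of=legit)
            return result
    return result


if __name__ == "__main__":
    for u in ("https://www.irs.gov/forms",
              "http://www.irs.gov.verify-refund.com/login",
              "http://irs.qov/",
              "https://example.com/"):
        print(u, "->", classify_url(u))
```

The embedded-name check matters because a browser shows `irs.gov` at the start of the address bar even though the registrable domain is `verify-refund.com`; the suffix test alone would not catch `irs.qov`, and the edit-distance test alone would not catch the embedded form, so both are needed.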

Phishing is the act of attempting to fraudulently acquire confidential or sensitive information by posing as a legitimate individual or business. In the past this type of fraud was usually conducted over the phone; it is now conducted over the internet and through email as well.

Computer Fraud

There are three main areas of computer fraud:  

1. Input manipulation

Input manipulation is the most common form and the hardest to detect. It occurs when a user keys false data into the system, which then processes it as if it were genuine.

2. Program manipulation

Program manipulation is also very hard to detect, but it requires the criminal to have programming knowledge. The attack can come from outside the business or home through viruses or Trojan horse programs. A Trojan horse can be code added to a legitimate program by a malicious programmer, or a standalone program disguised as a legitimate one. Trojans can be used to find confidential data, erase data, download further malware, and so on.

3. Output manipulation

An example of output manipulation would be writing false information to the magnetic stripe on a bank card.

COMPUTER SECURITY

Computer security is the protection of data in a system against unauthorized disclosure, modification, or destruction, and the protection of the computer system itself against unauthorized use, modification, or denial of service. Computer security controls fall into three types: physical controls, logical controls, and administrative controls.

There is usually some combination of all three types of control in an organization's information system environment. The combination is usually determined by a risk assessment, which identifies where the greatest benefit will be achieved in terms of cost and productivity. Risk assessments are important because they determine the various threats to the computing environment for which controls need to be implemented. These risks are then ranked by likelihood and impact, and management must decide which risks require controls, which can be mitigated by other means, and which can simply be accepted.

Physical Controls

Preventive physical controls include locks, ID badges, fire protection equipment, backup batteries and the like. They are the least time consuming and provide some security, as long as the control is actually being used. This requires periodic monitoring to confirm that the control is in use and operating effectively.

Detective physical controls usually require someone to monitor the systems. Examples are motion detectors, alarm systems, security cameras, and smoke and heat detectors. They also act as a deterrent in that they may keep unwanted events from occurring; sometimes a perpetrator will not rob a business if a security camera is present.

Logical and Administrative Controls

Preventive logical and administrative controls usually take the form of passwords, user management policies, anti-virus software, anti-spyware software, encryption, firewalls, and so on. They are typically aimed at preventing unauthorized access to business computer systems and data.

The use of passwords is one of the most common controls. For it to be effective there must be a good password policy in place. A typical policy documents length, composition and lifetime: it requires lower and upper case letters, numbers and special characters, a length of at least seven characters, and a maximum life of 60 days. Note that current US guidance (NIST Special Publication 800-63B) favors longer passwords screened against lists of known-compromised passwords over mandatory complexity rules and scheduled expiry, so the figures above reflect common practice at the time of writing rather than a fixed standard.
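
A policy is only a control if it is enforced at the point where a password is set. The following is an added example, not code from the article, that enforces the rules just listed (seven characters, all four character classes, 60-day life) and adds one check the article does not mention: rejecting passwords that appear on a list of common or previously compromised passwords. The list here is a small constructed stand-in for a real breached-password feed.

```python
"""Added example: enforce a written password policy in code."""
import re
import string
from datetime import date
from typing import List

# Constructed stand-in for a breached/common-password list (real lists run to
# hundreds of millions of entries and are checked by hash, not in the clear).
COMMON_PASSWORDS = {"password", "passw0rd", "p@ssw0rd", "welcome1", "letmein", "qwerty123"}


def check_password(candidate: str, min_length: int = 7) -> List[str]:
    """Return the rules the candidate violates; an empty list means it is acceptable."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not re.search(r"[a-z]", candidate):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", candidate):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", candidate):
        problems.append("no digit")
    if not any(ch in string.punctuation for ch in candidate):
        problems.append("no special character")
    # Complexity rules alone pass "P@ssw0rd"; the list check is what rejects it.
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    return problems


def password_expired(set_on: date, today: date, max_age_days: int = 60) -> bool:
    """True once the password is older than the policy's maximum life."""
    return (today - set_on).days > max_age_days


if __name__ == "__main__":
    for pw in ("password", "P@ssw0rd", "Ledger#2009x"):
        print(repr(pw), check_password(pw) or "OK")
    print(password_expired(date(2009, 1, 5), date(2009, 3, 7)))
```

The point of the list check is visible in the second sample: `P@ssw0rd` satisfies every composition rule in the policy yet is one of the first guesses any attacker tries, which is why length and a denylist do more than character-class rules.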

Along with a good password policy, management should have a training program to keep employees aware of security risks. The program should cover not only the password policy but also computer and internet usage policies. Unauthorized use of the internet can expose the business to unnecessary risk from viruses, Trojans, and spyware.

Another form of preventive logical control is therefore needed to mitigate this risk: anti-virus and anti-spyware software. Anti-virus software alone can no longer adequately protect a computer system. Spyware has become a large threat in that it can monitor online activity, change system configuration, and even download additional components to hijack the browser.

The use of encryption to safeguard data is very important. It allows email messages and stored files to be kept confidential. (Password files are a special case: passwords should be stored as one-way hashes rather than reversibly encrypted, so that no key exists that could reveal them.) There are two main types of encryption in use today: symmetric and asymmetric. Symmetric encryption uses the same key to encrypt and decrypt the message, so the key must be shared secretly between sender and recipient in advance. Asymmetric encryption uses two keys, one to encrypt and another to decrypt, known as the public and private keys. The public key is known to everyone and is used to encrypt messages to the recipient (and to verify the recipient's digital signatures); the private key is known only to the recipient and is used to decrypt those messages (and to sign). In practice the two are combined: asymmetric encryption protects a one-time symmetric key, and that symmetric key protects the bulk of the data, since symmetric ciphers are far faster.
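
The key relationships described above, as an added example written for this page (not code from the article) using only the Python standard library. The symmetric cipher is a keystream derived from HMAC-SHA256 and XORed with the data; the asymmetric cipher is textbook RSA over two fixed Mersenne primes chosen for illustration. Both are teaching constructions: there is no padding, no integrity check, and the modulus is only about 92 bits, so none of this is for production use, where a vetted library (AES-GCM, RSA-OAEP or an elliptic-curve scheme with keys of proper size) belongs.

```python
"""Added example: symmetric vs asymmetric encryption, and how they combine."""
import hashlib
import hmac
import math
import secrets

# ---- symmetric: ONE shared key both encrypts and decrypts ------------------

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand (key, nonce) into `length` pseudorandom bytes, HMAC block by block."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def symmetric_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with the keystream: the same call encrypts and decrypts."""
    ks = keystream(key, nonce, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


# ---- asymmetric: PUBLIC key encrypts, only the PRIVATE key decrypts --------

# Constructed demo primes 2^31-1 and 2^61-1. Real RSA uses random primes giving
# a modulus of at least 2048 bits; this ~92-bit modulus is for illustration only.
P = 2_147_483_647
Q = 2_305_843_009_213_693_951


def rsa_keypair(p: int = P, q: int = Q, e: int = 65537):
    """Return (public_key, private_key) as ((n, e), (n, d))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def rsa_encrypt(public_key, message: bytes) -> int:
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too large for this modulus")
    return pow(m, e, n)


def rsa_decrypt(private_key, ciphertext: int, length: int) -> bytes:
    n, d = private_key
    return pow(ciphertext, d, n).to_bytes(length, "big")


def public_key_cannot_decrypt(public_key, message: bytes) -> bool:
    """Applying the public exponent to a ciphertext does not recover the plaintext."""
    n, e = public_key
    return pow(rsa_encrypt(public_key, message), e, n) != int.from_bytes(message, "big")


# ---- hybrid: RSA protects a one-time symmetric key, which protects the data --

def hybrid_encrypt(public_key, plaintext: bytes):
    session_key = secrets.token_bytes(8)   # 64 bits only because the demo modulus is small
    nonce = secrets.token_bytes(8)
    wrapped_key = rsa_encrypt(public_key, session_key)
    return wrapped_key, nonce, symmetric_crypt(session_key, nonce, plaintext)


def hybrid_decrypt(private_key, wrapped_key: int, nonce: bytes, ciphertext: bytes) -> bytes:
    session_key = rsa_decrypt(private_key, wrapped_key, 8)
    return symmetric_crypt(session_key, nonce, ciphertext)


if __name__ == "__main__":
    pub, priv = rsa_keypair()
    wrapped, nonce, ct = hybrid_encrypt(pub, b"Q4 payroll totals attached.")
    print(hybrid_decrypt(priv, wrapped, nonce, ct))
```

Two things to take from running it: the symmetric round trip only works when both sides hold the identical key, which is the key-distribution problem asymmetric encryption solves; and the public key, although it produced the ciphertext, cannot undo it, which is why it is safe to publish.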

Firewalls are typically the first line of defense for a network, especially one connected to the internet. A firewall can be a physical piece of hardware, such as a router, or a logical one, such as a software application. There are various types of firewall offering different levels of protection. The trade-off is that the more restrictive and secure the rules, the more inspection each packet needs and the more latency the network traffic may suffer. A sound starting point is a rule set that denies everything by default and permits only the traffic the business actually needs.

Detective logical controls include intrusion detection systems and scanners. These supplement the preventive controls just mentioned. No computer system is ever fully secure from intrusion, so detective controls are essential to limit the damage an intrusion does. Intrusion detection software can be set to flag excessive failed login attempts, deviations from normal behavior or activity, and so on, thus protecting the system not only from outside attacks but also from attacks within.
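
What "excessive login attempts" and "deviations from normal behavior" look like in code, as an added example written for this page (not the article's own). It reads SSH authentication log lines in the standard syslog format and raises four kinds of alert: a burst of failed logins from one source, a success from a source that had just been failing, a login from a source not previously seen for that user, and a login outside business hours. The log lines, the year (the file format omits it), the known-source table and the thresholds are all constructed assumptions.

```python
"""Added example: simple intrusion-detection rules over SSH auth log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import List, Tuple

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

# Constructed sample log (chronological). Addresses are documentation ranges.
SAMPLE_LOG = """\
Jan  5 03:12:40 fs1 sshd[1100]: Accepted password for payroll from 198.51.100.9 port 50100 ssh2
Jan  5 08:01:12 fs1 sshd[1200]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jan  5 08:01:14 fs1 sshd[1200]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Jan  5 08:01:15 fs1 sshd[1201]: Failed password for root from 203.0.113.7 port 51024 ssh2
Jan  5 08:01:17 fs1 sshd[1202]: Failed password for jstreif from 203.0.113.7 port 51025 ssh2
Jan  5 08:01:19 fs1 sshd[1203]: Failed password for jstreif from 203.0.113.7 port 51026 ssh2
Jan  5 08:01:25 fs1 sshd[1204]: Accepted password for jstreif from 203.0.113.7 port 51027 ssh2
Jan  5 09:15:02 fs1 sshd[1300]: Accepted password for jstreif from 198.51.100.4 port 50000 ssh2
Jan  5 09:15:03 fs1 sshd[1300]: pam_unix(sshd:session): session opened for user jstreif by (uid=0)
"""

# Constructed baseline: where each user normally logs in from.
KNOWN_SOURCES = {"jstreif": {"198.51.100.4"}, "payroll": {"198.51.100.9"}}
LOG_YEAR = 2009   # assumption: syslog timestamps carry no year


def parse(line: str):
    """Return (timestamp, result, user, source) or None for lines we do not score."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]


def detect(log_text: str, threshold: int = 5, window_s: int = 60,
           business_hours=range(7, 19), known_sources=KNOWN_SOURCES) -> List[Tuple[str, str, str]]:
    """Return alerts as (kind, subject, detail) tuples in the order they fire."""
    alerts = []
    failures = defaultdict(deque)   # source -> timestamps of recent failures
    already_flagged = set()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, result, user, src = rec
        if result == "Failed":
            q = failures[src]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_s:   # slide the window
                q.popleft()
            if len(q) >= threshold and src not in already_flagged:
                already_flagged.add(src)
                span = int((ts - q[0]).total_seconds())
                alerts.append(("brute_force", src, f"{len(q)} failed logins in {span}s"))
        else:
            if failures[src]:
                alerts.append(("success_after_failures", user, src))
            if src not in known_sources.get(user, set()):
                alerts.append(("new_source", user, src))
            if ts.hour not in business_hours:
                alerts.append(("off_hours_login", user, ts.strftime("%H:%M")))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

The guessing burst is the outside attack; the off-hours and new-source rules are the "deviation from normal behavior" checks that catch misuse of a valid account from inside, which a firewall or password policy alone never sees. The success-after-failures rule is the one worth paging someone for: it means the guessing worked.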

CONCLUSION

This article has only briefly covered some of the threats to computer systems and the types of controls used to prevent and combat them. The scope of these threats changes constantly with the technological environment of today's businesses, which is why every business should have some kind of crisis management and disaster recovery plan in place.

Jeffrey Streif, CFE, CISA, CPA is a senior manager with UHY Advisors and a member of MSCPA's Information Technology Committee. He is an officer of the St. Louis Chapter of the Information Systems Audit and Control Association. His email address is jstreif@uhy-us.com.