Chapter 15
Computer Crime and Information
Technology Security
McGraw-Hill/Irwin
Copyright © 2010 by The McGraw-Hill Companies, Inc. All rights reserved.
Outline
• Objectives
• Carter’s taxonomy
• Risks and threats to information systems
• Computer criminals
• Prevention and detection techniques
• COBIT framework
Objectives
When you finish this chapter, you should be able
to:
– Explain Carter’s taxonomy of computer crime
– Identify and describe business risks and threats to
information systems
– Name and describe common types of computer
criminals
– Discuss ways to prevent and detect computer crime
– Explain COBIT’s information criteria and
accountability framework
– Explain how COBIT can be used to strengthen
internal controls against computer crime
Carter’s taxonomy
• Target: the computer system or its data is itself the target of the crime
• Instrumentality: the computer is the tool that furthers a criminal end
• Incidental: the computer is not required for the crime but is related to the criminal act (e.g. records of it are kept on one)
• Associated: new versions of traditional crimes made possible by the prevalence of computers
Risks and threats to
information systems
• Fraud: any illegal act for which knowledge of computer technology is used to commit the offense
• Service interruptions and delays: delay in processing information
• Intrusions: bypassing security controls or exploiting a lack of adequate controls
• Information manipulation: can occur at virtually any stage of information processing, from input to output
Risks and threats to
information systems
• Denial of service attacks: prevent computer systems and networks from functioning in accordance with their intended purpose
• Error: unintentional mistakes in input, processing or program logic; their impact can vary widely
• Disclosure of confidential information: can have major impacts on an organization's financial health
• Information theft: targets the organization's most precious asset, information
Risks and threats to
information systems
• Malicious software
Virus, Trojan horse, worms, logic bombs
• Web site defacements
Digital graffiti where intruders modify pages
• Extortion
Threat to either reveal information to the public
or to launch a prolonged denial of service if
demands are not met
Computer criminals
• Script kiddies: young, inexperienced hackers who use tools and scripts written by others for the purpose of attacking systems
• Hacker: someone who invades an information system for malicious purposes
• Cyber-criminals: hackers driven by financial gain
• Organized crime: spamming, phishing, extortion and all other profitable branches of computer crime
• Corporate spies: use computer intrusion techniques to gather information
Computer criminals
• Terrorists
Target the underlying computers and networks
of a nation’s critical infrastructure
• Insiders
May be the largest threat to a company’s
information systems and underlying computer
infrastructure
Prevention and detection
techniques
• CIA triad
– Confidentiality
– Data integrity
– Availability
• Internal controls
– Physical: locks, security guards, badges, alarms
– Technical: firewalls, intrusion detection, access controls, cryptography
– Administrative: security policy, training, reviews
COBIT framework
• Control Objectives for Information and
Related Technology
• Published by Information Systems Audit
and Control Association (www.isaca.org)
• Three points of view
– Business objectives
– IT resources
– IT processes
COBIT framework
• Four domains of knowledge
– Plan and organize
– Acquire and implement
– Deliver and support
– Monitor and evaluate
• Seven information criteria
– Effectiveness
– Efficiency
– Confidentiality
– Integrity
– Availability
– Compliance
– Reliability of information
COBIT framework
Accountability framework (Figure 15.3)
Computer Crime
• Computer crime is using the computer either
directly or indirectly in a criminal act.
• A good definition of computer crime is
important because it affects how the
statistics are accumulated.
• It is speculated that a relatively small
proportion of computer crime gets detected
and an even smaller proportion gets
reported.
Computer Crime & Abuse:
What’s the Difference?
• Computer crime involves the manipulation of a
computer or computer data, by whatever
method, to dishonestly obtain money, property
or some other advantage of a value or to cause
a loss.
• Computer abuse is the unauthorized use of, or
access to, a computer for purposes contrary to
the wishes of the owner of the computer.
Legislation
• Of the federal legislation governing the
use of computers, The Computer Fraud
and Abuse Act of 1986 is perhaps the
most important.
• This Act may not be powerful enough to
prosecute computer abuses of the 21st
century such as types of Internet and
telecommunications frauds.
Federal Legislation Affecting
the Use of Computers
• Fair Credit Reporting Act of 1970
• Freedom of Information Act of 1970
• Federal Privacy Act of 1974
• Small Business Computer Security and Education Act of 1984
• Computer Fraud and Abuse Act of 1986
• Computer Fraud and Abuse Act (1996 amendment)
• Computer Security Act of 1987
• USA Patriot Act of 2001
• Cyber Security Enhancement Act of 2002
• CAN-SPAM Act of 2003
Kinds of Computer Crime
• Use of or the conspiracy to use computer resources to
commit a felony
• Unauthorized theft, use, access modification, copying, or
destruction of software or data
• Theft of money by altering computer records or the theft
of computer time
• Theft, vandalism or destruction of computer hardware
• Intent to illegally obtain information or tangible property
through the use of computers
• Trafficking in passwords or other login information for
accessing a computer
• Extortion that uses a computer system as a target
Computer Fraud
• Computer fraud is any illegal act for which
knowledge of computer technology is
essential for its perpetration, investigation,
or prosecution.
• Economic espionage, the theft of
information and intellectual property, is
one type of computer fraud.
The Lack of
Computer-Crime Statistics
• Good statistics on computer crime are mostly unavailable.
• Three reasons why statistics are unavailable are:
(1) private companies handle abuse internally;
(2) surveys of computer abuse are often ambiguous;
(3) most computer abuse is probably not discovered.
The Growth of
Computer Crime
• Computer crime is growing because of
– Exponential growth in computer resources
– Internet pages give step-by-step
instructions on how to perpetrate computer
crime
– Spending on computer controls has
grown at a slow rate
Three Representative
Computer Crimes Cases
• Compromising Valuable Information: The
TRW Credit Data Case
• Computer Hacking: The Kevin D. Mitnick
Case
• Denial of service: The 2003 Internet Crash
– Through computer viruses
– Through computer worms
The TRW Credit Data Case
• This valuable information computer crime is
well known.
• The valuable information was computerized
credit data.
• Two key issues:
– the propriety of the input information
– the protection afforded both consumer and user in
the accuracy and use of credit information
The Kevin D. Mitnick Case
• Hackers are people who break into the computer files of others for fun or personal gain.
• Shoulder surfing is watching someone enter a calling-card number or password, for example at a public phone, and stealing it.
• Password controls can limit computer access to bona fide users.
• Social engineering is posing as a bona fide employee (or other trusted party) to talk people into giving up access or information.
• Lock-out systems disconnect telephone users after a set number of unsuccessful login attempts.
• Dial-back systems hang up on every caller who logs in and then call back only the number registered for that user code, so a stolen password alone is not enough to connect from an unknown line.
Robert T. Morris and the
Internet Virus
• Created the 1988 Internet worm (the “Morris worm”), one of the world’s most famous self-replicating programs; these slides call it a virus, though it spread on its own without attaching to a host file.
• Became the first person to be indicted (and convicted) under the Computer Fraud and Abuse Act of 1986.
• This case illustrates the vulnerability of networks to self-replicating malware.
Computer Viruses
• A computer virus is a program that disrupts normal data processing and that can usually replicate itself onto other files, computer systems or networks.
• Boot-sector viruses hide in the boot sectors of a disk, so they are loaded and run when the machine starts, before the operating system is fully in control.
• Worms are self-contained programs that copy themselves across a network without needing a host file; unchecked replication can exhaust memory, disk space or network capacity.
Robert T. Morris and the
Internet Virus Case
• Trojan Horse programs reside in legitimate
copies of computer programs.
• Logic Bomb programs remain dormant until
the computer system encounters a specific
condition.
• A virus may be stored in an
applet, which is a small program
stored on a WWW server.
Methods for Thwarting Computer
Viruses: Anti-Virus Software
• Anti-virus software includes computer
programs that can:
– scan computer disks for virus-like coding;
– identify active viruses already lodged in computer
systems;
– cleanse computer systems
already infected;
– perform a combination of
these activities.
Drawbacks of Anti-Virus
Software Programs
• Anti-virus programs provide less-than-complete protection because
– new, more powerful viruses are always being written that can avoid known detection schemes (signature scanning only catches what has already been seen and catalogued);
– the anti-virus program itself can be infected or tampered with, so it must come from a trusted source and be kept up to date.
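The scanning step described two slides back, and the first drawback above, are easiest to see in code: a scanner matches files against a database of known signatures, and a variant that changes even one byte (or re-spells its marker) slips past an exact match. The block below is an added example, not the slides’ material or any real product; every file body, signature and hash in it is constructed and none is real malware.

```python
"""Added example (not from the original slides): a minimal signature-based
scanner of the kind anti-virus software uses, with two detection methods
(exact file hash and byte pattern), and constructed "variants" that show
why unknown or modified malware evades known signatures. All file contents,
names and signatures below are constructed; nothing here is real malware."""
import hashlib
import re

# Constructed "known trojan" body whose whole-file hash is catalogued.
DEMO_TROJAN_B = b"MZ\x90\x00 legit-looking installer ... OPEN_BACKDOOR(4444)"

# Constructed signature database: (name, method, signature).
SIGNATURES = [
    ("Demo.Worm.A", "pattern", re.compile(rb"SPREAD_TO_[A-Z]+;")),
    ("Demo.Trojan.B", "sha256", hashlib.sha256(DEMO_TROJAN_B).hexdigest()),
]


def scan_bytes(data: bytes) -> list:
    """Return the names of every signature that matches this file's bytes."""
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    for name, method, sig in SIGNATURES:
        if method == "sha256" and sig == digest:
            hits.append(name)
        elif method == "pattern" and sig.search(data):
            hits.append(name)
    return hits


def scan_disk(files: dict) -> dict:
    """Scan a path -> bytes mapping (a stand-in for walking a disk)."""
    return {path: scan_bytes(data) for path, data in files.items()}


def quarantine(results: dict) -> list:
    """Paths the scanner would isolate before any cleansing step."""
    return sorted(path for path, hits in results.items() if hits)


def demo():
    """Constructed 'disk' with clean files, known samples, and evasive variants."""
    files = {
        "/tmp/report.txt": b"Quarterly figures, nothing to see here.",
        "/tmp/worm.exe": b"MZ\x90\x00 ... SPREAD_TO_LAN; SPREAD_TO_USB;",
        "/tmp/installer.exe": DEMO_TROJAN_B,
        # Variant 1: one byte changed, so the catalogued hash no longer matches.
        "/tmp/installer_v2.exe": DEMO_TROJAN_B.replace(b"4444", b"4445"),
        # Variant 2: the worm's marker re-spelled, defeating the byte pattern.
        "/tmp/worm_v2.exe": b"MZ\x90\x00 ... SPReAD_TO_LAN;",
    }
    return scan_disk(files)


if __name__ == "__main__":
    results = demo()
    for path, hits in results.items():
        print(f"{path:24} {hits or 'clean'}")
    print("quarantine:", quarantine(results))
```

Both variants scan as clean even though they behave exactly like the catalogued samples, which is why signature databases need constant updates and why behaviour-based detection and the procedural controls on the next slide are needed alongside scanning.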
Anti-Virus
Procedural Controls
• Buy shrink-wrapped software from
reputable sources
• Avoid illegal software copying
• Do not download suspicious Internet
files
• Delete email messages from unknown
sources before opening them
• Maintain complete backup files
Organizational Safeguards
Against Computer Viruses
• Educate employees about viruses.
• Encourage employees to follow virus prevention and
detection techniques.
• Establish policies that discourage the free exchange
of computer disks or externally acquired computer
programs.
• Use computer passwords to thwart unauthorized
users from accessing the company’s operating
systems and files.
• Use anti-virus filters on LANs and WANs.
• Have an approved and tested disaster recovery plan.
Methods for
Thwarting Computer Abuse
• Enlist top management support
• Increase employee awareness and education
• Conduct Security Inventory and protect
passwords
• Implement controls
• Identify computer criminals
– Look at technical backgrounds,
morals, and gender and age
Methods for
Thwarting Computer Abuse
• Recognize the symptoms of employee
fraud
– Accounting irregularities such as forged,
altered or destroyed input documents
– Internal control weaknesses
– Behavioral or lifestyle changes in an
employee
– Unreasonable anomalies that go
unchallenged
• Employ forensic
accountants
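Two of the symptoms above, altered or duplicated input documents and anomalies that go unchallenged, can be checked mechanically over a payments ledger before a forensic accountant is called in. The block below is an added example, not from the slides; the payment records, the approval threshold and the 10% band are all constructed assumptions.

```python
"""Added example (not from the original slides): two fraud-symptom checks run
over a constructed payments ledger -- payments split to stay just under an
approval limit, and duplicate payments to the same vendor. The ledger,
APPROVAL_THRESHOLD and the band/window parameters are all assumptions."""
from collections import defaultdict
from datetime import date

APPROVAL_THRESHOLD = 5000.00  # assumed single-signature approval limit

# Constructed ledger: (payment id, date, requester, vendor, amount)
PAYMENTS = [
    ("P1", date(2010, 5, 3), "jdoe", "Acme Supply", 4900.00),
    ("P2", date(2010, 5, 3), "jdoe", "Acme Supply", 4950.00),
    ("P3", date(2010, 5, 3), "jdoe", "Acme Supply", 4800.00),
    ("P4", date(2010, 5, 4), "asmith", "Office Depot", 230.50),
    ("P5", date(2010, 5, 6), "asmith", "Office Depot", 230.50),  # repeat of P4
    ("P6", date(2010, 5, 10), "bkhan", "Globex", 12000.00),      # over limit, approved
]


def find_split_payments(payments, threshold=APPROVAL_THRESHOLD,
                        band=0.10, min_count=2):
    """Flag same-day runs by one requester to one vendor where each payment
    sits just under the approval limit but the run as a whole exceeds it."""
    groups = defaultdict(list)
    for pid, d, requester, vendor, amount in payments:
        if threshold * (1 - band) <= amount < threshold:
            groups[(d, requester, vendor)].append((pid, amount))
    return {
        key: [pid for pid, _ in run]
        for key, run in groups.items()
        if len(run) >= min_count and sum(a for _, a in run) >= threshold
    }


def find_duplicates(payments, window_days=30):
    """Flag a second payment of the same amount to the same vendor within the
    window; returns (earlier id, later id) pairs."""
    seen = defaultdict(list)
    dups = []
    for pid, d, _requester, vendor, amount in sorted(payments, key=lambda p: p[1]):
        for prev_id, prev_date in seen[(vendor, amount)]:
            if 0 <= (d - prev_date).days <= window_days:
                dups.append((prev_id, pid))
        seen[(vendor, amount)].append((pid, d))
    return dups


if __name__ == "__main__":
    for key, ids in find_split_payments(PAYMENTS).items():
        print("possible split payments:", key, ids)
    for pair in find_duplicates(PAYMENTS):
        print("possible duplicate payment:", pair)
```

Each hit is a symptom to be challenged, not proof of fraud; the point of the check is that the anomaly does not go unnoticed.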
Computers and Ethical
Behavior
• Ethics is a set of moral principles or
values.
• Ethical behavior involves making choices
and judgments that are morally proper and
then acting accordingly.
• Ethics can govern an organization as well as individuals.
Ethical Issues
• Honesty
• Protecting computer systems
• Protecting confidential information
• Social responsibility
• Rights of privacy
• Acceptable use of computer hardware and software
How Organizations
Encourage Ethical Behavior
• Inform employees that ethics are important.
• Formally expose employees to relevant cases that
teach how to act in specific situations.
• Teach by example, that is, by managers acting
responsibly.
• Use job promotions and other benefits to reward
those employees who act responsibly.
• Encourage employees to join professional
organizations with codes of conduct such as
Codes of Conduct and Good Practice for Certified
Computer Professional.
Computers and Privacy Issues
• Company policies with respect to privacy
– Privacy policy
– Disposal of computers
• Online privacy seals
Recent malware threats (name, spreading rate, damage rating, date discovered)

Name                           Spreading  Damage    Discovered
Exploit.CplLnk.Gen             MEDIUM     LOW       2010 Jul 19
Worm.P2P.Palevo.FP             HIGH       MEDIUM    2010 Jul 09
Win32.Worm.Autorun.UB          LOW        LOW       2010 Jul 01
Trojan.Spy.ZBot.EPU            VERY LOW   VERY LOW  2010 Jun 30
Trojan.PWS.OnlineGames.KDLC    LOW        MEDIUM    2010 Jun 21
Backdoor.MSIL.Bot.A            VERY LOW   LOW       2010 Jun 14
Backdoor.Bifrose.AAJX          VERY LOW   MEDIUM    2010 Jun 14
Trojan.Renos.PGZ               MEDIUM     LOW       2010 Jun 01
Trojan.PWS.OnlineGames.KDKC    LOW        LOW       2010 May 30
Trojan.Renos.PHM               VERY LOW   MEDIUM    2010 May 29
Trojan.PWS.KATES.AG            VERY LOW   HIGH      2010 May 29
Trojan.Banker.Delf.ZRD         LOW        LOW       2010 May 25
Trojan.Dropper.Oficla.P        MEDIUM     MEDIUM    2010 May 19