Chapter 15 Computer Crime and Information Technology Security McGraw-Hill/Irwin Copyright © 2010 by The McGraw-Hill Companies, Inc. All rights reserved. Outline • • • • • • Objectives Carter’s taxonomy Risks and threats to information systems Computer criminals Prevention and detection techniques COBIT framework 15-2 Objectives When you finish this chapter, you should be able to: – Explain Carter’s taxonomy of computer crime – Identify and describe business risks and threats to information systems – Name and describe common types of computer criminals – Discuss ways to prevent and detect computer crime – Explain COBIT’s information criteria and accountability framework – Explain how COBIT can be used to strengthen internal controls against computer crime 15-3 Carter’s taxonomy • Target: targets the system or its data • Instrumentality: computer furthers a criminal end • Incidental: computer is not required for the crime but is related to the criminal act • Associated: new versions of traditional crimes 15-4 Risks and threats to information systems • Fraud Any illegal act for which knowledge of computer technology is used to commit the offense • Service interruptions and delays Delay in processing information • Intrusions Bypassing security controls or exploiting a lack of adequate controls • Information manipulation Can occur at virtually any stage of information processing from input to output 15-5 Risks and threats to information systems • Denial of service attacks Prevent computer systems and networks from functioning in accordance with their intended purpose • Error Can vary widely • Disclosure of confidential information Can have major impacts on an organization's financial health • Information theft Targets the organization's most precious asset: information 15-6 Risks and threats to information systems • Malicious software Virus, Trojan horse, worms, logic bombs • Web site defacements Digital graffiti where intruders modify pages • Extortion Threat to either reveal information to the public or to launch a prolonged denial of service if demands are not met 15-7 Computer criminals • Script kiddies Young inexperienced hacker who uses tools and scripts written by others for the purpose of attacking systems • Hacker Someone who invades an information system for malicious purposes • Cyber-criminals Hackers driven by financial gain • Organized crime Spamming, phishing, extortion and all other profitable branches of computer crime • Corporate spies Computer intrusion techniques to gather information 15-8 Computer criminals • Terrorists Target the underlying computers and networks of a nation’s critical infrastructure • Insiders May be the largest threat to a company’s information systems and underlying computer infrastructure 15-9 Prevention and detection techniques • CIA triad – Confidentiality – Data integrity – Availability • Internal controls – Physical: locks, security guards, badges, alarms – Technical: firewalls, intrusion detection, access controls, cryptography – Administrative: security policy, training, reviews 15-10 COBIT framework • Control Objectives for Information and Related Technology • Published by Information Systems Audit and Control Association (www.isaca.org) • Three points of view – Business objectives – IT resources – IT processes 15-11 COBIT framework • Four domains of knowledge – Plan and organize – Acquire and implement – Deliver and support – Monitor and evaluate • Seven information criteria – Effectiveness – Efficiency – Confidentiality – Integrity – Availability – Compliance – Reliability of information 15-12 COBIT framework Accountability framework (Figure 15.3) 15-13 Computer Crime • Computer crime is using the computer either directly or indirectly in a criminal act. • A good definition of computer crime is important because it affects how the statistics are accumulated. • It is speculated that a relatively small proportion of computer crime gets detected and an even smaller proportion gets reported. Computer Crime & Abuse: What’s the Difference? • Computer crime involves the manipulation of a computer or computer data, by whatever method, to dishonestly obtain money, property or some other advantage of a value or to cause a loss. • Computer abuse is the unauthorized use of, or access to, a computer for purposes contrary to the wishes of the owner of the computer. Legislation • Of the federal legislation governing the use of computers, The Computer Fraud and Abuse Act of 1986 is perhaps the most important. • This Act may not be powerful enough to prosecute computer abuses of the 21st century such as types of Internet and telecommunications frauds. Federal Legislation Affecting the Use of Computers • • • • • • • • • • Fair Credit Reporting Act of 1970 Freedom of Information Act of 1970 Federal Privacy Act of 1974 Small Business Computer Security and Education Act of 1984 Computer Fraud and Abuse Act of 1986 Computer Fraud and Abuse Act (1996 amendment) Computer Security Act of 1987 USA Patriot Act of 2001 Cyber Security Enhancement Act of 2002 CAN-SPAM Act of 2003 Kinds of Computer Crime • Use of or the conspiracy to use computer resources to commit a felony • Unauthorized theft, use, access modification, copying, or destruction of software or data • Theft of money by altering computer records or the theft of computer time • Theft, vandalism or destruction of computer hardware • Intent to illegally obtain information or tangible property through the use of computers • Trafficking in passwords or other login information for accessing a computer • Extortion that uses a computer system as a target Computer Fraud • Computer fraud is any illegal act for which knowledge of computer technology is essential for its perpetration, investigation, or prosecution. • Economic espionage, the theft of information and intellectual property, is one type of computer fraud. The Lack of Computer-Crime Statistics • Good statistics on computer crime are mostly unavailable. • Three reasons why statistics are unavailable are : (1) private companies handle abuse internally (2) surveys of computer abuse are often ambiguous (3) most computer abuse is probably not discovered. The Growth of Computer Crime • Computer crime is growing because of – Exponential growth in computer resources – Internet pages give step-by-step instructions on how to perpetrate computer crime – Spending on computer controls has grown at a slow rate Three Representative Computer Crimes Cases • Compromising Valuable Information: The TRW Credit Data Case • Computer Hacking: The Kevin D. Mitnick Case • Denial of service: The 2003 Internet Crash – Through computer viruses – Through computer worms The TRW Credit Data Case • This valuable information computer crime is well known. • The valuable information was computerized credit data. • Two key issues: – the propriety of the input information – the protection afforded both consumer and user in the accuracy and use of credit information The Kevin D. Mitnick Case • Hackers are people who break into the computer files of others for fun or personal gain. • Shoulder surfing is stealing calling credit numbers at public phones. • Password controls can limit computer access to bona fide users. • Social engineering is posing as bona fide employees. • Lock-out systems disconnect telephone users after a set number of unsuccessful login attempts. • Dial-back systems first disconnect all login users, but reconnect legitimate users after checking their passwords against lists of bona fide user codes. Robert T. Morris and the Internet Virus • Created one of the world’s most famous compute viruses. • Became first person to be indicted under the Computer Fraud and Abuse Act of 1986. • This case illustrates vulnerability of networks to virus infections. Computer Viruses • A computer virus is a program that disrupts normal data processing and that can usually replicate itself onto other files, computer systems or networks. • Boot-sector viruses hide in the boot sectors of a disk, where the operating system accesses them. • Worm viruses replicate themselves until the user runs out of memory or disk space. Robert T. Morris and the Internet Virus Case • Trojan Horse programs reside in legitimate copies of computer programs. • Logic Bomb programs remain dormant until the computer system encounters a specific condition. • A virus may be stored in an applet, which is a small program stored on a WWW server. Methods for Thwarting Computer Viruses: Anti-Virus Software • Anti-virus software includes computer programs that can: – scan computer disks for virus-like coding; – identify active viruses already lodged in computer systems; – cleanse computer systems already infected; – perform a combination of these activities. Drawbacks of Anti-Virus Software Programs • Anti-virus programs provide less-thancomplete protection because – new, more powerful viruses are always being written that can avoid known detection schemes. – anti-virus programs can contain virus routines. Anti-Virus Procedural Controls • Buy shrink-wrapped software from reputable sources • Avoid illegal software copying • Do not download suspicious Internet files • Delete email messages from unknown sources before opening them • Maintain complete backup files Organizational Safeguards Against Computer Viruses • Educate employees about viruses. • Encourage employees to follow virus prevention and detection techniques. • Establish policies that discourage the free exchange of computer disks or externally acquired computer programs. • Use computer passwords to thwart unauthorized users from accessing the company’s operating systems and files. • Use anti-virus filters on LANs and WANs. • Have an approved and tested disaster recovery plan. Methods for Thwarting Computer Abuse • Enlist top management support • Increase employee awareness and education • Conduct Security Inventory and protect passwords • Implement controls • Identify computer criminals – Look at technical backgrounds, morals, and gender and age Methods for Thwarting Computer Abuse • Recognize the symptoms of employee fraud – Accounting irregularities such as forged, altered or destroyed input documents – Internal control weaknesses – Behavioral or lifestyle changes in an employee – Unreasonable anomalies that go unchallenged • Employ forensic accountants Computers and Ethical Behavior • Ethics is a set of moral principles or values. • Ethical behavior involves making choices and judgments that are morally proper and then acting accordingly. • Ethics can govern and organization as well as individuals. Ethical Issues • • • • • • Honesty Protecting Computer Systems Protecting Confidential Information Social Responsibility Rights of Privacy Acceptable Use of Computer Hardware and Software. How Organizations Encourage Ethical Behavior • Inform employees that ethics are important. • Formally expose employees to relevant cases that teach how to act in specific situations. • Teach by example, that is, by managers acting responsibly. • Use job promotions and other benefits to reward those employees who act responsibly. • Encourage employees to join professional organizations with codes of conduct such as Codes of Conduct and Good Practice for Certified Computer Professional. Computers and Privacy Issues • Company policies with respect to privacy – Privacy policy – Disposal of computers • Online privacy seals NAME / SPREADING/ DAMAGE/ DISCOVERED Exploit.CplLnk.Gen MEDIUM LOW 2010 Jul 19 Worm.P2P.Palevo.FP HIGH MEDIUM 2010 Jul 09 Win32.Worm.Autorun.UB LOW LOW 2010 Jul 01 Trojan.Spy.ZBot.EPU VERY LOW VERY LOW 2010 Jun 30 Trojan.PWS.OnlineGames.KDLC LOW MEDIUM 2010 Jun 21 Backdoor.MSIL.Bot.A VERY LOW LOW 2010 Jun 14 Backdoor.Bifrose.AAJX VERY LOW MEDIUM 2010 Jun 14 Trojan.Renos.PGZ MEDIUM LOW 2010 Jun 01 Trojan.PWS.OnlineGames.KDKC LOW LOW 2010 May 30 Trojan.Renos.PHM VERY LOW MEDIUM 2010 May 29 Trojan.PWS.KATES.AG VERY LOW HIGH 2010 May 29 Trojan.Banker.Delf.ZRD LOW LOW 2010 May 25 Trojan.Dropper.Oficla.P MEDIUM MEDIUM 2010 May 19 15-39