Network Information Access
Founded By: Guardian Of Time, Judge Dredd
Date: 12APR90
File 17
Guardian Of Time

COMPUTER CRIME: COMPUTER SECURITY TECHNIQUES
Section I -- Introduction

Foreword: There will be at least ten files on the subject of Computer Crime. I have tried to get people to show us just what we can; the ideas that are being taught to managers are simple, and crude. You have seen in the first few files of NIA just HOW SIMPLE the techniques are. Well, here in this section will be a Governmental view of Computer Crime.

Guardian Of Time

$_SECTION I -- INTRODUCTION

The "Dawn of the Age of Aquarius" has also ushered in the "Age of the Computer." It is no secret that computers have become indispensable to almost every form of modern business and government. The rapid expansion of computer use has created an electronic marketplace where goods and intellectual products are transferred and paid for entirely by electronic means. Computers have also created a new method of storage and representation of assets through electronic data processing systems that record everything from bank balances to shares of securities. The use of computers has even advanced to the stage where electronic signatures can be given unique characteristics making them more easily identifiable and reliable than human handwriting in many respects.

The new form of assets consists of pulses of electricity, states of electronic circuits, and patterns of magnetic areas on tape and disks.
The pulses can be converted to the form of checks by a computer printer or to monetary currency by computer-printed reports that authorize cashiers to transfer cash from boxes to people or to other boxes. The pulses can also be converted to printed reports or mechanical functions that cause actions either manually or automatically involving goods and services. These negotiable assets, as well as personal information, now are stored as data in computers, saved on magnetic tape and disks, and sent through wires and microwave carriers in electronic, electromagnetic wave, and magnetic forms.

The creation of these new forms of assets, however, has been accompanied by an increase in the potential for misuse of computers and computer data. Some of the people who create and work with computer products have the capability to alter or delete assets stored in computers or to create totally new assets. The security of these assets, as well as other data stored in computers, is vital. In this document, computer security encompasses the integrity, preservation, authorized use, and confidentiality of data starting with its generation, through its entry into computers, automatic and manual processing, output, storage, and finally its use.

One of the primary motives for computer security is protection from intentionally caused loss. Computer crime is highly publicized and its nature frequently distorted in the news media. Although there are no valid representative statistics on frequency or loss, enough loss experience has been documented (more than 1000 reported cases since 1958) and even more conjectured to make it clear that computer crime is a growing and serious problem. Broadly defined, known experience indicates a high incidence of false data entry during manual data handling before computer entry. Most losses of this kind are small, but several large losses of $10 to $20 million have occurred.
Unauthorized use of computer services has also proliferated, especially with increasing use of dial-up telephone access to computers. A few sophisticated programmed frauds inside computer systems or using them as tools for frauds have been found where detection was mostly accidental. Reported computer crime is committed mostly by people in positions of trust with special skills, knowledge and access. The results of known experience indicate the need for a wide range of basic controls that reduce the likelihood of violation of trust by these people. Many of these controls are represented in this report.

$_RELIANCE ON COMPUTERS REQUIRES COMPUTER SECURITY

Although computer security has always been needed, even before computers, interest in it became widespread only after computers came into use, especially for processing financial and personal data. Computers facilitate the great concentration of data for powerful means of processing, and for the first time since the days of manual data processing, computers provide an opportunity to apply computer security in effective, uniform, and low-cost ways. At the same time, computer use increases the dangers of large losses from the concentration of intangible assets in electronic forms and changes the nature of exposures to losses with assets in these new forms.

Use of computers changes the patterns and degree of trust put in people who work with data. New occupations staffed by fewer, technology-oriented people, each with greater capacity to do good or harm using computers as tools, have emerged. There is now one computer terminal for every three white-collar workers. Computers remove processing and storing of data in their electronic form from direct human observation.
Thus, computer programs that direct the processing of data whose integrity and correctness must be assured are necessary tools to see the results of data processing and check the correctness of data stored in computer media. The procedures by which data are processed and stored are created by programmers at a different time and place than when the actual processing occurs. Processing takes place so rapidly as to be incomprehensible to humans until it is complete, and intervention is impossible except in preprogrammed ways that were developed without the possibility of foreseeing all future conditions and needs.

Organizations that use or provide computer services for governmental and business purposes have a responsibility to the users, data subjects, managers and employees, as well as society, to assure computer security in legal, economic, and ethical terms to avoid loss to themselves and others. Thus, contractual commitments that specify trade secret protection of commercial computer program and data file products require that users of the products apply safeguards. Top management, of course, wants to continue the success of their organizations and avoid data-related losses. Data processing employees abide by the computer security policies and procedures to please management and receive advancements in their jobs. Society demands responsible treatment of data; the US government, for example, has attempted to obtain voluntary adherence by business to the Organization for Economic Cooperation and Development Guidelines on Protection of Privacy and Transborder Flows of Personal Data. In addition, professional societies and trade associations apply peer pressure to meet ethical standards. Data-related losses from errors, omissions, bad judgment, intentional acts, and natural events motivate the victims to avoid further loss. Some controls on loss result in more efficient data handling, reduced insurance premiums, and lower costs.
Compliance with laws and regulations such as the Privacy Act of 1974, the Foreign Corrupt Practices Act, criminal statutes, and the US Office of Management and Budget Circular A-71 on Computer Security is required for an orderly society. All of these factors and more must be taken into account in planning and establishing computer security. Dangers lurk not where losses have been anticipated and good controls exist but where vulnerabilities have NOT been anticipated and controls are lacking. Systematic methods are needed to assure completeness of safeguarding with the limited resources that can reasonably be devoted to protection in the complex and changed environments of data processing brought about by the use of computers.

$_COMMITMENT TO COMPUTER SECURITY

Management is eager to allocate resources that directly increase the productivity of their organizations. Security seldom adds directly to productivity; it only assures protection from loss of productivity and avoids violation of rights, laws and regulations. Therefore, security might have occurred. If security is effective, it usually goes unnoticed because loss is averted. Otherwise, security is sometimes seen as costing money without visible, direct contributions to performance. This makes security expenditures particularly important to justify and understand. Fortunately, enlightened management will react rationally to assure security in their organizations when given reasonable options and adequate justification for doing so. Employees will support and carry out security when they understand its purpose, receive clear directives, understand that it is part of their job performance, and are judged on their adherence to secure practices. Therefore, recommendations for cost-effective controls must be properly justified and generally accepted.

Methods for conducting security reviews based on risk assessment to determine vulnerabilities and identify needed controls have been developed and used to some extent.
However, many controls are still selected on a piecemeal basis when individual needs become evident, without comprehensive review of all needs. This leads to an inconsistent security buildup that leaves serious vulnerabilities and gaps. Security must be measured by the weakest links; losses occur where adequate controls are lacking. Therefore, methods of review must be developed that are comprehensive as well as sufficiently practical and low in cost to attract their use.

Data processing and computer security have advanced rapidly to the point where organizations today do not take action in isolation from what other organizations are doing. Many organizations have adopted the solutions to common vulnerability problems developed by others. Applying generally used security practices and controls is attractive where the problems and needs are similar among many organizations.

$_CONTRIBUTION OF THIS REPORT TO COMPUTER SECURITY

The study results reported in this document are meant to add materially to new concepts in computer security. The computer security practices and controls presented here are those used or endorsed by seven organizations that are particularly advanced in their computer security. In addition, the organizations were chosen from among those heavily involved in manipulating personal data to emphasize the application of security to issues of privacy. Thus, several of the organizations are processors of criminal justice data and one is a processor of life and medical insurance. The seven participating field site organizations are:

(1) A state law enforcement data center
(2) A county EDP services department
(3) A city data services bureau
(4) A research institute specializing in criminal justice research
(5) A life and casualty insurance company
(6) A center for political studies, which does extensive research on sensitive topics linked to individuals
(7) A state information services department.
A project team of experienced computer security consultants examined the seven field site organizations to determine the best controls and practices in use, as well as the methods of review and selection of controls and practices that organizations use. This document describes the 82 controls and practices that were judged as generally acceptable for good computer security by computer security administrators from all seven organizations along with two independent security consultants.

In Section II of this report, the background and maturation of computer security methods, particularly as a basis for new approaches to evaluating and selecting controls, are described. Common, selective, and special vulnerabilities are identified. Section III describes presently used security review methods and the legal concepts of standards of due care and protecting proprietary interests in computer programs, which contribute to computer security practices and the law. Section IV, along with more detailed descriptions in Appendix B, presents a new, baseline concept that can be used along with other methods for selecting controls and security practices. The principles and benefits of baseline controls are stated and future baseline development is considered. Section V explains the method of investigation, the format used to describe the controls found in the study, and the five indices of the 82 controls that are described in the last section. The five indices are identified by topic, objective, area of responsibility, mode, and environment to facilitate location of specific controls. An overview summarizing the controls by topic completes Section V.

In Section VI, the controls are presented in ways quite different from those found in other security literature. A title, control objective, and general description based on actual usage experience are presented. The control variants are identified. Strengths and weaknesses found in usage are stated.
These items are followed by advice on how to audit the controls, and five more characteristics are briefly identified to complete the description. Appendix A presents three case studies of actual selection and approval of controls and a step-by-step method of how a baseline review could be conducted.

$_EOF [OTHER WORLD BBS]