CIS 4398 INDEPENDENT STUDY
RESEARCH PAPER
Summer 10 Week
Dr. Udo and Dr. Kirs
Overview
Global information and communication networks are now an integral part of the way in which modern governments, businesses, education and economies operate (Hamin 2000). As Frederick B. Cohen observes in his book "Protection and Security on the Information Superhighway", businesses rely on a great deal of information technology to handle their work: telephones, computer terminals, electronic and voice mail, fax machines, and the Internet (Cohen 1995). Information technology has produced substantial benefits for all of us. However, the increasing dependence of many organizations on these new information and communication technologies is not without its price; they have become more exposed and vulnerable to an expanding array of computer security risks and, inevitably, to various kinds of computer misuse (Hamin 2000). The computers that make up this technology often have little or no protection, and interconnected computers are generally wide open to accidental or malicious disruption. These computers also hold a vast amount of important and confidential information that must not be disclosed to anyone, so companies must protect their businesses from intruders.
Fraud hits all industries and companies of all sizes (Genn 2001). For these and many other reasons, organizations should be alert to anything that can happen within them, 24 hours a day. Organizations have to protect their businesses from many people who can cause them losses running into millions: for example, vendors and business associates seeking leverage, hackers or crackers seeking a thrill, cyber-pirates seeking profit and information, employees seeking knowledge and power, ex-employees seeking revenge, or competitors seeking to destroy them (Klein). Discussion of computer misuse has, in the main, tended to concentrate on the increasing threats from outside the organization, while largely ignoring the threats posed to the organization by the insider (Hamin 2000). Although in the past much concern has been devoted to penetrations and other misuse by outsiders, insider threats have long represented serious problems in government and private computer-communication systems. Until recently, however, the risks have gone largely ignored by system developers, application purveyors, and indeed governments (Neumann 1999).
There is a "Computer Crime and Security Survey" conducted yearly by the Computer Security Institute (CSI) with the participation of the San Francisco Federal Bureau of Investigation's (FBI) Computer Intrusion Squad (Power 2002). The survey is based on responses from 503 computer security practitioners in
Disruption is commonly caused by insiders, and it is very difficult to differentiate between accidental and intentional disruption in this context (Cohen 1995). Incidents range from virus outbreaks and browsing inappropriate pages on company computers to committing fraud or cracking corporate computer systems from the inside (Ward 2002). There should be various technical, procedural, and normative controls to prevent illegal and malicious acts from taking place. Ultimately, a good balance between these kinds of controls would help institute a cost-effective means of making both accidental and intentional misconduct difficult (Dhillon 2001).
There are two classes of computer criminals in any business: outsiders and insiders (Hollinger 1997). An insider is someone who has been granted privileges authorizing use of a particular system or facility (Neumann 1999). However, the term "insider" might encompass a broader category of persons: those with legitimate access to the computer systems who use those systems for wrongful purposes, or who exceed their legitimate level or degree of authority within the systems. They include not only employees (current, former or temporary) of the computer owner but also persons with authorized access to another system to which that system is connected, and persons providing software (e.g. suppliers) and maintenance services (e.g. consultants or independent contractors) to the systems (Hamin 2000).
Despite the increase in the threat to computer systems from external hackers, particularly via the Internet, insiders remain the other likely source of threat, which suggests a general trend of increasing harm both from outside an organization and from within (Hamin 2000). Insiders typically exceed their authorized access while committing a computer-related crime, whereas outsiders obtain purely unauthorized access. The insider/outsider distinction is relevant because the person's method of entry and type of misuse will often determine whether the law comes into play (Hollinger 1997).
Usually, companies put more attention and effort into developing security controls for external threats, theft, and attacks, while on the inside little or nothing has been implemented. They protect themselves heavily against outsiders while forgetting the insiders almost completely. One reason is that they trust their employees more than anyone from the outside. Companies might say that outsiders are the ones who want to destroy their records or steal valuable information. But consider: insiders already have the information in hand, and we do not know who might betray the organization. Insiders are in an advantageous position, as they may be familiar with the operation of the employer's computer systems, making it easier for them to misuse those systems, or they may uncover flaws in the computer systems or gaps in the controls that monitor their activities (Hamin 2000).
They are the employees who, either out of carelessness or malice, leave digital assets open to exploitation (Chen 2002). Employees are the ones who can give outsiders access to this information, or take it for their own use or advantage. The most costly sources of insider attack seem to be executives, people who use application programs, programmers, and other employees (Cohen 1995). Fred Avolio, in his article "When Access Control Goes Bad", breaks the problem down into three areas. First, while we may have fairly good external controls, our internal data access controls are usually poor to nonexistent; too often we rely on physical access control only. Second, while our external network gateways and systems (web servers, mail gateways, and firewalls) are usually closely watched, inside machines often are not. Finally, we may run intrusion detection on our service networks (DMZs) looking for suspicious activity, but may not be as thorough on the inside (Avolio 2001).
One particular kind of insider can be called a "proprietor". According to Eric D. Shaw, a proprietor is "a person who has grown so attached to his information technology system that he feels like he personally owns it and would do anything to defend his control over it" (Shaw 2001). This type of employee can cause harm to the entire company, and we must know how to identify them. There are several characteristics and signs by which to identify a proprietor (see Table 1).
Employees and Computer Crimes
There are four broad categories of computer crime that insiders can commit: sabotage, theft of services, property crimes, and financial crimes (Ermann 1990). Sabotage is usually, though not exclusively, directed against the computer hardware and software and causes extensive damage; for example, a fired employee can walk through a data storage area with an electromagnet, erasing valuable company records. Theft of services occurs when employees gain unauthorized access to a system, for instance a time-sharing system that does not require regular changing of access codes. Property crimes involve theft of the computer equipment itself (Ermann 1990). Financial crimes are considered among the most serious in terms of monetary loss. A common method involves checks: an employee familiar with a firm's operations can cause multiple checks to be made out to the same person, or can juggle confidential information within a computer, both personal and corporate, in order to alter it (Ermann 1990). Other examples are stolen merchandise being debited from computerized inventory records, payments authorized to fictitious vendors, and salary checks mailed to nonexistent employees (Harper 1998). Other cyber crimes include data "diddling" (false data entry), virus attacks, and what Trembly calls password "sniffing", which he describes as automated guessing of phone numbers, user IDs and passwords (Trembly 1999). In current usage, sniffing means capturing credentials as they cross the network, while automated guessing is a brute-force or war-dialing attack; the two call for different controls (encryption in transit for the first, lockout and rate limiting for the second).
There are many cases over the past years in which insiders have been a major source of IT security threat, causing companies to go bankrupt or to suffer losses in the millions (see Table 2). With the expanding array of content on the Internet, the temptation to spend time surfing becomes ever stronger for employees. Employees' use of chatrooms, newsgroups and company e-mail during working hours could expose a company to liability under a defamation claim. Employees using the company's systems could also compromise the company's proprietary information and trade secrets, and permit computer viruses to invade and destroy the computer system, costing millions of dollars in lost productivity (Zall 2001).
It is easier for computers to become infected with viruses if employees are not cautious, or if they willingly introduce viruses onto their business computers. By definition, a virus is a piece of code that is loaded onto your computer and runs without your consent. They go by names like Melissa, LoveLetter, Gokar Worm, Disemboweler and Klez. While some viruses are benign, others can be quite nasty, wiping your computer's hard drive and erasing everything on it. At present there are more than 30,000 known strains of computer virus (Little 2002). Almost as big a problem as viruses themselves are virus hoaxes. A virus hoax is typically a "chain letter" e-mail that encourages you to forward the message to all of your contacts (Little 2002).
Companies should be prepared to prevent catastrophic results and should always be on the lookout for unusual symptoms. They should also invest in virus detection software (Little 2002). Businesses need to know as much as possible about abuse and misuse of computers in order to protect their information effectively.
Handling Employee Threat
The first action against employee threat should be taken before hiring, by running a background check on the candidate. Once employees are hired, companies should make sure they understand all of the company's policies on security issues. Employees detected misusing information should be penalized. Employers can take several actions, from disciplinary measures up to dismissal if the case is serious, or they can take the case to court. Let us take a closer look at these issues.
Background Check
Whether employees are hired or promoted for a job should depend on the information gathered by the employer in a background check. Employers should use it to verify the accuracy of information provided by jobseekers. Background reports may also uncover information left out of the application or interview. Today, more employers are being sued for "negligent hiring" for not checking carefully enough into the background of a potential employee; that is one reason more background checks are being conducted. The "information age" also accounts for the increase in background checks, through the availability of computer databases containing millions of records of personal data. As the cost of searching these sources drops, employers find it more feasible to conduct background checks (Privacy Rights Clearinghouse 2000).
It is very important to be proactive and protect your company with an explicit IT policy (Tarabulski 2001). The majority of businesses do not have adequate processes in place to manage risk to operating systems, and they do not have IT policies in place to protect themselves from errant and devious employees (Tarabulski 2001). As Ehrenreich says in the article "Cyber crime means billions in losses", countermeasures to stem possible attacks start with establishing policies about who has access to what information. There should be specific language in the employee handbook regarding software piracy and other security issues. He also recommends periodic password changes for employees (Trembly 1999); note that later guidance such as NIST SP 800-63B advises changing passwords when there is evidence of compromise rather than on a fixed schedule, since forced rotation tends to produce weaker, predictable passwords. Companies should create security and privacy policies, procedures and penalties in advance to reduce threats and risk.
Firing an Employee
There are several risks in firing an employee who is stealing or misusing information. The risk is worst if that employee is a proprietor as described above, since firing him/her can itself harm the company. The company might not find an adequate replacement; the person can withhold information vital to the transition; they can resort to sabotage or espionage, or cause a loss of intellectual property before or after departure; or the departure can cause the loss of other vital staff. Sometimes it is better to look into that person's situation and try to find out what the problem is, so that the situation can be resolved in a way that helps both the company and the employee (Shaw 2001). According to Shaw, in the article "The Insider Problem: To Fire, or Not to Fire?", the challenge in dealing with proprietors is developing a sufficient understanding of the employee and his/her organization to chart a course of action that resolves a difficult situation without causing a major disruption to operations and security (Shaw 2001).
If the employee is terminated, you should immediately disable the former employee's accounts and change every password they knew, including shared, service and administrative credentials; check the former employee's recent log files to determine their administrative activities; and take great pains to safeguard those files from tampering, for example by copying them to a system the former employee never had access to and recording a hash of the copy before the review begins (Harper 1998). Another solution is to exercise more control over sensitive information. After we categorize the data and systems on our network, we can assign the proper access based on job responsibility and the "need to know". Rather than an "all or nothing" access scheme, individuals are granted access only to what they need (Avolio 2001).
Taking the Case to Court
Sometimes it is necessary to take the case to court. According to Genestski, a former prosecutor for the U.S. Department of Justice, when you go to court to prosecute a case of insider abuse it is important to be able to point to clear policies when the court asks how you normally handle such cases. In all cases of alleged insider wrongdoing, the linchpin for determining criminal liability is whether the activity in question was authorized. Therefore, policies need to be created that spell out specific terms of acceptable use of company systems and security requirements for employees, customers and even contract workers (Verton 2001).
There are cases in which organizations do not want to take these criminal cases to court, for several reasons. The difficulty of establishing insider threats may stem from the organization being unaware of any compromise of its systems, from reluctance to admit having been the victim of an insider attack, or from reluctance to report known breaches. One such reason is the corporate fear that negative publicity about insider misuse might affect commercial reputation or market share. Alternatively, organizations might favor civil remedies over criminal prosecution, or might find it easier to claim losses from such misuse through insurance or simply by passing the costs directly on to their customers (Hamin 2000).
The Law and the Internet
Employees can commit many security violations through the use of the Internet. For this reason both the federal government and all 50 states have enacted laws that make it a crime to misuse or tamper with computer systems. Under these statutes, the fact that an employee was authorized to access a system is little help once that access is used to commit a crime. Both federal and state computer crime laws provide criminal sanctions against any individual who alters, destroys, or otherwise abuses a computer system. These laws come into play if the employee were to:
* Gain unauthorized access to financial, medical, or personnel records stored in a computer system.
* Make use of the Internet as a vehicle in furtherance of an unlawful act; authorized access would not constitute a valid defence.
* Employ the Internet to transmit programs, data, codes or commands with the objective of damaging or impeding the operation of a computer system.
* Transmit data, codes, or programs over the Internet for the purpose of modifying or deleting financial or medical data.
* Knowingly, and with the intent to defraud, use the Internet to traffic in computer passwords and credit card numbers.
Under existing computer crime legislation, any individual or business that falls victim to Internet-related abuse can sue both the culprit employee and his/her employer. Ignorance on the employer's part is not a suitable defence; the employer will have to demonstrate that it took adequate steps to prevent these abuses, such as written policies on proper employee use of the Internet (Bequai 1998). As in other cases, policies should be enforced that clarify the actions that can be taken against an employee who misuses the Internet (see Table 3).
Information Technology Security Solutions
There are three central goals in computer security:
Confidentiality. Protection of data so that it is not disclosed in an unauthorized fashion.
Integrity. Protection against unauthorized modification of data.
Availability. Protection against unauthorized attempts to withhold information or computer resources (Escamilla 1998).
In order for companies to remain in business, they should secure their information technology assets (Klein). Frederick B. Cohen affirms that it is prudent to take additional measures to prevent, detect, and respond to insider attack (Cohen 1995). Some managers are tackling this threat by requiring firewalls on all desktop and laptop computers, both inside and outside the corporate LAN (Radcliff 2001). Companies can implement careful employee screening, test systems regularly and conduct surprise audits. Letting staff know that prevention is in place can discourage employee fraud (Genn 2001).
Employee Monitoring
Even though employees might seem honest, it is better for businesses to monitor them; this way they can see whether something strange is going on, or whether insiders are looking at information they are not supposed to see. Monitoring employee behavior is important for determining how well workers conform to the desired "code of conduct", and for dealing with any deviations before they become serious (Dhillon 2001). When there is evidence of misconduct or misuse of information, monitoring or investigation of the situation should follow. Visible cameras, even inoperative ones, can be enough of a deterrent to prevent theft of physical goods (Genn 2001).
Computer Monitoring
Another way to keep track of what employees are doing is to monitor their computers, by installing software that detects unusual behavior. Owners can monitor computer usage and use firewalls to limit access (Genn 2001). As noted in the article "Employee Monitoring: Is There Privacy in the Workplace?", there are several types of computer monitoring. Employers can use software that lets them see what is on the screen or stored on employees' computer terminals and hard disks (Privacy Rights Clearinghouse 2001). Such programs let owners know who is using a program and when (Genn 2001). People in intensive word-processing and data entry jobs may be subject to keystroke monitoring. Such systems tell the manager how many keystrokes per hour each employee is performing, and whether they are above or below the expected standard. Another technique lets employers keep track of the amount of time an employee spends away from the computer, or idle time at the terminal (Privacy Rights Clearinghouse 2001).
Intrusion Detection Systems
There is a big problem in trying to find anomalies or strange behavior, since employees often have the right to look at the information in question, so nothing abnormal is apparently going on (Avolio 2001). For this reason, businesses can install software or systems to monitor for and detect intrusion.
Intrusion detection systems are usually classified as host-based or network-based. Host-based systems base their decisions on information obtained from a single host (usually audit trails), while network-based systems obtain data by monitoring the traffic on the network to which the hosts are connected (Kerschbaum 2002). A network-based intrusion detection system can be used to look for anomalous behavior, while a host-based one can look for suspicious or unauthorized access activity (Avolio 2001). Both host-based and network-based data collection have been widely used in intrusion detection systems. In recent years, an increasing number of intrusion detection systems have started to use both host-based and network-based components in an attempt to obtain the most complete view of the hosts being monitored (Kerschbaum 2002).
Kerschbaum distinguishes two host-based monitoring methods: external sensors and internal sensors. An external sensor is a piece of software that observes a component (hardware or software) in a host and reports data usable by an intrusion detection system, and is implemented by code separate from that component. An internal sensor differs in that it is implemented by code incorporated into the component itself (Kerschbaum 2002). For the insider case this distinction matters: an external sensor reading an audit trail sees only what the component chose to log, and an insider with administrative rights on the host can often disable or edit that trail, which is why audit data should be forwarded to a host the monitored users cannot reach.
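To make two of the preceding points concrete (the terminated-employee log review and need-to-know access from the Handling Employee Threat section, and the host-based detection described here), the following is an added example written for this page; it is not code from the paper or from any of the cited authors. It acts as a small host-based sensor of the external kind: it reads an audit trail in a constructed format, applies an assumed role-based need-to-know policy, flags activity by an account that should have been disabled at termination, flags authorized writes outside an assumed business-hours window, and seals the trail with an HMAC so that a later edit of the evidence can be detected. The users (alice, bob, carol), roles, resource names, timestamps and key are all assumptions made for illustration.

```python
# Added example (not from the paper): a minimal host-based misuse detector that
# reads constructed audit-trail lines, applies a need-to-know policy, flags
# activity by terminated accounts, and seals the log with an HMAC so later
# tampering with the evidence is detectable. All names, paths and times are
# assumptions made for illustration.
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Event:
    ts: str        # "YYYY-MM-DDTHH:MM:SS"; lexical order equals chronological order
    user: str
    action: str    # READ or WRITE
    resource: str  # path-like resource name


def parse_line(line: str) -> Event:
    """Parse one 'timestamp user action resource' line (constructed format)."""
    ts, user, action, resource = line.split()
    return Event(ts, user, action.upper(), resource)


# Need-to-know policy (assumption): each role may touch only these prefixes.
ROLE_PERMS: Dict[str, Dict[str, Set[str]]] = {
    "payroll":   {"READ": {"payroll/"}, "WRITE": {"payroll/"}},
    "warehouse": {"READ": {"inventory/"}, "WRITE": {"inventory/"}},
    "hr":        {"READ": {"hr/", "payroll/"}, "WRITE": {"hr/"}},
}
USER_ROLE = {"alice": "payroll", "bob": "warehouse", "carol": "hr"}
# Accounts that should already be disabled, with the termination time (assumed).
TERMINATED = {"carol": "2002-06-03T17:00:00"}
# Window outside which an otherwise authorized WRITE is treated as anomalous.
BUSINESS_HOURS = ("08:00:00", "18:00:00")


def is_authorized(user: str, action: str, resource: str) -> bool:
    """Grant only what the user's role explicitly allows; the default is deny."""
    role = USER_ROLE.get(user)
    if role is None:
        return False
    return any(resource.startswith(p) for p in ROLE_PERMS[role].get(action, set()))


def detect(lines: List[str]) -> List[str]:
    """Return one alert per suspicious event, in log order (host-based IDS logic)."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev.user in TERMINATED and ev.ts >= TERMINATED[ev.user]:
            alerts.append(f"{ev.ts} {ev.user}: activity after termination "
                          f"({ev.action} {ev.resource})")
        elif not is_authorized(ev.user, ev.action, ev.resource):
            alerts.append(f"{ev.ts} {ev.user}: outside need-to-know "
                          f"({ev.action} {ev.resource})")
        elif ev.action == "WRITE":
            clock = ev.ts.split("T")[1]
            if not BUSINESS_HOURS[0] <= clock <= BUSINESS_HOURS[1]:
                alerts.append(f"{ev.ts} {ev.user}: authorized WRITE outside "
                              f"business hours ({ev.resource})")
    return alerts


def seal_log(lines: List[str], key: bytes) -> str:
    """HMAC-SHA256 over the whole trail; the key must live off the monitored host."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for line in lines:
        mac.update(line.encode() + b"\n")
    return mac.hexdigest()


def verify_log(lines: List[str], key: bytes, tag: str) -> bool:
    """True only if the trail is byte-for-byte what was sealed."""
    return hmac.compare_digest(seal_log(lines, key), tag)


# Constructed sample audit trail; the comments say what each line exercises.
AUDIT_LINES = [
    "2002-06-03T09:02:11 alice READ payroll/salaries.csv",    # in role, ok
    "2002-06-03T09:05:40 bob READ inventory/stock.csv",       # in role, ok
    "2002-06-03T10:12:05 carol READ payroll/salaries.csv",    # hr may read payroll
    "2002-06-03T13:40:22 bob READ payroll/salaries.csv",      # outside need-to-know
    "2002-06-03T22:14:02 alice WRITE payroll/salaries.csv",   # authorized, after hours
    "2002-06-04T08:30:00 carol READ hr/personnel.db",         # after termination
]

if __name__ == "__main__":
    for alert in detect(AUDIT_LINES):
        print(alert)
    key = b"demo-key-kept-elsewhere"
    tag = seal_log(AUDIT_LINES, key)
    print("log intact:", verify_log(AUDIT_LINES, key, tag))
```

Run it directly to print the three alerts the sample trail produces. The third case is the one an access-control list alone never catches: alice's write is fully authorized, and only the time-of-day baseline makes it stand out, which is the "anomaly" view Avolio describes. The seal is only as good as the key's location; if the key sits on the monitored host, an insider with administrative rights can edit the trail and re-seal it, which is the same reason the text recommends forwarding logs to a host the monitored users cannot reach.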
Employee Training
Also, to reduce the risks and costs associated with the electronic storage of proprietary and confidential data, supervisors and peers must be trained to be alert to the at-risk characteristics and behaviors linked to insider alienation (Shaw 2000). Businesses can hire IT security professionals, who can educate their clients to be proactive rather than reactive and to recognize the signatures of security threats when they occur (Klein). Some organizations in this area are the Computer Security Institute (CSI), the Computer Emergency Response Team (CERT), and the Information Systems Security Association (ISSA) (Harper 1998). Security experts say that companies should take measures to guard against the internal threat to sensitive systems (Verton 2001) (see Table 4).
Conclusion
Companies depend on information technology to handle their business efficiently. Along with this technology come new security issues, since it is easier for employees to misuse it. The threat from employees on the inside can be greater than the threat from outside, and organizations should not ignore it but minimize it. Insider misconduct can be intentional or accidental, but since the two are not easy to distinguish, it is better to take action before anything happens. Employees can turn into a company's worst enemy and betray the organization, leaving it with losses in the millions. For a business to stop this threat it needs to take a combination of steps, since any single one will not be enough. For example, businesses need to adopt internal controls and new policies for computer and Internet usage, and they need to enforce those policies against any misuse of computer information so that employees do not take advantage of them. Businesses need to be constantly on the lookout for any type of attack, take action against employees who break the rules, monitor employees and computers, and install new internal security software. By using all of these methods, businesses will be alert and, in many cases, proactive, taking action before an attack can occur. Adopting these recommendations should help many companies overcome insider fraud.
Table 1 (Shaw 2001)
IDENTIFYING THE PROPRIETOR
1. Feels he "owns" the system
2. Feels entitled to special privileges and exceptions to the rules
3. Won't delegate any vital responsibilities
4. Encourages customer dependency on him only
5. Denies others information and access, and refuses to document vital codes and processes
6. Fights when his control is threatened, including making threats of violence
7. Encourages an "us vs. them" culture with staff
8. Contributes to staff turnover by hindering others' upward mobility
SIGNS OF PROPRIETOR/SUPERVISOR
1. "Co-dependency"
2. Supervisor's dependency on employee has increased to the point where the supervisor is largely ignorant of the technical aspects of the employee's area
3. Employee regularly forces supervisor to consider exceptions to policies and practices on his behalf
4. Employee ignores supervisor's directives without significant consequences
5. Employee makes supervisor feel impotent
6. Supervisor feels constrained by employee's allies
7. Supervisor has no "backup" should employee stop producing
Table 2 (Verton 2001)
Insider-Damage Assessment
A chronology of high-profile internal IT security breaches:
* 1985 A brokerage firm clerk alters computer records and changes the ownership and price of 1,700 shares of Loren Industries stock.
* 1989 A former employee of Southeastern Color Lithographers Inc. destroys billing and account information worth $400,000.
* 1996 A computer operator at Reuters Group PLC in
* 1997 A temporary employee working as a computer technician at Forbes magazine is charged with crashing the company's network and causing more than $100,000 in damage.
* 1998 A disgruntled programmer at defense contractor Omega Engineering Corp. sets off a digital bomb, destroying $10 million in data.
* 2001 Robert Hanssen, a career FBI agent with access to counterintelligence databases, is charged with spying for
By Dan Verton
Table 3 (Bequai 1998)
Enforcement of Policies (Internet)
* Written warnings: these should be issued to any employee who violates company policies governing use of the Internet. Repeat offenders should be dealt with sternly.
* Discharge: the more serious abuses call for immediate discharge. Anything short of that could expose the employer to legal sanction.
* Restitution: an employee who causes his/her employer any financial injury should be required to make restitution. Such actions will serve to demonstrate to the authorities and the courts that the employer is serious in its effort to curb abuses of the Internet.
Table 4 (Verton 2001)
Measures to guard against the internal threat to sensitive systems:
* Develop training and education programs for all employees.
* Conduct background investigations on employees and contractors who have access to sensitive systems.
* Classify corporate information, and control employees' access based on their need to know or role.
* Segment networks, where possible.
* Deploy monitoring tools with automated alert mechanisms.
* Demand that trading partners and service providers inform you of the security protections in place at their facilities.
* Control physical access to buildings and offices; automate the logging of physical access and integrate it with network-access monitoring.
By Dan Verton
References
Avolio, Fred. "When Access Control Goes Bad," 2001.
Bequai, August. "Employee Abuses in Cyberspace: Management's Legal Quagmire," Computers and Security, 1998, Vol. 17 Issue 8, p. 667.
Chen, Anne. "Watching Your Back," eWeek, Vol. 19 No. 3, Jan 2002, p. 37-38.
Cohen, Frederick B. (1995). "Protection and Security on the Information Superhighway."
Dhillon, Gurpreet, and Steve Moores. "Computer Crimes: Theorizing About the Enemy Within," Computers and Security, Vol. 20, No. 8, 2001, p. 715.
Ermann, M. David, et al. (1990). "Computers, Ethics, and Society," New York, Oxford University Press, Inc., p. 346-340.
Hamin, Zaiton. "Insider Cyber-threats: Problems and Perspectives," International Review of Law, Computers & Technology, Mar 2000, Vol. 14 Issue 1, p. 105-113.
Harper, Doug. "Is Your Technology Secure?," Industrial Distribution, Vol. 87 No. 4, May 1998, p. 96.
Hollinger, Richard. (1997). "Crime, Deviance and the Computer,"
Kerschbaum, Florian. "Using Internal Sensors and Embedded Detectors for Intrusion Detection," Journal of Computer Security, 2002, Vol. 10 Issue 1/2, p. 23.
Little, Matthew. "Virus," Products Finishing, Jun 2002, Vol. 66 Issue 9, p. 10.
Neumann, Peter G. "Risks of Insiders," Communications of the ACM, Dec 1999, Vol. 42 Issue 12, p. 160.
Power, Richard. "Computer Security Issues and Trends," 2002 CSI/FBI Computer Crime and Security Survey, Vol. VIII, No. 1, Spring 2002.
Privacy Rights Clearinghouse. "Employee Monitoring: Is There Privacy in the Workplace?," April 2001, www.privacyrights.org/fs/fs7-work.htm
Privacy Rights Clearinghouse. "Employment Background Checks: A Jobseeker's Guide," August 2000, http://www.privacyrights.org/fs/fs16-bck.htm
Radcliff, Deborah. "Firewalls Reach Out," Computerworld, Vol. 35 No. 13, Mar 2001, p. 64-65.
Shaw, Eric D. "The Insider Problem: To Fire, or Not to Fire?," 2001.
Tarabulski, Noelle. "Security Alert," Professional Builder, Vol. 66 Issue 4, Apr 2001, p. 221.
Trembly, Ara. "Cyber Crime Means Billions in Losses," National Underwriter (Life/Health/Financial Services), Vol. 103 No. 27, July 1999, p. 37.
Verton, Dan. "Analysts: Insiders May Pose Security Threat," Computerworld, Vol. 35 Issue 42, Oct 2001, p. 6.
Verton, Dan. "Experts, Users Strategize on Security at Crime Summit," Computerworld, Vol. 35 No. 11, Mar 2001, p. 20.
Ward, Mark. "Employees Seen as Computer Saboteurs," BBC News Online, April 2002, news.bbc.co.uk/hi/english/sci/tech/newsid_1946000/1946368.stm
Zall, Milton. "Do You Know How Your Employees Are Using Your Computers?," Office Solutions, Vol. 18 No. 3, Mar 2001, p. 38-41.