We all depend on information technology systems in our daily lives: telephone systems, cable systems, the electrical power grid, much of our transportation and delivery systems, and almost every other element of our National Information Infrastructure (Cohen 57). The dependencies we once had on other people and ourselves are shifting toward dependencies on these new technologies (p. 18), as Frederick B. Cohen says in his book “Protection and Security on the Information Superhighway”.
Businesses use a great deal of this information technology to handle all the work they have to do. Computers now play an important role in every type of business. As we continue to barrel through the information age, it is hard to imagine conducting business without computers. Each day, millions of people working in offices and homes around the world depend on computer technology to do their jobs efficiently and economically (12).
Information technology has produced substantial benefits for all of us. However, behind these benefits lies a disadvantage: computers and computer systems are vulnerable to all manner of misuse. The consequences of such misuse may be very serious (Hollinger 348). Computers, which are part of this technology, have little or no protection, and interconnected computers are generally wide open to accidental or malicious disruption. In addition, these computers hold a vast amount of important and delicate information that cannot be shared with just anyone, so companies must protect their businesses from intruders.
Nowadays organizations have to protect their businesses from many people who can cause them losses in the millions: for example, vendors and business associates seeking leverage, hackers or crackers seeking a thrill, cyberpirates seeking profits and information, employees seeking knowledge and power, ex-employees seeking revenge, or competitors seeking to destroy them (Information Technology Security Solutions, Klein 1). For these and many other reasons they should be alert to anything that can happen within their organizations 24 hours a day, because it is better to prevent than to lament.
Employees are the ones who have legal access to all this information, and it is easier for them to obtain secure information. There is a “Computer Crime and Security Survey” done yearly by the United States FBI and the Computer Security Institute. It is conducted by CSI with the participation of the San Francisco Federal Bureau of Investigation's (FBI) Computer Intrusion Squad. This survey is based on responses from 503 computer security practitioners in
There are two classes of computer criminals in any business: outsiders and insiders. Insiders typically exceed authorized access while committing a computer-related crime, while outsiders obtain purely unauthorized access. The insider/outsider distinction is relevant because the person’s method of entry and type of misuse will often determine whether the law will come into play (Hollinger 350). Usually, companies put more attention and effort into developing security controls for external threats, theft, and attacks only, while on the inside nothing has been implemented. This means that they protect their companies heavily against outsiders while almost completely forgetting about insiders, who can turn out to be their worst enemies. One reason is that they might trust their employees more than any person from the outside. From one point of view it is reasonable to think that way, just by looking at statistics found in this survey: “Forty percent of the respondents detected system penetration from the outside” (CSI 1). Many people might say that outsiders are the ones who want to destroy their records or steal valuable information. But let's think about it: insiders already have the information on hand, and we do not know who might betray the organization. Employees are the ones who can give outsiders access to this information, or even take it for their personal use or advantage. Businesses may assume that employees are their best allies when in fact they can be their worst enemies. The most costly sources of insider attack seem to be executives, people that use application programs, programmers, and other employees (Cohen 57).
In his article “When Access Control Goes Bad”, Fred Avolio says that “we can break down the problem into three areas. First, while we may have fairly good external controls, our internal data access controls are usually poor to nonexistent. Too often we rely on physical access control only. Second, and again, while our external network gateways and systems (web servers, mail gateways, and firewalls) are usually closely watched, inside machines often are not. Finally, we may run intrusion detection on our service networks (DMZs) looking for suspicious activities, but may not be as thorough on the inside” (Avolio 1).
Now, there is a type of insider who is called a “proprietor.” According to Eric D. Shaw, a “proprietor” is “a person who has grown so attached to his information technology system that he feels like he personally owns it and would do anything to defend his control over it” (Shaw 1). This type of employee can cause harm to the entire company, and we must know how to identify them. There are several characteristics and signs to identify a proprietor (see table 1).
EMPLOYEES AND COMPUTER CRIMES
There are four broad categories of computer crime that insiders can commit: sabotage, theft of services, property crimes, and financial crimes. Sabotage is a crime directed against the computer hardware and software, causing extensive damage. For example, a dissatisfied employee can walk through a data storage area with an electromagnet, erasing valuable company records. Theft of services occurs when employees gain unauthorized access to a time-sharing system that does not require regular changing of access codes. Property crimes involve theft of the computer equipment itself. Also, employees can create dummy accounts, causing orders to go to an accomplice outside the organization. Financial crimes are considered one of the most serious crimes in terms of monetary loss. A common method involves checks: an employee familiar with a firm's operations can cause multiple checks to be made out to the same person, or juggle confidential information within a computer, both personal and corporate, to alter it (Ermann 346-340).
When employees are detected misusing information, they should be penalized for doing so. Employers can take several actions, such as dismissal; if the case is too serious they can take it to court, or they can fire them. The issue here is which of these actions they should take, or whether anything similar should be done about it.
There are several risks in firing an employee who is stealing or misusing information. The risk is worse if that employee is a proprietor, since firing him/her can cause harm to the company. The company might not find an adequate replacement; the person can withhold information vital to the transition; they can start sabotage or espionage, or cause a loss of intellectual property before or after departure; or the firing can cause a loss of other vital staff. Sometimes it is better to investigate that person’s life and try to find out what the problem is. Maybe in this way the situation can be solved in a way that helps both the company and the employee. According to Shaw, in the article “The Insider Problem To Fire, or Not to Fire?”, the challenge in dealing with proprietors is developing a sufficient understanding of the employee and his/her organization to chart a course of action that can resolve a difficult situation without causing a major disruption to operations and security (Shaw 2).
Another solution is to have more control over the secure information. …After we categorize the data and systems on our network, we can assign the proper access based on job responsibility and the “need to know.” Rather than an “all or nothing” access scheme, individuals are granted access to only what they need to access (Avolio).
INFORMATION TECHNOLOGY SECURITY SOLUTIONS
There are three central goals in computer security: confidentiality, which means the protection of data so that it is not disclosed in an unauthorized fashion; integrity, meaning protection against unauthorized modification of data; and availability, or the protection from unauthorized attempts to withhold information or computer resources (Escamilla 5). In order for companies to remain in business, they should secure their information technology assets (Klein 1). Frederick B. Cohen affirms that it is prudent to take additional measures to prevent, detect, and respond to insider attack (Cohen 57). They should carefully adapt security awareness programs, among the most important prevention, monitoring and detection tools available (Shaw art.2,3). IBM suggests creating a security and privacy blueprint, developing policies, procedures and penalties in advance to reduce threats and risk, and actively checking security and privacy controls, including mechanisms used by hardware and software systems, networks, databases, and human resource systems (Strothman 1).
Even though employees might seem honest, it is better for businesses to monitor their employees; this way they can see if there is something strange going on, or if employees are looking at information that they are not supposed to see. When there is evidence of misconduct or misuse of information, monitoring or investigation of the situation should follow. Businesses should also monitor computers by installing software that detects any strange behavior employees might exhibit.
It is a big problem to find anomalies or strange behaviors, since many times employees have the right to look at this information, and nothing abnormal is apparently going on. For these reasons, businesses can configure a network-based intrusion detection system to look for anomalous behavior. Another choice is to install a host-based intrusion detection system that can look for suspicious or unauthorized access activity (Avolio 2).
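The need-to-know assignment and the host-based access monitoring described above can be combined in one check. The following is an added example, not code from this essay or from Avolio's article; the roles, data categories, audit log and the `review` function are all constructed for illustration.

```python
from collections import defaultdict

# Hypothetical data categories and the job roles that "need to know" each one.
NEED_TO_KNOW = {
    "payroll": {"hr", "finance"},
    "source_code": {"engineering"},
    "customer_records": {"sales", "support"},
}
ROLES = {"alice": "hr", "bob": "engineering", "carol": "sales"}  # constructed

# Constructed audit log: (day, user, data category, records read).
AUDIT_LOG = [
    (1, "alice", "payroll", 12), (2, "alice", "payroll", 9),
    (3, "alice", "payroll", 11),
    (1, "bob", "source_code", 40), (2, "bob", "source_code", 35),
    (3, "bob", "payroll", 3),
    (1, "carol", "customer_records", 20), (2, "carol", "customer_records", 25),
    (3, "carol", "customer_records", 400),
]

def review(log, roles, policy, today, factor=5):
    """Return alerts for today's events: role violations and volume anomalies."""
    history = defaultdict(list)  # (user, category) -> volumes on earlier days
    alerts = []
    for day, user, category, count in sorted(log):  # earlier days come first
        if day < today:
            history[(user, category)].append(count)
            continue
        if day > today:
            continue
        # Default deny: unknown users and uncategorized data are flagged too.
        if roles.get(user) not in policy.get(category, set()):
            alerts.append((user, category, "outside need-to-know"))
            continue
        # The access is authorized, so nothing looks abnormal per event;
        # compare today's volume with this user's own average instead.
        past = history[(user, category)]
        if past and count > factor * (sum(past) / len(past)):
            alerts.append((user, category, "volume anomaly"))
    return alerts

if __name__ == "__main__":
    for alert in review(AUDIT_LOG, ROLES, NEED_TO_KNOW, today=3):
        print(alert)
```

The second check addresses the case the paragraph raises: carol is entitled to read customer records, so only the comparison with her own baseline exposes the bulk read.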
Also, to reduce the risks and costs associated with the electronic storage of proprietary and confidential data, supervisors and peers must be trained to be alert to new types of at-risk characteristics and behaviors linked to insider alienation (Shaw art.2,3). Businesses can hire different IT security professionals. These professionals can educate their clients to be proactive instead of reactive and to recognize the signature of security threats when they occur (Klein). Some of these organizations are the Computer Security Institute (CSI) and Information Technology Security Solutions (CSI, Klein).
2. Cohen,
4. Ermann, M. David, et al. (1990). Computers, Ethics, and Society. Oxford University Press, Inc.
5. Hollinger, Richard. (1997). Crime, Deviance and the Computer.
6. Kelly Michael. www.texomamanagement.com/PreEmploymentScreening.htm
8. Shaw, Eric. (2000). http://www.infosecuritymag.com/articles/january01/features4.shtml
10. Strothman, Jim. http://www.isa.org/Content/ContentGroups/Industrial_Computing1/Features2/200221/April14/Plugging_network_holes.htm
11. Ward, Mark. (2002). news.bbc.co.uk/hi/english/sci/tech/newsid_1946000/1946368.stm
12. Carbons to Computers. educate.si.edu/scitech/carbons/computers.html