%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%              N.I.A.                 %%
%%     Network Information Access      %%
%%              02MAR90                %%
%%            Lord Kalkin              %%
%%              File #3                %%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

:_Computer Crimes/Fraud/Waste part 1
:_Written/Typed/Edited By: Lord Kalkin

1. COMPUTERS: CRIMES, CLUES, AND CONTROLS

Introduction

The Information Age has brought about dramatic improvements in the way the Federal government does its job. For making decisions, more and better information is available more quickly to more people than ever before. Statistical computations that once took weeks now take minutes. And analyses that once required numerous programmers, a computer operator, and a large computer facility may now need only nontechnical staff using software packages on desktop computers in their office.

The General Services Administration estimates that Federal agencies will acquire half a million small computers by 1990. In FY 1984, Federal expenditures for micro and desktop computers totaled $137 million. The comparable figure for FY 1983 was $34 million. And these statistics do not include computer terminals that are part of large computer systems or word processors -- many of which can be used to store and manipulate data, as well as create graphics. The Office of Management and Budget (OMB) estimates that $13.9 billion was spent in FY 1985 to acquire, operate, and maintain Federal information technology systems.

New management problems have accompanied the increased use of computers and automated technology. Terminals, often connected to computers that are networked together, can access vast quantities and different types of data. There are publicly voiced concerns about privacy of information and the risks associated with automating and making more accessible personal, proprietary, or other sensitive data.
There are serious concerns about increased computer crime, waste, and abuse, which result in such costly problems as improper payments from government benefit programs and unnecessary equipment purchases. And there is the clear recognition that information is a resource to be protected.

The responsibility for protecting information resides with the end user manager. This responsibility is acknowledged in OMB Circular A-130, MANAGEMENT OF FEDERAL INFORMATION RESOURCES:

"Agencies shall make the official whose program an information system supports responsible and accountable for the products of that system..."

"Because end user computing places management of information in the hands of the individual agency personnel rather than in a central automatic data processing organization, the Circular requires that the agencies train end users in their responsibilities for the safeguarding of information."

This document is designed to provide information security awareness training for the end user manager. Security awareness training acquaints the end user manager with systems, controls, and techniques that enhance information security, and with resources available for additional information.

"YOU'VE GOT TO CONSIDER YIELD. IT'S $19,000 PER BANK ROBBERY AND $560,000 PER COMPUTER CRIME!"

Computer crime is a growth industry -- and so are computer waste and abuse. Some estimates peg the increase in computer crime at 35 percent annually and the cost at $3.5 billion. One obvious reason is the potential payoff: the average computer crime yields an estimated $560,000; the average bank robbery, $19,000. The computer criminal is less likely to get caught than the bank robber -- and less likely to be convicted if caught. Estimates of detected computer crimes are as low as 1 percent. And the likelihood of a criminal conviction for computer fraud is less than 1 in 10.

Deliberate computer crime is a significant part of the picture. But wasteful and abusive practices, accidents, and errors are an even larger part.
In the succinct words of one noted expert, "We bumble away far more computer $s than we could ever steal." Those bumble dollars -- combined with the estimated $3.5 billion annual cost of computer crime -- underscore the scope and seriousness of computer-related losses.

A major contributor to computer-related loss is the lack of security awareness. Security awareness can stop accidents and errors, promote adequate information security controls, and prevent and detect the would-be computer criminal. End user awareness of security controls provides four levels of protection for computers and information resources:

SECURITY CONTROLS: FOUR LEVELS OF PROTECTION

Prevention -- Restricts access to information and technology to authorized personnel only;

Detection -- Provides for early discovery of crimes and abuses if prevention mechanisms are circumvented;

Limitation -- Restricts losses if a crime occurs despite prevention and detection controls; and

Recovery -- Provides for efficient information recovery through fully documented and tested contingency plans.

Yesterday, managing technology was the technical manager's concern. Today, managing information is every nontechnical end user manager's concern. Managing information requires new knowledge and new awareness by a new group of nontechnical employees. Good information management requires recognizing opportunities for computer crime and waste so that steps can be taken to prevent their occurrence.

When computers were first introduced, few were available and only a small number of persons were trained to use them. Computers were usually housed in separate, large areas far removed from program managers, analysts, economists, and statisticians. Today that has changed. Word processors, computer terminals, and desktop computers are now common office equipment. This electronic equipment is rapidly becoming more user-friendly, so that many people can quickly and easily learn how to use it.
Employees with access to computer equipment and automated information are increasing greatly throughout the organizational hierarchy. The GS-4 secretary, the GS-9 budget analyst, the GS-12 program analyst, the GS-13 statistician, the GM-14 economist, and the Senior Executive Service manager may all have access to a computer terminal or word processor and the information it contains. No longer is information restricted to a select few at the highest levels of an organization. This phenomenon has led computer crime to be called the "democratization of crime." As more people gain access to automated information and equipment, the opportunities for crime, waste, and abuse likewise increase.

It's Difficult to Generalize, But...

- Functional end user, not the technical type and not a hacker
- Holds a non-supervisory position
- No previous criminal record
- Bright, motivated, desirable employee
- Works long hours; may take few vacations
- Not sophisticated in computer use
- The last person YOU would suspect
- Just the person YOU would want to hire

THE COMPUTER CROOK CAN BE ANYONE

The typical computer crook is not the precocious hacker who uses a telephone and home computer to gain access to major computer systems. The typical computer crook is an employee who is a legitimate and nontechnical end user of the system. Nationally, employee-committed crime, waste, and abuse account for an estimated 70 to 80 percent of the annual computer-related loss. Dishonest and disgruntled employees cause an estimated 20 percent of the total computer system-related loss. And they do so for a variety of reasons.

WHY PEOPLE COMMIT COMPUTER CRIME

- Personal or financial gain
- Entertainment
- Revenge
- Personal favor
- Beat the system, challenge
- Accident
- Vandalism

But a significantly larger dollar amount, about 60 percent of the total computer-related loss, is caused by employees through human errors and accidents.
Preventing computer losses, whether the result of deliberately committed crimes or unknowingly caused waste, requires security knowledge and security awareness. A recent survey reported that observant employees were the primary means of detecting computer crime.

CLUES TO COMPUTER CRIME AND ABUSE

Be on the lookout for...

- Unauthorized use of computer time
- Unauthorized use of or attempts to access data files
- Theft of computer supplies
- Theft of computer software
- Theft of computer hardware
- Physical damage to hardware
- Data or software destruction
- Unauthorized possession of computer disks, tapes, or printouts

This is a beginning list of the kinds of clues to look for in detecting computer crime, waste, and abuse. Sometimes clues suggest that a crime has been committed or an abusive practice has occurred. Clues can also highlight system vulnerabilities -- identify where loopholes exist -- and help identify changes that should be made.

Whereas clues can help detect crime and abuse, controls can help prevent them. Controls are management-initiated safeguards -- policies or administrative procedures, hardware devices or software additions -- the primary mission of which is to prevent crime and abuse by not allowing them to occur. Controls can also serve a limitation function by restricting the losses should a crime or abuse occur.

This document addresses information security in three areas: information security, physical security, and personnel security. In each area, crimes, clues, and controls are discussed. In these areas not only frauds, but abuses and waste are addressed. The final chapters provide a plan of action and cite available security resources.

N.I.A. - Ignorance, There's No Excuse.
Founded By: Guardian Of Time/Judge Dredd.
[OTHER WORLD BBS]