Computer Crime Page 6 of 7:
A. Security in the electronic data-processing environment
186. Society increasingly relies on automated systems to carry out many essential functions in day-to-day life. If these systems are to be depended upon, it is essential that the persons responsible for their operation recognize the vulnerabilities to which they are subject and take steps to implement appropriate safeguards.
187. An EDP system can be considered as a group of assets of varying sensitivity related to the maintenance of three basic requirements: confidentiality, integrity and availability.
188. EDP security, while a relatively recent discipline, is subject to a variety of interpretations. Historically, security measures have been applied to the protection of classified information from the threat of disclosure in a national security context. Recently, much attention has been directed to the issue of individual privacy as it relates to personal information stored in computerized data systems. Another consideration is data integrity in financial, scientific and process control applications. The security of computer installations themselves is of great concern to many organizations, owing to the significant financial investment involved.
189. Since all of these interpretations of EDP security may have significance to different users, a practical definition is needed to account for the wide range of concerns. For the purpose of this Manual, EDP security is defined as that state reached when automated systems, data and services are receiving appropriate protection against accidental and deliberate threats to confidentiality, integrity or availability.
190. Security, like insurance, is to a large extent applied risk management, defined as the attempt to achieve a tolerable level of risk at the lowest possible cost. The goal is to reduce the risk exposure of the facility to an acceptable level, best achieved by a formal assessment of risk. This includes a number of components, such as the identification of EDP assets, values, threats and vulnerabilities and the financial impact of each threat-asset combination; estimation of the frequency of occurrence for each chosen threat-asset pair; and choice of safeguards and implementation priorities for security measures. Safeguards should not only be cost-effective but should also provide a judicious balance between those designed to prevent threats, those to detect threat occurrences or security infractions and those to respond to the threats that inevitably occur. Risk analysis is a team function that must involve managers from user, application, systems and operations areas in the establishment of priorities and the allocation of funds for security measures. In some cases, where confidentiality is a specific concern, additional protection must be provided through the application of mandatory regulatory requirements. Government classified information is subject to such regulations.
191. Three general categories of assets in the computer environment can be targeted for protection, each posing a distinct protection problem given its unique sensitivities.
1. Software, data and information
192. Protection requirements for software, data and information are based on the need to preserve confidentiality, integrity and availability. Confidentiality, or the need to protect from disclosure, can be required because a system contains personal data, information proprietary to an organization or data related to national security. Even waste material may require protection up to the time of its destruction.
193. Software and data integrity are also requirements of all computer systems. Users of the system require assurance that unauthorized changes, deliberate or accidental, do not take place. The integrity of all software, utilities and applications must be above question, otherwise the results of manipulating the data will not be practicable.
194. To be of value, software and data must be available for use within an acceptable time-frame. The availability concern is important in both the long and short term. The properties of confidentiality, integrity and availability can also be applied to other information assets, such as system documentation, descriptive materials and procedural manuals, control forms, logs and records.
2. Data-processing services
195. In numerous cases the sensitivity of the information handled may not be as significant as the services performed. Service can be the most important asset requiring protection in cases where national security, the safety or livelihood of individual citizens, or essential services are dependent upon computer systems. Air traffic control, police information service, medical monitoring systems, electronic funds transfer systems and all services where processing is time-sensitive, in which availability is an important goal, are examples of this type of dependency.
3. Electronic data-processing equipment and facilities
196. The third category of assets requiring protection involves tangible property in the EDP environment, including computer equipment and supplies, the physical site facilities, machine rooms, media libraries, data preparation areas and terminal areas, as well as environmental services, such as power, air-conditioning and lighting.
197. Although these three categories represent the features of computer systems that security measures should target, the current limitations of computer security technology require that a much broader view of safeguards be taken. Computer security is a weak-link phenomenon. To ensure that complete protection is provided to EDP assets, other established security areas, such as administrative, personnel, physical and communication-electronic security, must be taken into consideration. There is little point in emphasizing sophisticated systems features if more basic and perhaps more vulnerable areas are slighted. It also has been noted that, owing to the cost or unavailability of technical features in computer systems, physical or procedural safeguards are sometimes practical alternatives.
C. Security measures
198. EDP security is considered to consist of seven essential components: administrative and organizational security; personnel security; physical security; communication-electronic security; hardware and software security; operations security; and contingency planning.
1. Administrative and organizational security
199. Administrative security involves the development of an overall security policy and the establishment of procedures for its implementation. While specific security administrative practices will vary considerably depending on the size and nature of the work performed by an organization, minimum requirements include the following:
The development of procedures to ensure that risks are identified;
The definition of individual security duties and the appropriate assignment of responsibilities;
The designation of restricted areas;
The establishment of authorization procedures;
The identification of external and contractual dependencies;
The preparation of contingency plans.
200. Second only to the necessity for the established policy and procedures for EDP security is the requirement for an effective organization to administer it. It is essential that senior management be aware of EDP security requirements and of the fact that a close working relationship must be cultivated between automated system management and the group responsible for overall security.
2. Personnel security
201. Personnel security includes specifying security requirements in job descriptions and ensuring that incumbents meet these requirements and are provided with adequate security motivation and training. It involves supervising access to and control over system resources through appropriate personnel identification and authorization measures. It further requires attention to hiring and employment termination procedures. External service or support personnel such as maintenance and cleaning staff or contract programmers who have unsupervised access to restricted areas should be subject to the same personnel security measures as regular employees.
3. Physical security
202. All EDP facilities should be provided with physical protection in order to ensure security commensurate with the sensitivity of the data being processed and the service being provided. The following factors should be borne in mind when physical security measures are chosen:
Site planning (e.g. location and layout, building construction, heating, lighting, fencing and shielding);
Control of access to restricted areas (e.g. perimeter security, visitor control, key and badge control, guard staffs and intrusion alarms);
Protection against physical damage (e.g. fire, flooding, explosion, wind, earthquake and physical attack);
Protection against power and environmental failures (e.g. air-conditioning, water-cooling, power-monitoring, uninterruptible power sources and dust control);
Protection of EDP media and supplies (e.g. waste disposal, storage containers, transportation, postal procedures and packaging).
The close relationship between the physical, environmental and hardware aspects of EDP security makes coordination between computer system and traditional security staff essential, particularly during the planning and design stages of new systems and facilities.
4. Communications-electronic security
203. Telecommunications are almost invariably a fundamental component of automated systems, and their use has the effect of extending the geography of the security concern and of complicating service availability. As the communication facets multiply, so do the possibilities of crossed communication between lines, misrouting of information, wire-tapping and the monitoring of electromagnetic radiation from hardware. Some possible countermeasures for communications and electronic threats include electronic screening, filtering, encryption and specially designed terminals. However, the inherent complexity of communications systems requires that each case be approached individually. As dependence on communications becomes greater, so too does the probability that the ability to provide the automated service could be lost because of a failure in the communication system.
5. Hardware and software security
204. Hardware security relates to those protective features implemented through the architectural characteristics of the data-processing equipment, as well as the support and control procedures necessary to maintain the operational integrity of those features.
205. Computer systems security features, whether implemented in hardware, software or micro-programmed firmware, can be addressed in five categories:
Identification mechanisms to identify authorized users;
Isolation features that ensure that users of the system are restricted from accessing devices, software and data to which they are not entitled;
Access control features that provide for selected sharing of system resources by removing or negating isolation measures for authorized cases;
Surveillance and detection measures, which assist in the detection of security violations, usually implemented by software;
Response techniques to counter the harm of security violations, such as redundant components and circuits, and error correction logic.
6. Operations security
206. Operations security relates to the policy and procedures that are necessary to ensure that the required operational capability is always available and that security exposures within the environment are acceptable. Once an environment has been selected that presents minimal inherent weaknesses, the vulnerabilities within the environment should be reduced as much as is practicable. The most important step in this process is to ensure that responsibilities are clearly assigned. The concept of separation of duties and the concept of least privilege are helpful in this regard. In shared systems, the separation of duties concept means that no single individual can subvert controls on the system, and the least privilege concept ensures that no one is granted a capability for which there is no well-substantiated operational necessity.
207. The considerations involved in establishing and maintaining an adequate security programme are, briefly, as follows:
Identification of the EDP assets (data, software, hardware, media, services and supplies) requiring protection;
Establishment of the value of each of the assets;
Identification of the threat associated with each of the assets;
Identification of the vulnerability of the EDP system to these threats;
Assessment of the risk exposure associated with each asset (probability of frequency of occurrence multiplied by impact of occurrence);
Selection and implementation of security measures;
Audit and refinement of the EDP security programme on a continuing basis.
208. It is generally recognized that absolute security is an unrealistic goal. An adversary with sufficient motivation, resources and ingenuity can compromise the most sophisticated security safeguards. An optimum security policy is one in which the cost of implementing protective mechanisms has been balanced against the reduction in risk achieved. Although security measures can be costly, experience has shown that adequate security is inexpensive compared to the potential consequence of failure to provide appropriate protection.
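The risk-assessment steps of paragraphs 190 and 207 and the cost balance of paragraph 208, worked through as an added example that is not part of the Manual: exposure is frequency multiplied by impact for each threat-asset pair, and a safeguard is chosen only while the exposure it removes exceeds its annual cost. All assets, threats, figures, safeguard names and reduction fractions are constructed for illustration.

```python
from dataclasses import dataclass, field

KINDS = ("prevent", "detect", "respond")  # the balance asked for in para. 190


@dataclass
class ThreatAssetPair:
    asset: str
    threat: str
    frequency_per_year: float  # estimated occurrences per year
    impact: float              # financial loss from one occurrence

    @property
    def key(self):
        return (self.asset, self.threat)

    @property
    def exposure(self):
        # Para. 207: frequency of occurrence multiplied by impact of occurrence.
        return self.frequency_per_year * self.impact


@dataclass
class Safeguard:
    name: str
    kind: str                  # one of KINDS
    annual_cost: float
    # Assumed estimate: fraction of exposure removed, keyed by (asset, threat).
    reduces: dict = field(default_factory=dict)


def rank_pairs(pairs):
    """Order threat-asset pairs by exposure, highest first."""
    return sorted(pairs, key=lambda p: p.exposure, reverse=True)


def net_benefit(safeguard, residual):
    """Exposure removed from what is still unprotected, minus annual cost."""
    saved = sum(residual.get(k, 0.0) * f for k, f in safeguard.reduces.items())
    return saved - safeguard.annual_cost


def select_safeguards(pairs, safeguards):
    """Greedy selection: keep adding the safeguard with the largest positive
    net benefit, re-evaluating against residual exposure after each choice."""
    residual = {p.key: p.exposure for p in pairs}
    remaining, chosen = list(safeguards), []
    while remaining:
        best = max(remaining, key=lambda s: net_benefit(s, residual))
        if net_benefit(best, residual) <= 0:
            break  # nothing left that pays for itself
        for k, f in best.reduces.items():
            if k in residual:
                residual[k] *= 1.0 - f
        chosen.append(best)
        remaining.remove(best)
    return chosen, residual


def balance_gaps(chosen):
    """Kinds of safeguard (prevent/detect/respond) absent from the selection."""
    present = {s.kind for s in chosen}
    return [k for k in KINDS if k not in present]


# Constructed sample data.
PAIRS = [
    ThreatAssetPair("machine room", "fire", 0.01, 2_000_000),
    ThreatAssetPair("payroll data", "unauthorized modification", 0.5, 200_000),
    ThreatAssetPair("media library", "theft of backup tapes", 0.1, 50_000),
    ThreatAssetPair("EFT service", "communications failure", 2.0, 30_000),
]
SAFEGUARDS = [
    Safeguard("access control lists", "prevent", 15_000,
              {("payroll data", "unauthorized modification"): 0.6}),
    Safeguard("transaction log review", "detect", 10_000,
              {("payroll data", "unauthorized modification"): 0.5}),
    Safeguard("redundant communication line", "respond", 20_000,
              {("EFT service", "communications failure"): 0.8}),
    Safeguard("fire suppression system", "respond", 25_000,
              {("machine room", "fire"): 0.9}),
    Safeguard("tape vault", "prevent", 8_000,
              {("media library", "theft of backup tapes"): 0.9}),
]

if __name__ == "__main__":
    for p in rank_pairs(PAIRS):
        print(f"{p.exposure:>10,.0f}  {p.asset}: {p.threat}")
    chosen, residual = select_safeguards(PAIRS, SAFEGUARDS)
    print("chosen:", [s.name for s in chosen])
    print("residual exposure:", round(sum(residual.values()), 2))
    print("missing kinds:", balance_gaps(chosen))
```

The second safeguard against payroll modification is valued against the exposure left after the first, so overlapping controls are not double-counted; the two safeguards left out cost more per year than the exposure they remove.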
7. Contingency planning
209. Every EDP system has been developed to perform some type of service or to fulfill a role. The plans for achieving the goals associated with that role are, in most instances, based on normal operating conditions. However, no amount of precautionary work can preclude the occurrence of situations that produce unexpected disruptions in routine operations. Contingency planning is therefore a basic requirement in the EDP security program, regardless of the sensitivity of the information processed or the size of the installation providing the service.
D. Law enforcement and legal training
210. The dynamic nature of computer technology, compounded by specific considerations and complications in applying traditional laws to this new technology, dictates that the law enforcement, legal and judicial communities must develop new skills to be able to respond adequately to the challenge presented by computer crime. The growing sophistication of telecommunications systems and the high level of expertise of many system operators complicate significantly the task of regulatory and legal intervention.
211. Familiarity with electronic complexity is slowly spreading among the general population. It is a time when young people are comfortable with a new technology that intimidates their elders. Parents, investigators, lawyers and judges often feel a comparative level of incompetence in relation to "complicated" computer technology. In their recent book, Hafner and Markoff contend that society is in a transition, in terms of general familiarity with computers and their use. Training in this area and familiarity with the concepts behind complex computer techniques such as trojan horses and salami slices are required before law enforcers can operate adequately.
212. Until recently, computer-related crime was concentrated in the economic environment. The law enforcement community responded by training existing commercial crime or fraud experts in the specialized area of computer crime investigation. However, modern experience indicates that computer crime has progressed far beyond the economic environment and is evident in many areas of traditional criminal activity. For example, drug traffickers can utilize data banks to organize transactions and store records of their contacts. Sex offenders have utilized computer bulletin boards to identify potential victims. A coordinated and concentrated effort must be made to provide investigators, prosecution authorities and the courts with the necessary technical means and expertise to adequately and properly investigate all types of computer crime. To adopt this approach will require a dedication to efficient training.
213. Few individuals possessing the necessary blend of experience and technical understanding in computer technology are employed in law enforcement. Teaching computer techniques to individuals in all sectors of the justice system will promote an appreciation of the complexities that have arisen in this new area of enforcement and will foster consistency in the application of criminal sanctions and procedures. For example, traditional search and seizure techniques are conducted in an environment where the evidence being sought is visible or otherwise tangible. In the electronic environment, however, courts and investigators alike are often unsure how to apply traditional evidence procedures to intangible information. In addition, very few legislative or procedural guidelines exist. Proper training in clearly developed search and seizure techniques is required to ensure the preservation of evidence consistent with accepted principles of admissibility of evidence, while at the same time protecting the rights of all parties to the action.
214. An appropriate training programme would, therefore, impart a thorough understanding in five areas.
1. The difference between a civil and a criminal wrong
215. Since not all computer-related abuses may constitute a criminal offense, it is necessary to be able to differentiate between infringements of the civil law and the criminal law, as well as to determine what are merely social nuisances. This is important for the purposes of establishing liability and respecting the rights of citizens, and it also permits scarce police resources to be concentrated on and allocated to conduct that is truly deserving of the criminal sanction.
2. The technology
216. To address computer crime, most police departments are allocating a greater proportion of resources to their economic or fraud investigation divisions, since many types of computer crime occur in the course of business transactions or affect financial assets. Accordingly, it is important for investigators to know about business transactions and about the use of computers in business.
217. To be able to understand fully the potential for criminal exploitation of computer technology, regardless of whether it is business-related, investigators must have a thorough understanding of that technology. Experience has demonstrated that the assistance of technical experts is not sufficient. The ideal situation is to have investigators with not only solid criminal investigation backgrounds but also supplementary technical knowledge. This is similar to the traditional approach, where many police forces ensure that their fraud investigators, although not necessarily accountants, possess a thorough understanding of financial and business record-keeping.
218. By extension, the administrators of the criminal justice system must also ensure that those who fulfill the prosecutorial and judicial duties possess enough technical knowledge to be able to properly prosecute and adjudicate computer crimes.
3. Proper means of obtaining and preserving evidence and of presenting it before the courts
219. Investigators have always been expected to be well trained in obtaining evidence, maintaining its continuity and integrity and presenting it to the prosecutorial authorities in a manner such that it may be considered by the courts. These processes presented little difficulty when the evidence was tangible and detectable by human senses. Computer technology, however, has introduced new challenges to the gathering and preservation of evidence. Investigators must be able to search for, gather, analyze, maintain the continuity and integrity of, and present computer evidence for the purposes of judicial hearings. It must be done in a manner that is fair to the parties concerned and that does not risk damaging or modifying the original data. This requires a special knowledge of and the development of investigatory techniques that will be judicially acceptable. It also requires an understanding of the laws of evidence of the particular jurisdiction.
4. The intricacies of the international nature of the problem
220. National boundaries, which in the past may have hindered the activities of criminals, have effectively disappeared with the advent of modern telecommunications. In gathering evidence, investigators must be able to understand and deal with international issues, such as extradition and mutual assistance. The laws of evidence, criminal procedure and data protection of other jurisdictions must be considered when pursuing international investigations.
5. The rights and privileges of the accused and the victim
221. Investigators, prosecutors and others involved in the investigation and prosecution of computer crime must be fair to both the accused and the victim in order to ensure equitable application of the law. Additionally, in dealing with international investigations, investigators should also understand the rights and privileges in the other jurisdiction to ensure the integrity and fairness of the investigation. Respect for the rights and privileges of all persons concerned will not only ensure the credibility of the investigators and others who present these matters before the courts, but it may also help to instill confidence in the citizenry that the criminal justice system can adequately and fairly deal with the challenges posed by the computer criminal.
E. Victim cooperation in reporting computer crime
222. In paragraph 30, the term "dark figure" was briefly discussed. All studies in this area have indicated that the true extent of computer-related crime is unknown, since most crimes are either not detected or are not reported to the responsible authorities. The inability or reluctance of victims to identify incidents of computer crime must be addressed.
223. International studies have examined the rationale behind this reluctance, evident particularly in the financial sector, to report computer crime. Loss of consumer confidence in a particular business and in its management can lead to even greater economic loss than that caused by the crime itself. In addition, many managers fear personal repercussion if responsibility for the infiltration is placed at their door. Victims have complained about the inconvenience of lengthy criminal investigations and indeed have questioned the ability of authorities to investigate the crime. These concerns, however, must be balanced by the equally important consideration that, in the absence of detection and sanction of crime, offenders will be encouraged to commit further computer-related crimes.
224. Without the cooperation of victims of computer crime, efforts to suppress computer crime can be only partially effective. Reporting incidents of crime to authorities and society at large is necessary to discourage criminal behaviour. In response to the concerns of the business community regarding consumer confidence, it is suggested that an open, proactive approach to computer crime in fact would instill public confidence in a company's commitment to preventing and detecting crime and to protecting the interests of its investors.
225. The accurate reporting of computer crimes provides an additional benefit. The more information the law-enforcement community has on new trends in computer crime, the better it can adapt existing methods of detection to respond to them. The experience and knowledge of those responsible for investigating and processing computer crimes would be immeasurably broadened.
226. Methods to encourage victim openness have been discussed by the Select Committee of Experts on Computer-Related Crime. The report of that Committee detailed various possible strategies, ranging from legislating cooperation to creating an independent body that would provide advice and assistance to victims. While no definitive solution was chosen, there was a consensus that reporting of crimes would promote public confidence in the ability of the law-enforcement and judicial communities to detect, investigate and prevent computer-related crime.
F. Developing a computer ethic
227. In contrast to the science of computers, which has only existed in this century, other sciences and disciplines have had a longer time in which to develop the ethical standards and principles that inform new developments. Codes of ethics in medicine, accounting, law and engineering, for example, are well established and a continuity of principles and ethics has been maintained as these codes are transferred from instructor to student.
228. The need for a similar, specialized ethic for computer technology is clear. Computer-specific ethical issues arise from the unique characteristics of computers and the roles they play. Computers are now the repositories of modern, negotiable assets, in addition to being a new form of asset in themselves. Computers also serve as the instrument of actions, so that the degree to which computer service providers and users should be responsible for the integrity of computer output becomes an issue. Furthermore, as technology advances into areas such as artificial intelligence, threatening to replace humans in the performance of some tasks, it takes on intimidating proportions.
229. The need for professionalism on the part of service providers in the computer industry, as well as on the part of systems personnel who support and maintain computer technology, is well recognized. Ethical codes are the natural consequence of realizing the commitment inherent in the safe use of computer technology in both the public and private sector.
230. There is a parallel need for professionalism on the part of users of computer systems, in terms of their responsibility to operate legally in full respect of the rights of others. Users must be made aware of the risks of operation when systems are being used or installed; they have a responsibility to pursue and identify lapses in security. This will promote ethical conduct in the user community.
231. Education can play a pivotal role in the development of ethical standards in the computer service and user communities. Exposure to computers occurs at a very early age in many countries, often at the primary school level. This presents a valuable opportunity to introduce ethical standards that can be broadened as children progress through school and enter the workforce. Universities and institutes of higher learning should include computer ethics in the curriculum since ethical issues arise and have consequences in all areas of the computer environment.
232. In 1992, recognizing that, with society's increasing dependence upon computer technology, standards ensuring the availability and the intended operation of systems were required, OECD adopted guidelines for the security of information systems. As increased dependence results in increased vulnerability, standards to protect the security of information systems are just as important. The principles that OECD is promoting have broader application than the security of information systems; they are equally relevant for computer technology in general. Of primary importance among these principles is a statement of ethics that recognizes the rights and legitimate interests of others in the use and development of the new technologies (see paragraph 238).
233. The promotion of positive computer ethics requires initiatives from all sectors of society at the local, national and international levels. The ultimate benefit, however, will be felt by the global community.
G. International security of information systems
234. Lack of international coordination and cooperation can have detrimental effects on national and international economies, on trade and on participation in social, cultural and political life. International understanding of, and domestic implementation of, measures that are required to enhance the security of information systems and facilitate the international exchange of data and commerce are important. Confidence that countries are abiding by security principles promotes confidence in international trade and commerce.
235. It has been noted throughout this Manual that the present measures, practices, procedures and institutions may not adequately meet the challenges posed. There is a need for clarity, predictability, certainty and uniformity of rights and obligations, of enforcement of rights, and of recourse and redress for the violation of rights relating to information systems and their security.
236. The OECD guidelines for the security of information systems were developed to provide a foundation on which countries and the private sector, acting singly and in concert, may construct a framework for the security of information systems. The framework includes laws, codes of conduct, technical measures, management and user practices and public education and awareness activities. The guidelines are intended to serve as a benchmark against which Governments, the public sector, the private sector and society may measure their progress.
237. The guidelines are addressed to the information systems. They are intended to accomplish the following:
Promote cooperation between the public and private sectors in the development and implementation of such measures, practices and procedures;
Foster confidence in information systems and the manner in which they are provided and used;
Facilitate development and use of information systems, nationally and internationally;
Promote international cooperation in achieving security of information systems."
238. The guidelines are based on nine principles:
The responsibilities and accountability of owners, providers and users of information systems and other parties concerned with the security of information systems should be explicit.
In order to foster confidence in information systems, owners, providers and users and other parties should readily be able, consistent with maintaining security, to gain appropriate knowledge of and be informed about the existence and general extent of measures, practices and procedures for the security of information systems.
Information systems and the security of information systems should be provided and used in such a manner that the rights and legitimate interests of others are respected.
Measures, practices and procedures for the security of information systems should take account of and address all relevant considerations and viewpoints, including technical, administrative, organizational, operational, commercial, educational and legal considerations and viewpoints.
Security levels, costs, measures, practices and procedures should be appropriate and proportionate to the value of and degree of reliance on the information system and to the severity, probability and extent of potential harm, as the requirements for security vary depending on the information system.
Measures, practices and procedures for the security of information systems should be coordinated and integrated with each other and other measures, practices and procedures of the organization so as to create a coherent system of security.
Public and private parties, at both the national and international levels, should act in a timely and coordinated manner to prevent and to respond to breaches of security of information systems.
The security of information systems should be reassessed periodically, as information systems and the requirements for their security vary over time.
The security of information systems should be compatible with the legitimate use and flow of data and information in a democratic society."