
SEPT - OCT THE COMPUTER LAW AND SECURITY REPORT

Television broadcasts: The ownership of the copyright in a television broadcast resides with the broadcasting authority (BBC/ITA). The initial ownership of a copyright work can therefore belong to a corporate entity, and this should certainly be the case with computer generated output, where the only reasonable owner of the work is the person or company which undertakes to bring together all the component parts of the system generating the output.

• A new Part II work

In order to provide a satisfactory method of protecting valuable computer generated output from unauthorised copying, it would appear necessary to define a new Part II work that encompasses all copyright-type outputs of computers for which a specific author is not identifiable, and to assign ownership to the controller of the machine, while still allowing for the creation of Part I type works on machines where there is direct human control of the style and content of the output. The controller of the machine could be defined as the person or corporate entity that brings together all the operable parts of the system necessary to produce the output. Because it is possible to envisage expert systems producing output regularly on an automatic basis, the definition should not include a reference to a user or operator.

Expert systems and invention

A similar problem exists with regard to the output of an expert system and questions of inventorship. It is now feasible for an expert system to be used to evaluate all the possible chemical chains and formulae and to predict their result if used in a given set of circumstances. The expert system may be asked to evaluate all chemical combinations and their efficacy in preventing or curing a particular disease. The output could be a new inventive chemical without a human inventor. To apply for a patent in the UK you do not need to name an inventor, but in most other countries you do. So is the inventor the devisor of the system, the user of the system who asked the question of the machine (neither of whom had any knowledge that contributed to the end result), or something else? Who would collect the Nobel Prize? This may not be a pressing problem at the moment, but these questions and others like them will be very topical in a few years' time. I do not have anything other than a mundane solution to the inventorship problem, and that is similar to the solution to the copyright problem: that the invention is credited to and owned by the controller of the expert system. But I shall be very interested in readers' comments, if they have any.

John E Appleton, Report Correspondent, European Patent Attorney, IBM (UK) Ltd.

RISK MANAGEMENT

THE NATURE OF COMPUTER CRIME - a risk management perspective

Part I: Introduction

Our perception of risk is shaped along traditional lines. For most of us, the risks that we can relate to are those that have been with us for many years: fire, flood, accidental damage, theft, fraud and embezzlement. The development of computer technology has introduced a new range of risks, and a new set of vulnerabilities. The value of the hardware is immaterial compared with the potential costs that could arise out of its failure or misuse. Of equal importance to the natural perils are the man-made risks, whether malicious or accidental in motive. Our priorities have been slow to reflect these changes. Insurance covers, risk management thinking and management strategy still reflect the computer technology of the early 1970s.

The computer is a piece of electronic machinery totally devoid of any intelligence or the ability of logical thought. The "intelligence" it displays is merely the execution of its instructions (the programs) and its capability to undertake that execution at a speed far greater than that of the human mind. Its only powers of discernment are therefore those that have been consciously built into it, whether by aspects of its operating system, its programs or its physical accessibility. If there is an exploitable gap in this three-layer armour it will blindly execute all the instructions it is given, no matter how illogical or openly fraudulent. Two very simple examples, not in the area of crime:

• A clerk in the U.S. army ordered a new part for an army base in Colorado. He mistyped into the computer part number 4772 instead of 4972. Instead of a headlight for a jeep he was sent a seven ton marine anchor. In a manual system someone would have queried the use of a marine anchor in an army base 1000 miles inland. However, most people assume that if the instructions come from a computer they must be right.

• The Vice President of an American bank linked his home computer to the bank's computer to do some work over the weekend. He and his wife went out on the Saturday night, and he foolishly left the computer switched on and connected. His three year old daughter convinced the babysitter that Daddy didn't mind her playing with his computer, and randomly played with the keyboard. The following Monday morning, when bank staff accessed the computer records, they found that the bank had literally no money. By pure chance the three year old had succeeded in transferring the bank's entire assets by money transfers to unknown destinations.

Massive computer fraud, by employees and 'third parties', is regularly reported and is considered by many within the industry to be the tip of the iceberg. According to one estimate, 85% of computer fraud is undetected, 5% is detected but not disclosed, and only 10% is reported.

Fortunately for the legitimate computer user, the risks of computer misuse can be largely offset by the computer itself: in addition to supplementing physical protection with software controls, the computer can also be programmed to audit itself, that is, to identify irregularities in payments, in transactions, in common data within a database and even in its own usage. Given the availability of such sophisticated computer protection there is a tendency for most computer users to discount the shock reports and assume that 'it could not happen to us'. However:

* Few, if any, computer installations utilise the protections available within the state of the art.

* Well designed protections, such as physical access controls and security passwords, fall into disuse or abuse with the passage of time. Management must tread the difficult tightrope between a strict regime, which can lead to job frustration and so encourage fraud, and a relaxed environment in which the need to maintain tight security appears to recede.

* Many auditors do not have the specialised experience to spot the potential for electronic fraud; nor indeed do they see fraud discovery as being amongst their responsibilities. An analysis of how frauds come to be discovered makes fascinating reading: 51% by accident, 19% by auditors, 10% by management controls, and an incredible 20% by disgruntled mistresses. The lesson is obvious.

* Because computer usage is so time critical, the system must allow someone the ability to bypass the controls. These key people, D.R. managers, chief maintenance engineers, systems managers and the like, are in a position of trust which, if abused, could permit high level fraud.

* The motivation for a programmer may not be financial gain but the challenge created by the system. The spoils become the bonus points in a high risk game of space invaders, or a method of providing intellectual challenge to understimulated minds.

The networked computer takes the company's accounting system, its management information, and its very lifeblood, away from the inner sanctums at head office, away from the trusted and well vetted accounts and managerial staff, and into every office within the corporate structure. Dial-up access or the use of automated teller machines could take it into every personal computer user's home and every high street hole in the wall, accessible to anyone with the ingenuity to crack the system. We are not talking fiction or speculation. It is happening:

* In Australia in summer 1985 a 16 year old computer enthusiast faced 400 separate theft charges after defrauding a building society's ATM system of A$40,000, having discovered the system's Achilles' heel: the hour-long period in the early hours of the morning when the mainframe containing the customers' records and balances was off line for batch processing. During this time the cash dispensers gave out money, but could not check the customer's account to obtain balance details. He realised that this was a recipe for unlimited drawings and opened over 40 savings accounts using bogus names and addresses. On the night in question he was able to go from ATM to ATM, drawing up to each dispenser's limit.

In America, where things always seem to happen on a larger scale, there is a recently reported ATM fraud involving losses of $450 million.

* Interpol were called in by executives at the Stockholm Stock Exchange after it was discovered that more than $7 million had been milked from the account of SPP, Sweden's leading insurance company. Stockholm's District Attorney subsequently charged a 35 year old Frenchman, believed to have worked as a programmer in the Exchange's computerised securities section, with gross fraud, gross reception of stolen goods and grand larceny. The French suspect, an entrepreneur resident in Sweden, allegedly diverted to his personal bank account 53 million Krone ($7.4m) in Volvo stock dividends which should have gone to the insurance company. The dividends were supposed to have been deposited via the computerised register at the Stockholm Stock Exchange in SPP's account at Skandinaviska Enskilda Banken, Sweden's largest commercial bank. Instead, police allege, the money ended up in the arrested man's account in the same bank.

* An American Bar Association survey has revealed that 27% of businesses polled had been victims of computer crime during the twelve month period ending June 1984. Statistics from the FBI show that the average computer related crime loss is $500,000, whereas the average bank robber steals only $3,500; the average non-computer-assisted employee embezzlement costs $25,000, whereas the average computer-assisted employee embezzlement costs $430,000. Apart from the possibility of higher rewards, the deterrent is that much lower: according to the president of an American security firm, the average bank robber, if caught, has a 90 per cent chance of prosecution and, if convicted, will be given a five year sentence. A thief who is successful in an electronic funds transfer manipulation has a 15 per cent chance of prosecution if caught and, if convicted, faces a five MONTH sentence.

Technology is changing at such a rapid pace that new risks are being added almost every day. Physical security can be audited because it is overt - but how can the security consultant, or the insurer, or the user himself, spot the bug in the program, the loophole in the controls, that will, once spotted by someone with a criminal mind, lead to yet another record breaking computer crime? The answer at present seems to be that in many cases the first discovery comes with the discovery of the crime itself. Perpetrators have sold details of the loophole or bug they discovered in return for immunity from prosecution, and sometimes for continued employment or for being allowed to keep at least part of the proceeds.
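The stand-in window in the Australian ATM case above (dispensers paying out while the mainframe was off line for batch processing) and the earlier observation that the computer can be programmed to audit itself together point to the control that was missing. The Python simulation below is an added example, not code from the article: the weak path reproduces per-terminal limits with no per-card state, while the hardened path adds a per-card stand-in cap shared across all terminals and a reconciliation pass that flags overdrawn cards once the host returns. The switch class, limits, card names and balances are assumed values constructed for illustration.

```python
# Constructed simulation (example code, not the article's own): an ATM switch
# with a stand-in window.  Per-terminal limits alone let one card drain every
# dispenser while the host is offline; the hardened path adds a per-card cap
# shared across terminals and a reconciliation pass when the host returns.
# Limits, card names and balances below are assumed values for illustration.
from dataclasses import dataclass, field

PER_TERMINAL_LIMIT = 200   # most cash one dispenser pays on a single request
STANDIN_CARD_CAP = 300     # total a card may draw across ALL terminals while offline

@dataclass
class Switch:
    balances: dict                      # host ledger: card -> balance
    hardened: bool = True               # False reproduces the unlimited-drawings flaw
    host_online: bool = True
    standin_total: dict = field(default_factory=dict)  # card -> drawn while offline
    standin_log: list = field(default_factory=list)    # (card, terminal, amount)

    def authorise(self, card, terminal, amount):
        """Return True if the withdrawal is approved."""
        if amount > PER_TERMINAL_LIMIT:
            return False
        if self.host_online:                       # normal path: real balance check
            if self.balances.get(card, 0) < amount:
                return False
            self.balances[card] -= amount
            return True
        if self.hardened:                          # stand-in path with per-card cap
            drawn = self.standin_total.get(card, 0)
            if drawn + amount > STANDIN_CARD_CAP:
                return False
            self.standin_total[card] = drawn + amount
        self.standin_log.append((card, terminal, amount))  # kept for reconciliation
        return True

    def reconcile(self):
        """Host back online: post stand-in withdrawals, return cards now overdrawn."""
        flagged = set()
        for card, _terminal, amount in self.standin_log:
            self.balances[card] = self.balances.get(card, 0) - amount
            if self.balances[card] < 0:
                flagged.add(card)
        self.standin_log.clear()
        self.standin_total.clear()
        return sorted(flagged)


def drain(switch, card, terminals):
    """Visit each dispenser once asking for its full limit; return cash obtained."""
    return sum(PER_TERMINAL_LIMIT for t in terminals
               if switch.authorise(card, t, PER_TERMINAL_LIMIT))


def run_scenario(hardened):
    """Bogus account holding 10, five ATMs, host offline for the batch window."""
    sw = Switch(balances={"bogus-01": 10, "genuine-07": 500}, hardened=hardened)
    sw.host_online = False
    drained = drain(sw, "bogus-01", ["atm-1", "atm-2", "atm-3", "atm-4", "atm-5"])
    sw.host_online = True
    return drained, sw.reconcile()   # flaw: (1000, ['bogus-01']); hardened: (200, ['bogus-01'])
```

Even the hardened path still pays out against an unverified balance, which is the inherent cost of stand-in processing; the cap bounds that exposure and the reconciliation pass is what turns a silent loss into a flagged account.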

David Davies

o0o

THE HUMAN RISKS - AN AUDITOR'S POINT OF VIEW

The role of the auditor in today's constantly changing computer environment encompasses far more than the traditional methods employed in the past. An auditor is often expected to investigate only the physical aspects of a computer centre and to inspect the integrity of any given system, with most emphasis placed on financial applications. However, if he restricts his brief to these areas alone he is unlikely to identify the area of exposure which poses the greatest threat to any computer installation: the human one - a risk that by its nature can never be fully understood or controlled.

The problem

The range of skills available to the traditional auditor does not allow him to understand fully or appraise the human factor involved in this basic area of risk. The majority of computer auditors enter the field of combat with little education in the field of human psychology in relation to computer fraud and security. Their sole aim is to ensure that the computer system is not being used to defraud the owners of cash or of sensitive information. With this in mind, effort will be concentrated on the physical security aspects of the installation, often using an outdated checklist, and on the standards and procedures observed at the site with regard to network and applications security measures. To be fair, a skilled computer man, taught the basics of the auditor's job function, will investigate many other areas of concern based on his own experience and knowledge gained from hands-on involvement in a data processing centre. He
