software security


by STUART WALSH

Abstract: Computer accidents, errors and breaches of security can be very expensive for a company. Management must ensure that the computer is protected. Using packaged software can provide extra controls against system abuse.

Keywords: data processing, computer software, computer security.

Stuart Walsh is sales director for MSA (Management Sciences America) Ltd.

Stringent internal controls in data processing are no longer simply a good business practice; they are increasingly demanded by law. In addition to the various reporting requirements, regulations concerning individual rights to privacy require that access to certain information be closely guarded. The computer has become the repository of virtually all such information, with the information itself being the lifeblood of continued existence for many companies.

Computer accidents, errors, and inadvertent breaches of security can be costly and time-consuming. Data processing managers may be held accountable for failure to protect critical corporate information, so it is in a DPM’s interests to maintain computer security.

As well as storing vital records, the computer serves as a ‘vault’ for today’s automated assets, and as such, is a tempting target for theft. Skilled computer criminals can break into a computer vault far more easily than an armed robber can gain access to a bank vault, and usually with much less risk of apprehension and punishment. A slight change in a complex computer program can cause the misappropriation of thousands of pounds. Similarly, accidental erasure of a crucial program can paralyse the company’s operations. Anyone familiar with the correct procedure can gain access to information, no matter how confidential, stored in the computer.

Virtually every company with a computer is vulnerable to computer abuse, crime, and accident. Security of the computer, and the information and assets contained therein, is therefore of paramount importance to all management, especially in the DP department.

Growth of computer crime

Although the actual extent of computer crime is difficult to measure, most experts agree that it is one of the fastest growing illegal activities [1, 2]. The principal reason for both the growth and lack of accurate measurement of computer crime is the difficulty in detecting a well-executed theft. Losses per incident therefore tend to be higher than those for other types of theft. Once the computer criminal has compromised the system, it is just as easy to steal a great deal as it is to steal a little, and to continue stealing beyond the initial theft. Indeed, the computer criminal may find it more difficult to end the illicit activity than it was to start it.

Computer thefts are often not reported. Often an operator is simply dismissed while the company quietly absorbs the loss. Even in cases involving large sums of money, management is usually embarrassed to admit that the system failed and fears that publicity about their vulnerability will undermine the confidence of shareholders, customers, and government regulators.

Types of abuse

Computer criminals are, for the most part, well-educated and highly intelligent, with analytical skills that make them valued employees. Their ability to understand and operate equipment that many managers find intimidating is generally respected. Computer criminals do not fit criminal stereotypes, enabling them to obtain the trusted positions they require to carry out the crime.

Computer thieves have fertile imaginations and the ways in which they use the equipment to their advantage are constantly growing. In addition to direct theft of funds, the theft of data (‘programnapping’) for the purpose of corporate espionage or extortion is an increasingly widespread crime that can have a substantial effect on a company’s finances.

One lucrative scheme particularly difficult to detect involves accumulation of fractions of pence from individual payroll accounts and the electronic transfer of the accumulated amount to the criminal’s payroll. Employees are not concerned with pence, much less fractions of pence. In addition, the company’s total payroll is not affected. But the cumulative value of fractions of pence per employee in a company with a substantial payroll can add up to a tremendous gain for the malefactor.
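A reconciliation check for the fractions-of-pence scheme, as an added example that is not part of the original article: it recomputes each payment from the exact figure and shows that a run can balance in total while individual payments deviate. The record layout, the names and the round-half-up rule are assumptions, and the payroll figures are constructed.

```python
from decimal import Decimal, ROUND_HALF_UP

PENNY = Decimal("0.01")

# Constructed sample run: (employee, exact net pay, amount actually paid).
SAMPLE_RUN = [
    ("E001", Decimal("812.347"), Decimal("812.34")),
    ("E002", Decimal("1043.118"), Decimal("1043.11")),
    ("E003", Decimal("655.502"), Decimal("655.50")),
    ("E004", Decimal("920.996"), Decimal("920.99")),
    ("E005", Decimal("700.004"), Decimal("700.03")),
]

def reconcile(run, rounding=ROUND_HALF_UP):
    """Recompute each payment from the exact figure and report deviations.

    The rounding rule is an assumption; use the one the payroll
    specification actually mandates.
    """
    deviations = {}
    for employee, exact, paid in run:
        expected = exact.quantize(PENNY, rounding=rounding)
        if paid != expected:
            deviations[employee] = paid - expected
    return {
        # Accounts paid less than the rounding rule gives them.
        "shorted": sorted(e for e, d in deviations.items() if d < 0),
        # Accounts paid more: where the shaved pence ended up.
        "overpaid": sorted(e for e, d in deviations.items() if d > 0),
        # A net of zero means a control-total check alone would pass.
        "net": sum(deviations.values(), Decimal("0")),
        "deviations": deviations,
    }

if __name__ == "__main__":
    report = reconcile(SAMPLE_RUN)
    print("short-paid:", report["shorted"])
    print("overpaid:  ", report["overpaid"], "net deviation:", report["net"])
```

On the constructed run the net deviation is zero, so only the per-record comparison exposes the three short-paid accounts and the one account that absorbed the difference.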

Sabotage is also an increasingly common type of computer crime. Some sabotage involves disabling the hardware, but frequently sabotage is carried out through the software. Everyone in the computer business knows of cases where ‘time bombs’ have been placed in programs. In such instances the programmer inserts instructions into a program which cause the computer to destroy an entire personnel databank in the event that the programmer’s employment is terminated. As soon as the termination data is fed into the computer, it automatically erases the entire tape and program. Such acts of sabotage are particularly difficult to prevent because they do not become evident until the trigger is activated by an apparently unrelated event.

Not all computer losses are attributable to theft or abuse. Simple human error is by far the largest cause of most system failures. Data stored on discs or tapes is accidentally erased or improper entry of information introduces errors into the database. The program itself, if newly created, must undergo extensive ‘debugging’.

vol 25 no 3 april 1983 0011-684X/83/030009-02$03.00 © 1983 Butterworth & Co (Publishers) Ltd.

Guarding against computer compromise

Computer security involves the DP manager in three basic areas:

• protection of hardware from physical damage
• controlling access to equipment and data
• protecting software

Protection of hardware from accidental or intentional damage is a function of the environment in which the equipment is kept.

For access control, the computer area must be isolated from other company facilities, with access to the area strictly controlled. No unauthorized person should ever be admitted to the computer area. Many insurance companies and corporate protection firms offer free evaluation of the physical security of computer installations.

Protection of software is more difficult. Some risks are reduced by controlling physical access to data by unauthorized personnel, but most accidental and intentional software damage is done by those whose jobs require at least some access to the programs. The creator of the program is often the one responsible for its misuse. Programs produced exclusively for a particular company are therefore far more vulnerable to abuse and accident than standardized program packages created and implemented by external software producers.

A unique program is difficult and expensive to replace. Accidental erasure, sabotage, or physical removal of a single program may mean that a whole system will have to be rebuilt, including a lengthy and expensive testing process. Meanwhile, the company must find another way to process the data, not a simple task if the computerized system has been relied upon for some time.

The creators of a custom program are almost always employees of the company and may or may not have a vested interest in the program’s function. In the course of their original programming activity, however, they can include virtually any instruction or routine with very little risk of detection. Moreover, these same internal employees can change the program at will, and there is little management can do to make sure alterations in a unique program are legitimate.

Systems controlling cash management, financial operations, and personnel and payroll functions offer the greatest potential gains and are therefore the most common targets for computer crime and sabotage.

Using standardized application software can help to protect the system. Uniform software packages support computer security because program sabotage is most often the work of disgruntled employees. The programs in a software package are written, tested, documented, and maintained independently by professional organizations who have no vested interest in the continuing operation of the computer and are unaffected by management’s policy decisions.

Internal programmers have little need to become thoroughly familiar with a software package because it is delivered and installed complete. A duplicate program can easily be obtained if the company suspects for any reason that the software application has been compromised.

Controls included in software packages are almost always more strict than those incorporated into internally developed systems because the former must function in a variety of environments. In addition, software packages provide for different levels and types of access. One user, through the use of a particular set of codes, may gain access to view the data in the system, but another set of codes may be required to alter data.

Financial, cash management and human resource computer software packages also provide a means of logging and identifying the source of every access or change to the system. Each inquiry and update is identified by operator and/or terminal, thereby preventing anonymous access. This discourages abuse and encourages the operator to become conscientious. Because authorized operators are guided in their procedures, errors are minimized.
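A review pass over such an access log, as an added example that is not from the article or from any MSA package: it flags entries that identify neither operator nor terminal, and updates made under a code that only permits viewing. The code table, the log format and all names are hypothetical, and the log lines are constructed.

```python
# Hypothetical code table: which actions each access code permits.
CODE_RIGHTS = {
    "V100": {"INQUIRY"},            # view-only code
    "A200": {"INQUIRY", "UPDATE"},  # code required to alter data
}

# Constructed log lines: sequence|operator|terminal|code|action|record
SAMPLE_LOG = """\
0001|jsmith|T04|V100|INQUIRY|EMP-1182
0002|jsmith|T04|V100|UPDATE|EMP-1182
0003|||A200|UPDATE|EMP-0417
0004|mpatel|T02|A200|UPDATE|EMP-0417
0005||T07|V100|INQUIRY|EMP-0933
0006|mpatel|T02|Z999|INQUIRY|EMP-0933
"""

def review(log_text):
    """Return (sequence, finding) pairs for entries that break the controls."""
    findings = []
    for line in log_text.splitlines():
        seq, operator, terminal, code, action, _record = line.split("|")
        # The control is "operator and/or terminal": one of them is enough,
        # but an entry carrying neither is an anonymous access.
        if not operator and not terminal:
            findings.append((seq, "anonymous"))
        rights = CODE_RIGHTS.get(code)
        if rights is None:
            findings.append((seq, "unknown-code"))
        elif action not in rights:
            # For example an UPDATE logged under a view-only code.
            findings.append((seq, "code-lacks-right"))
    return findings

if __name__ == "__main__":
    for seq, finding in review(SAMPLE_LOG):
        print(seq, finding)
```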

But even with a controlled physical environment and the use of uniform software applications, security procedures are only effective if they are strictly adhered to by everyone in the company. It is not at all unusual to walk into a computer room and find the instructions for gaining access, along with the daily password, taped to a terminal. Security consciousness must permeate the entire organization if it is to be effective, and that consciousness must be generated from top management down to every employee.

References

1. Wood, Michael, Computer systems security, Data Processing (September 1982).

2. Simpson, Alan, UK computer fraud survey, Data Processing (September 1982).

MSA (Management Sciences America) Ltd, MSA House, 99 King Street, Maidenhead, Berks SL6 1YF, UK. Tel: (0628) 71011.

10 data processing