software security
by STUART WALSH
Abstract: Computer accidents, errors and breaches of security can be very expensive for a company. Management must ensure that the computer is protected. Using packaged software can provide extra controls against system abuse.
Keywords: data processing, computer software, computer security.
Stuart Walsh is sales director for MSA (Management Sciences America) Ltd.
Stringent internal controls in data processing are no longer simply a good business practice; they are increasingly demanded by law. In addition to the various reporting requirements, regulations concerning individual rights to privacy require that access to certain information be closely guarded. The computer has become the repository of virtually all such information, with the information itself being the lifeblood of continued existence for many companies. Computer accidents, errors, and inadvertent breaches of security can be costly and time-consuming. Data processing managers may be held accountable for failure to protect critical corporate information, so it is in a DPM’s interests to maintain computer security.
As well as storing vital records, the computer serves as a ‘vault’ for today’s automated assets, and as such, is a tempting target for theft. Skilled computer criminals can break into a computer vault far more easily than an armed robber can gain access to a bank vault, and usually with much less risk of apprehension and punishment. A slight change in a complex computer program can cause the misappropriation of thousands of pounds. Similarly, accidental erasure of a crucial program can paralyse the company’s operations. Anyone familiar with the correct procedure can gain access to information, no matter how confidential, stored in the computer.
Virtually every company with a computer is vulnerable to computer abuse, crime, and accident. Security of the computer, and the information and assets contained therein, is therefore of paramount importance to all management, especially in the DP department.
Growth of computer crime
Although the actual extent of computer crime is difficult to measure, most experts agree that it is one of the fastest growing illegal activities [1, 2]. The principal reason for both the growth and lack of accurate measurement of computer crime is the difficulty in detecting a well-executed theft. Losses per incident therefore tend to be higher than those for other types of theft. Once the computer criminal has compromised the system, it is just as easy to steal a great deal as it is to steal a little, and to continue stealing beyond the initial theft. Indeed, the computer criminal may find it more difficult to end the illicit activity than it was to start it.
Computer thefts are often not reported. Often an operator is simply dismissed while the company quietly absorbs the loss. Even in cases involving large sums of money, management is usually embarrassed to admit that the system failed and fears that publicity about their vulnerability will undermine the confidence of shareholders, customers, and government regulators.
Types of abuse
Computer criminals are, for the most part, well-educated and highly intelligent, with analytical skills that make them valued employees. Their ability to understand and operate equipment that many managers find intimidating is generally respected. Computer criminals do not fit criminal stereotypes, enabling them to obtain the trusted positions they require to carry out the crime.
Computer thieves have fertile imaginations and the ways in which they use the equipment to their advantage are constantly growing. In addition to direct theft of funds, the theft of data (‘programnapping’) for the purpose of corporate espionage or extortion is an increasingly widespread crime that can have a substantial effect on a company’s finances.
One lucrative scheme particularly difficult to detect involves accumulation of fractions of pence from individual payroll accounts and the electronic transfer of the accumulated amount to the criminal’s payroll. Employees are not concerned with pence, much less fractions of pence. In addition, the company’s total payroll is not affected. But the cumulative value of fractions of pence per employee in a company with a substantial payroll can add up to a tremendous gain for the malefactor.
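
Because the scheme above leaves the run total unchanged, a control that only compares totals passes it; the shortfall shows only when each account is recomputed from its own inputs. The check below is an added example, not part of the original article, and the record layout, account names, figures and the half-up rounding policy are constructed assumptions.

```python
from decimal import Decimal, ROUND_HALF_UP

PENNY = Decimal("0.01")

# Constructed sample run: (account, hours, hourly rate, amount actually paid).
# E01 and E04 were each paid a penny under the rounded entitlement and
# E05 was paid the two pence that went missing.
SUSPECT_RUN = [
    ("E01", "37.5", "7.333", "274.98"),
    ("E02", "39.25", "6.127", "240.48"),
    ("E03", "35", "8.4567", "295.98"),
    ("E04", "42.5", "5.999", "254.95"),
    ("E05", "37.5", "7.10", "266.27"),
]


def owed(hours, rate):
    """Entitlement under the assumed policy: exact product, rounded half-up."""
    return (Decimal(hours) * Decimal(rate)).quantize(PENNY, rounding=ROUND_HALF_UP)


def audit_run(run):
    """Recompute every account independently of the payroll program's output."""
    report = {"total_paid": Decimal(0), "total_owed": Decimal(0),
              "shorted": {}, "overpaid": {}}
    for account, hours, rate, paid in run:
        paid, due = Decimal(paid), owed(hours, rate)
        report["total_paid"] += paid
        report["total_owed"] += due
        if paid < due:
            report["shorted"][account] = due - paid
        elif paid > due:
            report["overpaid"][account] = paid - due
    return report


def skimming_suspected(report):
    """True when shortfalls on some accounts reappear as gains on others
    while the run total still balances, which a totals-only check misses."""
    moved = sum(report["shorted"].values(), Decimal(0))
    gained = sum(report["overpaid"].values(), Decimal(0))
    return bool(report["shorted"]) and moved == gained


if __name__ == "__main__":
    r = audit_run(SUSPECT_RUN)
    print("totals balance:", r["total_paid"] == r["total_owed"])
    print("shorted:", r["shorted"], "overpaid:", r["overpaid"])
    print("skimming suspected:", skimming_suspected(r))
```
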
Sabotage is also an increasingly common type of computer crime. Some sabotage involves disabling the hardware, but frequently sabotage is carried out through the software. Everyone in the computer business knows of cases where ‘time bombs’ have been placed in programs. In such instances the programmer inserts instructions into a program which cause the computer to destroy an entire personnel databank in the event that the programmer’s employment is terminated. As soon as the termination data is fed into the computer, it automatically erases the entire tape and program. Such acts of sabotage are particularly difficult to prevent because they do not become evident until the trigger is activated by an apparently unrelated event.
Not all computer losses are attributable to theft or abuse. Simple human error is by far the largest cause of most system failures. Data stored on discs or tapes is accidentally erased or improper entry of information introduces errors into the database. The program itself, if newly created, must undergo extensive ‘debugging’.
vol 25 no 3 april 1983 0011-684X/83/030009-02$03.00 © 1983 Butterworth & Co (Publishers) Ltd.
Guarding against computer compromise
Computer security involves the DP manager in three basic areas:
• protection of hardware from physical damage
• controlling access to equipment and data
• protecting software
Protection of hardware from accidental or intentional damage is a function of the environment in which the equipment is kept.
For access control, the computer area must be isolated from other company facilities, with access to the area strictly controlled. No unauthorized person should ever be admitted to the computer area. Many insurance companies and corporate protection firms offer free evaluation of the physical security of computer installations.
Protection of software is more difficult. Some risks are reduced by controlling physical access to data by unauthorized personnel, but most accidental and intentional software damage is done by those whose jobs require at least some access to the programs. The creator of the program is often the one responsible for its misuse. Programs produced exclusively for a particular company are therefore far more vulnerable to abuse and accident than standardized program packages created and implemented by external software producers.
A unique program is difficult and expensive to replace. Accidental erasure, sabotage, or physical removal of a single program may mean that a whole system will have to be rebuilt, including a lengthy and expensive testing process. Meanwhile, the company must find another way to process the data, not a simple task if the computerized system has been relied upon for some time.
The creators of a custom program are almost always employees of the company and may or may not have a vested interest in the program’s function. In the course of their original programming activity, however, they can include virtually any instruction or routine with very little risk of detection. Moreover, these same internal employees can change the program at will, and there is little management can do to make sure alterations in a unique program are legitimate.
Systems controlling cash management, financial operations, and personnel and payroll functions offer the greatest potential gains and are therefore the most common targets for computer crime and sabotage.
Using standardized application software can help to protect the system. Uniform software packages support computer security because program sabotage is most often the work of disgruntled employees. The programs in a software package are written, tested, documented, and maintained independently by professional organizations who have no vested interest in the continuing operation of the computer and are unaffected by management’s policy decisions.
Internal programmers have little need to become thoroughly familiar with a software package because it is delivered and installed complete. A duplicate program can easily be obtained if the company suspects for any reason that the software application has been compromised.
Controls included in software packages are almost always more strict than those incorporated into internally developed systems because the former must function in a variety of environments. In addition, software packages provide for different levels and types of access. One user, through the use of a particular set of codes, may gain access to view the data in the system, but another set of codes may be required to alter data.
Financial, cash management and human resource computer software packages also provide a means of logging and identifying the source of every access or change to the system. Each inquiry and update is identified by operator and/or terminal, thereby preventing anonymous access. This discourages abuse and encourages the operator to become conscientious. Because authorized operators are guided in their procedures, errors are minimized.
But even with a controlled physical environment and the use of uniform software applications, security procedures are only effective if they are strictly adhered to by everyone in the company. It is not at all unusual to walk into a computer room and find the instructions for gaining access, along with the daily password, taped to a terminal. Security consciousness must permeate the entire organization if it is to be effective, and that consciousness must be generated from top management down to every employee.
References
1. Wood, Michael, Computer systems security, Data Processing (September 1982).
2. Simpson, Alan, UK computer fraud survey, Data Processing (September 1982).
MSA (Management Sciences America) Ltd, MSA House, 99 King Street, Maidenhead, Berks SL6 1YF, UK. Tel: (0628) 71011.