Security Within the Organization
Security risks within an organization include the processing of fraudulent transactions, unauthorized access to data and program files, and the physical theft or damage of equipment.
Computer fraud is increasing at an alarming rate. Fraud can be defined as the manipulation of the records of an organization to conceal an illegal act (normally the theft of funds or other assets). Computers can make it easy for employees in particular to defraud the organization, in particular when the level of security and internal control is lax. In manual systems, a common control to limit fraud is to involve two or more people in a process, each one effectively controlling the activities of the others. We call this control process separation of duties. For example in a payroll system one might give an individual the authority to approve increases, another the task of updating the computer and the third the responsibility to distribute funds to employees. Without collusion between them, it would be difficult for any one of these individuals to steal funds from the payroll system and hide his tracks. Unfortunately, in many computer systems, too many separate functions have been computerized and often there is a single clerk responsible for running the entire payroll process. In these situations, anyone who has access to the application can take the opportunity to commit fraud. The most common fraud tactics are:
- Entering fictitious transactions. Most frauds are committed by employees using the system in the normal way to enter fictitious transactions. No special technical knowledge is required and the employee relies on the fact that management supervision of the process in weak.
- Modification of computer files. Normally requires a little more technical expertise as this would involve, for example, the increase or reduction of amounts held on the master file, which cannot be changed within the application without an appropriate transaction (such as a payment).
- Unauthorized changes to programs. This type of fraud is usually limited to staff with programming expertise. A common example is the skimming or salami technique. In a payroll system this would entail deducting a small amount from each individual salary cheque and adding the total to a select individual’s payment. The secret behind this technique is that employees are unlikely to notice a change in their salary (PAYE and other deductions often cause regular variation in the total) and the total payroll will balance (the total amount being paid is the same.)
How does an organization limit fraud? Experts suggest a three-pronged attack. Firstly the organization must stress the need for honesty and ethical behavior in all business activities. Managers must lead by example, new employees must be screened and staff training must support this theme. The second concern is the level of opportunity in the organization to commit fraud. There must be strong internal controls, separation of duties, restricted access to sensitive applications and constant management supervision. Audit trails are used to record the origin of every transaction, and sequential numbering ensures that records cannot be deleted or reports destroyed. Finally, where a case of fraud is discovered, action must be taken against the offender. Many organizations prefer not to prosecute employees suspected of fraudulent behavior because of the negative publicity they will receive in the press. This in itself encourages criminals to repeat the activity in their new working environment knowing the likelihood of punishment is remote.
Unauthorized Data Access
Password protection is the most common method of protecting corporate data. Nevertheless, fraudulent transactions are often carried out by unauthorized users who manage to gain access to the corporate network by using the login details of another user. One way of achieving this is through a terminal spoof – a simple yet effective approach to finding other user’s passwords. A terminal spoof is a program that runs on a machine and looks like the normal login screen. Once a user has given his or her user-id and password, the terminal spoof will record both on the local disk or server, give what looks like an authentic error message (such as invalid password – please re-enter) and then passes control to the real login program. The criminal will pick up the passwords later to gain access to the system masquerading as the unfortunate victim.
Other criminals simply make use of an unattended computer that has been left on by a user who has logged in to the network and then left the office. Time-out or screen-saver programs with password protection provide a simple barrier to this approach In addition, locked doors are a traditional means of excluding undesirable visitors.
Other dangers of which managers should be aware include the Trojan horse, in which code is added to a program, which will activate under certain conditions. For example, a computer consultant in Johannesburg had a client in Durban. He placed a Trojan horse in the payroll program so that it would malfunction while processing the June payroll. They would fly him down, all expenses paid, to fix the problem and stay for the Durban July horse race. Once this had happened for the third time, another consultant was used who uncovered the offending code.
Another risk is the Back-door technique. When programmers are building systems, they may try to bypass all the access security procedures to speed up the development time. In some cases, these “back doors” have not been removed and the programmer can gain illegal entry into the production system.
Sabotage and Theft
When computers were the size of small houses and hidden in secure computer installations, then theft of computer hardware was rare. Today, PCs are on most desks and in many cases they have to be physically bolted to the table to prevent their disappearance. One famous case of theft involved a laptop computer stolen from the back seat of a car in the USA in early 1991. On the hard disk was the master plan for Desert Storm, the details of how the United States and her allies would attack Iraq.
Mobile computing devices are especially vulnerable to theft, and limiting of physical access to equipment is the most effective first line of defense. Restrictions to entry can be based on electronic locks, activated by means of magnetic disks or swipe cards, or on advanced biometric devices that identify the individual based on characteristics such as fingerprints or the pattern of the retina. (In each case, the security mechanism would obviously be linked to a database containing details of authorized users.)
Another form of theft relates to the copying of programs and data resources in an organization. Obtaining customer lists together with the details of the amount and type of business can obviously assist companies to encourage customers away from their competition. Theft of software is a major problem in the PC world where users often make illegal copies of the programs rather than purchase the package themselves – this practice is known as software piracy. This type of theft is more difficult to identify, since the original product has not physically disappeared as with the theft of computer hardware. Where software piracy is discovered, the owner of the computer on which the software resides (often the employer) is held to be legally responsible for the presence of pirated software.
The last category of computer theft covers the illegal use of computer time. In the past computer operators were often caught processing work for third parties or users were doing their own work at the office. Computer hackers spend their time searching for networks to which they can gain access. Having breached the security controls, they often browse around the databases in the installation but may not do any damage. In these instances, the only crime they can be charged with is the theft of computer time.