Chapter 11: Computer Crime and Information Technology Security

AIS in the Business World
- Information is one of today's most important economic assets for any organization.
- It is often stored and transmitted electronically, which makes it vulnerable to computer crime, especially in law firms.
- Understanding the types of computer crimes allows one to understand more clearly how an AIS is affected by common malicious acts.

Taxonomy for Computer Crime (Carter, 1995)
- Target: the criminal targets the system or its data.
    o Objective: impact the confidentiality, availability and/or integrity of the data stored on the computer.
- Instrumentality: the computer is the instrumentality of the crime; the criminal uses the computer to further a criminal end.
    o In crimes targeting the computer, the data are the object of the crime; here the computer is used to commit the crime.
- Incidental: the computer is not required for the crime but is related to the criminal act.
    o Use of the computer simplifies criminal actions and makes crimes difficult to trace.
- Associated: technological growth creates new crime targets and new ways of reaching victims.
    o Essentially a new way to commit old crimes.
- The lines between each type of crime are blurred; a transaction may overlap the different types of crimes.

Business Risks and Threats to Information Systems
1. Fraud
    a. Computer fraud (1989): any illegal act for which knowledge of computer technology is used to commit the offense.
        i. Fundamentally "people fraud": the computer system needs human intervention to perpetrate fraud.
    b. Different types of fraud require different computer skills.
        i. Data diddling: intentional modification of information; basic skills.
        ii. Theft of information in a secure database: advanced skills.
    c. After a series of scandals and lapses in corporate governance, Sarbanes-Oxley was introduced to restore customer confidence in the stock markets.
        i. Organizations are required to publish reports on the internal controls in place.
2. Error: losses due to error vary depending on (1) where the error originated and (2) the time it may take to identify and correct it.
    a. Examples:
        i. A single error when entering a product code: the wrong item is shipped.
        ii. A programming error in a transaction system: millions lost and angry customers.
    b. Implementing preventive controls (1) detects and corrects errors before they occur and (2) prevents financial losses and negative impacts on the organization's image.
3. Service Interruptions and Delays: can bring an organization to a standstill and lead to missed deadlines for payables and receivables.
    a. Main categories of service interruptions: accidental, willful neglect, malicious behavior.
        i. Accidental: ex. someone shutting down the wrong machine.
        ii. Willful neglect: ex. outdated antivirus software.
        iii. Malicious behavior: ex. a hacker launching a denial of service attack against the company's web site.
4. Disclosure of Confidential Information
    a. Privacy laws: managers and other stakeholders are aware of the critical need to protect information assets.
5. Intrusions
    a. Main objective: gain access to a network or system by bypassing security controls or exploiting a lack of adequate controls.
    b. Motivations vary, ex. fun, profit.
        i. Hackers for fun: often choose low-hanging fruit, i.e. data and/or systems that are relatively unprotected and easy to access.
        ii. Hackers for profit: often target a specific organization or specific information before the attack.
6. Information Theft: targets the organization's most precious asset, information represented numerically.
    a. Data includes trade secrets, marketing plans, advertising campaigns, research and development for new products, customer lists.
    b. Higher losses for corporations because these assets often have a higher value.
7. Information Manipulation: occurs at any stage of information processing, from input to output.
    i. Input manipulation: the most common form of fraud; easy to perform with basic computer skills; hard to detect, as it may look valid until in-depth examination. Ex. an employee creates fake refunds in the payables system to benefit a family member.
    ii. Program manipulation: a complex task; extremely difficult to detect; both the modification and its detection require advanced computer knowledge. Involves the modification or insertion of specific functions in the computer information system.
    iii. Other manipulations: take advantage of the automatic repetitions of a computer program.
        i. Characteristic of the salami technique: unnoticeable slices of a financial transaction are removed and transferred to another account.
            a. Ex. a computer programmer employed in a bank could redirect interest smaller than a penny into his own account; over time this will add up to a large sum.
8. Malicious Software: infects a system and modifies its data.
    a. Many forms:
        1. Virus
        2. Worm: replicates over the network, causing a bottleneck.
        3. Trojan horse: allows an unauthorized backdoor into a system, directly impacting the confidentiality of files residing in the system.
        4. Logic bombs: ex. in a payroll system, would detect a missing employee number when paychecks are issued and trigger the deletion of all employee records.
9. Denial of Service Attacks: prevent computer systems and networks from functioning in accordance with their intended purpose.
    a. Attacks (1) cause loss of service to users by consuming scarce resources such as bandwidth, memory or processor cycles, or (2) disrupt configuration information or physical components.
    b. In distributed attacks, many compromised systems under the control of one or many attackers are used to multiply the impact by launching concurrent attacks against a determined target.
        i. Devastating to the organization: brings computer operations to a standstill; virtually impossible to block.
10. Web Site Defacements: a form of internal graffiti where intruders modify pages on the site in order to leave their mark, send a message or mock the organization.
    i. Hacktivism: politically motivated defacement; attempts to send a message to the organization or to part of the online community.
11. Extortion: the result of the computer being the object of a crime.
    a. The extortionist contacts the organization after successfully stealing information or launching a DoS attack; if the demands are unmet, threatens to reveal the information to the public or to launch a prolonged denial of service.

Perpetrators of Computer Crime
- What distinguishes the individuals who commit computer crimes? The intent of their crime. Any person of any age with computer skills, motivated by the technical challenge, by the potential for gain, notoriety or revenge, or by the promotion of ideological beliefs, is a potential computer criminal.
1. Script kiddie: a young, inexperienced hacker who uses tools and scripts written by others for the purpose of attacking systems.
    a. Doesn't possess the system programming knowledge to write or understand scripts and tools.
    b. Acts out of boredom, curiosity or a desire to play war on the Internet.
    c. Often scans thousands of computers.
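Added example (not part of the course notes or the textbook): the salami technique under item 7 and the "preventive controls" idea under item 2 are easiest to see in a small recomputation control. The script below assumes a constructed monthly interest run on five accounts: the balances, the 3% annual rate, the banker's-rounding rule and the "posted" credits are all made up, and account A-1005 is the constructed account that quietly receives the shaved fractions. The point it demonstrates is that a totals-only reconciliation can tie out to the cent while the per-account recomputation still exposes the manipulation.

```python
from decimal import Decimal, ROUND_HALF_EVEN

CENT = Decimal("0.01")
MONTHLY_RATE = Decimal("0.03") / 12   # constructed: 3% annual rate, paid monthly

# Constructed sample data: opening balances and what the interest-posting
# program actually credited this period. Each customer was credited the
# truncated amount; the shaved fractions ended up in A-1005 (constructed).
BALANCES = {
    "A-1001": Decimal("1234.56"),
    "A-1002": Decimal("987.65"),
    "A-1003": Decimal("5000.00"),
    "A-1004": Decimal("321.10"),
    "A-1005": Decimal("100.00"),
}
POSTED = {
    "A-1001": Decimal("3.08"),
    "A-1002": Decimal("2.46"),
    "A-1003": Decimal("12.50"),
    "A-1004": Decimal("0.80"),
    "A-1005": Decimal("0.27"),
}


def expected_interest(balance, rate=MONTHLY_RATE):
    """Independent recomputation of one period's interest, rounded to the
    cent with the published rounding rule (banker's rounding, assumed here)."""
    return (balance * rate).quantize(CENT, rounding=ROUND_HALF_EVEN)


def totals_reconcile(balances, posted):
    """Control 1: total interest posted versus total interest expected.
    Returns posted minus expected; zero means the totals tie out."""
    expected_total = sum(expected_interest(b) for b in balances.values())
    return sum(posted.values()) - expected_total


def account_discrepancies(balances, posted):
    """Control 2: per-account recomputation. Returns {account: posted - expected}
    for every account whose credit differs from the independent figure,
    however small the difference is (no tolerance, exact decimal arithmetic)."""
    findings = {}
    for acct, balance in balances.items():
        diff = posted.get(acct, Decimal("0")) - expected_interest(balance)
        if diff != 0:
            findings[acct] = diff
    return findings


def suspicious_recipients(balances, posted):
    """Accounts credited MORE than expected: in a salami pattern these are
    the accounts where the removed slices are being accumulated."""
    return sorted(a for a, d in account_discrepancies(balances, posted).items() if d > 0)


if __name__ == "__main__":
    # Totals balance to zero here, which is exactly why a totals-only check misses it.
    print("totals difference:", totals_reconcile(BALANCES, POSTED))
    for acct, diff in account_discrepancies(BALANCES, POSTED).items():
        print(f"{acct}: posted differs from expected by {diff:+}")
    print("accounts receiving excess:", suspicious_recipients(BALANCES, POSTED))
```

Two design choices matter for this kind of control: the recomputation uses exact decimal arithmetic rather than floating point, so a one-cent difference is a real finding and not rounding noise, and it is performed independently of the program that posts the interest, since a manipulated posting program cannot be trusted to audit itself.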