UMD BMGT 326 - Chapter 11: Computer Crime and Information Technology Security

Chapter 11: Computer Crime and Information Technology Security

AIS in the Business World

Information: one of today's most important economic assets for any organization
- Often stored and transmitted electronically; vulnerable to computer crime (espec. in law firms)

*Understanding the types of computer crimes allows one to understand more clearly how AIS is affected by common malicious acts*

Taxonomy for Computer Crime (Carter; 1995):
- Target - criminal targets the system or its data
    o Objective: impact the confidentiality, availability, and/or integrity of data stored on the computer
- Instrumentality - computer as instrumentality of crime; uses computer to further criminal end
    o In crimes targeting the computer: the data are the object of the crime and the computer is used to commit the crime
- Incidental - computer is not required for crime but is related to the criminal act
    o Use of computer: simplifies criminal actions and makes crimes difficult to trace
- Associated - technological growth creates new crime targets and new ways of reaching victims
    o Essentially, a new way to commit old crimes

*Lines between each type of crime are blurred; transactions may overlap the different types of crimes*

Business Risks and Threats to Information Systems

1. Fraud
    a. Computer fraud (1989) - any illegal act for which knowledge of computer technology is used to commit the offense
        i. Fundamentally people fraud - computer system needs human intervention to perpetrate fraud
    b. Different types of fraud require different computer skills
        i. Data diddling - intentional modification of information (basic skills)
        ii. Theft of info in secure database (advanced skills)
    c. After series of scandals and lapses in corp. governance: Sarbanes-Oxley introduced to restore customer confidence in stock markets
        i. Organizations required to publish reports on internal controls in place

2. Error - losses due to error vary depending on: (1) where error originated; (2) time it may take to identify and correct it
        i. Single error when entering product code = wrong item being shipped
        ii. Programming error in transaction system = millions lost and angry customers
    b. Implementing preventative controls: (1) detects/corrects errors before they occur; (2) prevents financial losses and negative impacts to organization's image

3. Service Interruption and Delays - can bring organization to standstill; lead to missed deadlines for payables and receivables
    a. Main categories for service interruptions: accidental, willful neglect, malicious behavior
        i. Accidental: ex. someone shutting down wrong machine
        ii. Willful neglect: ex. outdated antivirus software
        iii. Malicious behavior: ex. hacker launching a denial of service attack against company's web site

4. Disclosure of Confidential Information
    a. Privacy laws - managers and other stakeholders aware of critical need to protect information assets

5. Intrusions
    a. Main objective: gain access to a network or system by bypassing security controls or exploiting a lack of adequate controls
    b. Motivations vary; ex: fun, profit
        i. Hackers for fun often choose "low-hanging fruit": data and/or systems relatively unprotected and easy to access
        ii. Hackers for profit often target specific organization or information before attack

6. Information Theft - targets organization's most precious asset: information (represented numerically)
    a. Data includes: trade secrets, marketing plans, advertising campaigns, research and development for new products, customer lists
    b. Higher losses for corp. because these assets often have higher value

7. Information Manipulation - occurs at any stage of information processing, from input to output
        i. Input manipulation - most common form of fraud; easy to perform; basic computer skills; hard to detect (may look valid until in-depth examination)
            i. ex: employee creates fake refunds in payables system to benefit a family member
        ii. Program manipulation - complex task; extremely difficult to detect; modification and detection require advanced computer knowledge
            i. Involves modification or insertion of specific functions in the computer information system
        iii. Other manipulations take advantage of automatic repetitions of a computer program
            i. Characteristic of "salami technique" - unnoticeable slices of a financial transaction are removed and transferred to another account
                a. Ex: computer programmer employed in a bank could redirect interest smaller than a penny into his own account; over time it will add up to a large sum

8. Malicious Software
    a. Many forms:
        1. Virus infecting a system and modifying its data
        2. Worm replicating over network, causing a bottleneck
        3. Trojan horse allowing an unauthorized backdoor into a system, directly impacting the confidentiality of files residing in the system
        4. Logic bombs; ex: in payroll system - would detect missing employee number when paychecks are issued and trigger the deletion of all employee records

9. Denial-of-Service Attacks - prevent computer systems and networks from functioning in accordance with intended purpose
    a. Attacks: (1) cause loss of service to users by consuming scarce resources such as bandwidth, memory, or processor cycles; (2) disrupt configuration information or physical components
    b. In distributed attacks: many compromised systems under control of one or many attackers are used to multiply the impact by launching concurrent attacks against a determined target
        i. Devastating to organization; bring computer operations to standstill; virtually impossible to block

10. Web Site Defacements - form of internal graffiti where intruders modify pages on the site in order to leave their mark, send a message, or mock the organization
        i. Hacktivism: politically-motivated defacement; attempts to send message to organization or part of online community

11. Extortion - result of computer being the object of a crime
    a. Extortionist contacts organization after successfully stealing info or launching a DoS attack; if demands unmet: threatens to reveal info to public or to launch a prolonged denial of service

Perpetrators of Computer Crime

What distinguishes the individuals that commit computer crimes? The intent of their crime

*Any person of any age with computer skills, motivated by the technical challenge; by the potential for gain, notoriety, or revenge; or by the promotion of ideological beliefs is a potential computer criminal*

1. Script kiddie - young, inexperienced hacker who uses tools and scripts written by others for the purpose of attacking
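The salami example under Information Manipulation, worked from the control side (an added example, not from the course notes): a sample monthly interest batch is posted honestly and by the manipulated routine the notes describe, then a total-only reconciliation is compared with a per-account recomputation. Account numbers, balances and rates are constructed.

```python
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_UP

CENT = Decimal("0.01")
HALF_CENT = Decimal("0.005")

# Constructed sample batch for one monthly interest run: (account, principal, annual rate).
ACCOUNTS = [
    ("A-1001", Decimal("1234.56"), Decimal("0.0312")),
    ("A-1002", Decimal("98765.43"), Decimal("0.0250")),
    ("A-1003", Decimal("500.00"), Decimal("0.0199")),
    ("A-1004", Decimal("20000.10"), Decimal("0.0305")),  # the programmer's own account (constructed)
]

def exact_interest(principal, rate):
    """Monthly interest at full precision, recomputed independently of the posting program."""
    return principal * rate / 12

def honest_postings(accounts):
    """Legitimate routine: round each credit half-up to the cent; residuals are mixed-sign and tiny."""
    return {acct: exact_interest(p, r).quantize(CENT, rounding=ROUND_HALF_UP)
            for acct, p, r in accounts}

def salami_postings(accounts, own_account):
    """The manipulation the notes describe: truncate every credit and move the pooled
    sub-cent remainders into the programmer's own account. Used here only as test input."""
    posted, skimmed = {}, Decimal(0)
    for acct, p, r in accounts:
        exact = exact_interest(p, r)
        posted[acct] = exact.quantize(CENT, rounding=ROUND_DOWN)
        skimmed += exact - posted[acct]
    posted[own_account] = posted.get(own_account, Decimal(0)) + skimmed.quantize(CENT, rounding=ROUND_DOWN)
    return posted

def batch_total_balances(postings, accounts):
    """Total-only reconciliation: weak, because the skimmed cents never leave the batch."""
    expected = sum(exact_interest(p, r) for _, p, r in accounts)
    return abs(expected - sum(postings.values())) <= HALF_CENT * len(accounts)

def reconcile_per_account(postings, accounts):
    """Detective control: each posted credit must sit within half a cent of its recomputed
    basis, and nothing may be credited without a basis. Returns a list of findings."""
    basis = {acct: exact_interest(p, r) for acct, p, r in accounts}
    findings = []
    for acct, amount in postings.items():
        if acct not in basis:
            findings.append(f"{acct}: credited {amount} with no interest basis")
        elif abs(basis[acct] - amount) > HALF_CENT:
            findings.append(f"{acct}: posted {amount}, basis {basis[acct]:.6f}")
    return findings
```

The batch total balances in both runs, so only the per-account recomputation exposes the truncated credits and the over-credited account.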