Computer Security Management: Assessment and Forensics

Session 8

Computer crime means a crime involving computer resources, including using a computer to commit a crime.

Computer fraud means using computer resources to defraud .

Using a computer to defraud.

Fraud is an intentional act to deceive or mislead, convert assets to one’s own benefit, or make intentional false statements or misrepresentations often accompanied by omission, manipulation of documents or collusion.

Computer fraud is criminal.

Hacking. Deliberate virus spreading. Theft of information, software or hardware. Theft of computer resource usage. Denial of computer services by means of

malicious software or messages. Message interception.

Scams Phishing Defamation of character. Disseminating hate propaganda. Threats Developing, holding or spreading child

pornography.

A perpetrator lacking integrity or ethics

Motivation to commit fraud

Opportunity to commit and conceal fraud

False representation to a substantial degree

Factor to induce a victim or accomplice to act

Intent to defraud

Injury or loss sustained

The fraud provisions of the Criminal Code have been used to prosecute people who used computers to commit frauds.

The Internet is increasingly used to perpetrate fraud because of its reach and the impulse responses of Web surfers.

A complex accounting system raises the potential for “creative accounting” and consequently fraud

The general perception that computerized information is reliable makes computer fraud less susceptible to challenge than fraud committed on paper

Manipulating systems or causing glitches to “smooth” quarterly earnings

Salami, rounding down interest calculation and deposit difference to programmer’s own account

Employee selling of customer lists to competitor

Fictitious insurance policies to defraud insurers and reinsurers

A scheme that uses one or more components of the Internet - such as chat rooms, e-mail, message boards, or Web sites - to present fraudulent solicitations to prospective victims, to conduct fraudulent transactions, or to transmit the proceeds of fraud to financial institutions or others connected with the scheme.

Auction or sales inducing the victim to send money or give out credit card numbers for promised goods

Business opportunity Work-at-home program

Investment scheme

Stock market manipulation by spreading fictitious news about public companies

Identity theft

Segregation of duties

Management and independent review

Restricted access

Code of business conduct to outline what is not acceptable, what is not supposed to be done with organization IT resources, what constitutes conflict of interest.

Intrusion detection and prevention systems

Encryption

Security education

Analytical review

System monitoring

Security check on new hires and contractors

An established process for whistle blowing and investigation

Exemplifying management culture

Lock laptops when not attended to

Scheduled refreshment of web sites from the backup version to nullify even minor changes by hackers such as changing a key word in the user agreement or a rate

Management Actions in Reaction to Computer Crime Damage control by pulling equipment off

the network. Preserve evidence, do not turn off

computers. Call a forensic expert to image the

computer hard disks. Do not use the computer until the hard disk

is successfully captured

Management Actions in Reaction to Computer Fraud Do not set off alarm, let the suspect

continue. Damage control, by making backup of data

and providing an alternate plan. Continue to monitor suspect. Collect evidence behind the scene. Depending on severity, may need to

terminate access or reassign suspect immediately.

Sanitize data behind the scene.

Gathering evidence◦ Rules of Evidence must be carefully followed◦ Chain of custody critical◦ Interviewing personnel◦ Invigilation◦ Indirect methods of proof

Screwdriver and pliers Disk imaging software Hash calculation utility Search utilities File and data recovery tools File viewing utilities Password cracking software Digital camera

Computer crime and computer fraud on the rise

Organizations should adopt a code of business conduct.

Organizations should have chief ethic officers