what does go wrong — the facts


MARCH - APRIL THE COMPUTER LAW AND SECURITY REPORT

EQUIPMENT IN TRANSIT:

Most computer policies cover computer equipment as fixed equipment without providing any cover for the risks incurred whilst the equipment is in transit, or whilst being installed or dismantled (apart from fixed maintenance/repair). It may be possible to obtain some automatic cover under the hardware policy but in any event it is important to advise insurers before any equipment move is undertaken.

TERMINALS:

Whilst cover will apply to the locations at which CPU's are installed there may be many other premises that participate in the DP network. From a convenience point of view, remote terminals should be covered as a generic item rather than having to notify insurers of every new location.

ACHIEVING THE OBJECTIVES

No one insurer provides the right cover in all the areas outlined. You, or your broker, will have to negotiate - and be prepared to compromise. The better your risk - and the better your presentation of that risk to the underwriter - the better will be your chance of success.

David Davies

THE RISKS INVOLVED IN COMPUTERISATION

WHAT DOES GO WRONG - THE FACTS

In the last issue of The Report I considered the corporate implications of computer security and outlined the areas of potential risk in the process of computerisation. I shall now go on to examine the problem more specifically, drawing upon examples and illustrations of what does go wrong in practice.

RISK AREAS

The following chart illustrates the major risk areas of physical damage and system interference to the computing environment.

[Chart: RISKS (physical damage; system interference) set against the COMPUTING ENVIRONMENT (power, water, heat, air conditioning, hardware, communication, data, software, application systems)]

Main frame computers require certain basic amenities in the physical environment in order to function properly. Computer systems, on the other hand, rely on the reliability and integrity of input data, central hardware, system software, communications equipment, and application programs to produce meaningful information which should be accurate and timely to help management with decision making and business administration. I shall examine the two risk areas in greater detail in the following two sections.

PHYSICAL DAMAGE

FACTS AND FIGURES

The causes of damage could range from natural hazards of fire, flood, land subsidence, etc. to deliberate acts of arson, explosion, vandalism and sabotage. Damage may be inflicted on various physical assets ranging from equipment, the physical environment, to storage media, documentation and people. This is illustrated below:


THE COMPUTER LAW AND SECURITY REPORT 6 CLSR

CAUSE OF DAMAGE

- FIRE
- FLOOD
- EARTHQUAKE/SUBSIDENCE
- ILLEGAL ACT
  - ARSON
  - EXPLOSION
  - VANDALISM
  - SABOTAGE

PHYSICAL ASSETS

- EQUIPMENT/NETWORK
- ENVIRONMENT
- DOCUMENTATION
- INPUT/OUTPUT DEVICES
- STORAGE MEDIA
- STATIONERY
- DATA/FILES
- SUPPORT SERVICE
- PEOPLE

Many cases of computer fire have been reported in the UK. Except for minor fires that were put out promptly and caused little damage, others have been rather devastating and caused extensive damage to buildings, plant and equipment. Total losses on equipment damage and business interruption tend to run into hundreds of thousands of pounds in each case. In some cases such losses ran into millions of pounds.

More than 50% of the fires were started outside the computer services suite, 25% were started in the installation, but outside the computer room, and 16% in the computer room itself. 35% of the fires were deliberately started by disgruntled staff and ex-employees, including security guards and works firemen. Electrical faults caused 30% of the fires.

The popular times for setting fire to equipment and premises appeared to be the early hours of the morning. As a rule such were the times when the premises were unmanned and most vulnerable to attack.

The above statistics have reinforced the need for adequate fire resistant partitioning both within the installation and from the non-DP functions in the company. Early detection systems should be installed with automatic total flooding systems, in addition to good procedures in the computer room. A contingency plan, which should be tested and proven, ought to be provided to speed up the recovery operation from a major disaster.

Many cases of flooding of computer centres have been recorded in the UK. Many of these were the result of severe winter conditions causing burst pipes. A few were due to heavy rainfall in low-lying areas or a river bursting its banks, or air-conditioning malfunction, causing pipe overflow. The last category resulted in water accumulating in the floor void and could take some time to discover. There was even one case reported of the flooding of an installation located on the twenty-second floor of an office building in London! Most modern computer buildings are now provided with sloping true floors with proper drainage. Some older ones have installed moisture detectors in the floor voids.

There have been a number of cases reported of fire and explosion caused by such extremist groups as the IRA, and of vandalism by youths. One of the installations suffered two cases of arson where fires were deliberately started in the same areas, causing serious hold-up in business and inflicting £500,000 of damage on each occasion.

The gloomy economic forecast for the 1980s indicated further depression and higher unemployment. Extremist groups will continue to flourish with occasional bouts of activity. Intellectuals with extremist views in pursuit of ideological goals are particularly dangerous in the community because their schemes of perpetration could be extremely well planned and executed with sophistication. This was exemplified by 27 cases of bombing of computer centres in Italy in the late 70's by the Red Brigade, and several cases recently in Germany by the Red Army Faction. In France several cases have been reported of bombing of computer installations by an extremist group called CLODO (the Committee to Liquidate or Neutralize Computers) and the Direct Action Group. The importance of access control into computer installations and computer rooms cannot be over-emphasized, especially outside office hours.

Good recruitment and termination procedures, along with regular progress reviews of staff performance, would help to provide early warning of disgruntlement and to initiate preventive measures to pre-empt possible abuse to the installation. Contingency planning plays a key role to ensure the continued survival of the organisation.

SYSTEM INTERFERENCE

There are two forms of interference to computer systems. The abnormal events include fraud, theft, privacy breaches, industrial action and others, and the normal events include equipment breakdown, system breakdown or malfunction, and errors and omissions.

Abnormal Events

Statistics of computer abuse in both the USA and the UK indicate that the trend is growing. In the USA, average losses were £850,000 for each case, whereas in the UK most of the computer frauds involved losses averaging £31,000 each. Isolated cases, on the other hand, could well exceed £1M. Schemes of perpetration vary, but were in the main exploiting simple loopholes discovered in systems.


For example, payment was authorised for goods on order that were never delivered, and special discount facilities were exploited for private gain. A number of cases also involved collusion between employees and outsiders. Over the last two years, a number of fraud cases on Electronic Funds Transfer systems have come to light. Losses run to millions of pounds in every case. Over fifty cases have been reported of covert sabotage to equipment, data, programs and computer services, planting of logic bombs in programs to cause the contents of program and data files to self-destruct at a future date, malicious attack and vandalism of equipment, theft of valuable information and programs, as well as illegal penetration of time-sharing systems.

New technology has brought impetus on business users to exploit the merits of electronic office, word processors, point-of-sale systems, and electronic mail. The security and protection requirements of these new systems may not be well-defined when these are introduced into the organisation and could fall prey to potential abuse. The proliferation of small business systems available on mini- and micro-computers and with such equipment kept in office areas is becoming a growing concern for management. The relatively high value of such systems among other office equipment has brought about a number of reported thefts of portable computer equipment housed in areas with little access control. Moreover, manning of such small systems tends to be restricted to one or two individuals with overlapping authority of several normally segregated functions. For example, the person feeding in routine business transactions could well be the same individual who runs the equipment as well as maintaining the software. Unless the associated clerical control procedures are adequate, small business systems could be exploited to perpetrate simple frauds and other forms of abuse by disgruntled or dishonest staff in charge of such systems.

This is exemplified by the misuse of police computer systems to recruit new clients for gaming clubs and disclosure of sensitive market plans and new product information through exploiting ill-conceived confidential waste disposal procedures in computer installations. The new Data Protection Act requires data users and computer bureaux to take adequate precautions to safeguard the integrity, timeliness and availability of personal data held in computer systems. Both the organisation and its senior executives could be liable for individual prosecution or fines if the inaccuracy, loss or destruction of personal data resulted in personal distress or financial damage to data subjects, through failure to provide reasonable security to safeguard the interests of data subjects.

Access control procedures would need tightening up, enforced by secure operating systems, sophisticated access control software and promotion of staff security awareness. The 'need to know' and 'right of access' of confidential information should be reviewed, in some cases, protected by applying encryption in data transmission. Again, early detection would be facilitated by proper audit trails, monitoring for access violation and active involvement of internal auditors in system design.

There were several cases of school boys penetrating into time sharing systems to obtain free services or to browse through information available on-line. The computer hackers managed to get into Prestel to look at the Duke of Edinburgh's private electronic mail and into dial up networks of hospitals, stock brokers, oil companies and the Atomic Energy Authority. The most effective means of curtailing the activities of hackers would be to use some front-ended equipment to hold the lists of user identity, password and his telephone number. On successful entry of the correct user ID and password, the equipment will disconnect the call and ring back the caller with the telephone number stored in memory before connecting him to the on-line systems. Also the installation of low cost encryption devices for data transmission will look increasingly attractive to deter computer hackers.
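The ring-back procedure described above can be sketched as follows. This is an added example, not part of the original article; the names CallbackFrontEnd, enrol and handle_call, the salted PBKDF2 password storage, the three-strike lockout and the phone numbers are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def _hash(password: str, salt: bytes) -> bytes:
    # Assumption: passwords are stored salted and stretched, never in clear.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class Subscriber:
    salt: bytes
    pw_hash: bytes
    callback_number: str  # the only number the front end will ever ring


@dataclass
class CallbackFrontEnd:
    """Hypothetical front-end unit holding user ID, password and phone number."""
    max_failures: int = 3
    users: dict = field(default_factory=dict)
    failures: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)  # audit trail of every attempt

    def enrol(self, user_id: str, password: str, callback_number: str) -> None:
        salt = os.urandom(16)
        self.users[user_id] = Subscriber(salt, _hash(password, salt), callback_number)

    def handle_call(self, user_id: str, password: str, calling_line: str):
        """Return the stored number to ring back, or None if the call is dropped."""
        if self.failures.get(user_id, 0) >= self.max_failures:
            self.audit.append(("LOCKED", user_id, calling_line))
            return None
        sub = self.users.get(user_id)
        # Hash even for unknown IDs so response time does not reveal valid IDs.
        supplied = _hash(password, sub.salt if sub else b"\x00" * 16)
        ok = sub is not None and hmac.compare_digest(supplied, sub.pw_hash)
        if not ok:
            self.failures[user_id] = self.failures.get(user_id, 0) + 1
            self.audit.append(("DENIED", user_id, calling_line))
            return None
        self.failures[user_id] = 0
        # Disconnect, then ring the number held in memory. The line the call
        # arrived on is logged but never used as the ring-back target.
        self.audit.append(("CALLBACK", user_id, sub.callback_number))
        return sub.callback_number


if __name__ == "__main__":
    fe = CallbackFrontEnd()
    fe.enrol("jsmith", "correct horse", "01-555-0100")       # constructed data
    print(fe.handle_call("jsmith", "correct horse", "01-555-0199"))
    print(fe.handle_call("jsmith", "guess", "01-555-0199"))
    print(fe.audit)
```

The point the sketch makes concrete is that a stolen user ID and password are not enough on their own: the session is only ever established to the enrolled number, and every denied or locked attempt lands in the audit trail for review.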

With the phenomenal growth of personal computers, the number of computer hackers will grow naturally. So far hacking in the UK is merely regarded as an intellectual curiosity. As long as the database was not corrupted or tampered with, the current legislation is powerless to bring prosecutions to stem the tide. It may not be too long before hackers begin to realise the value of information being accessed and to exploit the information obtained for private gain. Already in France and Germany, information obtained from sensitive applications has caused acute embarrassment to the authorities.

The Data Protection Act 1984 requires data users to provide adequate security against unauthorised access to personal data. Computer hacking would appear to be one weak area which should be addressed by users of dialup networks.

The UK has been particularly vulnerable to industrial disputes in computer installations over the last few years. Some disputes were caused by non-DP staff in dispute picketing computer installations to prevent staff access. Others were caused by computer staff involved in disputes working to rule, occupying premises, or going on strike. The most disruptive strikes were those involving the Post Office and the Civil Service in 1979. In each case, several hundred million pounds of cash flow was delayed through the planned withdrawal of a small number of computer operators for an extended period. At the time this led to the Government considering planning to combat future strike action by stiffening industrial relations legislation and reverting to free collective bargaining with total relaxation of pay restraint policy. The recent strike by the computer operators in the DHSS installation in Newcastle has caused the Government over £160 million in additional manning to provide emergency cover to effect payouts of pensions and family allowance for several months.

Normal Events

Equipment breakdown could happen to the central hardware, input/output devices, ancillary equipment, communications equipment and others, with varying degrees of impact on the installation. The technological advances over the last few years have rendered equipment more reliable at the individual unit or component level. However, the general architecture of hardware units and systems is getting more complex. Depending on the importance of individual units of equipment, there could be redundancy features built into the system to alleviate a total breakdown arising from individual unit failure. If necessary, whole systems could be duplicated either at the same site or remotely. Standby arrangements could also be made with hardware manufacturers, another company or a computer bureau. Such arrangements ought to be formalised and regularly reviewed to ensure that standby resources are adequate and available on demand. Good re-start and recovery procedures are essential for maintaining the integrity of computer systems.

Most software and application system breakdowns or malfunctions arise as a consequence of poor design, insufficient system testing and inadequate consultation with users during development. The trend is for more complexity in the systems and software in order to improve performance and to integrate mutually dependent functional areas. The design philosophy and system architecture, on the other hand, tend to be moving towards modularity. There is growing usage of user friendly microcodes and 'middleware' which could bend the hardware architecture towards the environment of the user to facilitate his system and programming efforts.

Errors and omissions sometimes contribute to system breakdown and malfunction. For example, in the US a programming error in the design calculation for the nuclear reactor cooling system has caused a structural weakening of cooling pipes and resulted in the evacuation of local residents in Three Mile Island. An inexperienced operator working alone on a night shift responded incorrectly to an error misread message from a disk pack and ruined all the three generations of files on various disk packs, in addition to damaging all disk drives on site. In another instance, a telephone subscriber was billed for £2,172 for making two local calls.

Major computer manufacturers have made considerable efforts to combat operational errors and omissions in computer installations by providing large operating systems to reduce the extent of operator intervention and to provide more meaningful error diagnostics. Data processing management are channelling more efforts to adopt formal system development methodology, coupled with heavy emphasis on system documentation, structured design, structured walk-through and system testing. Installations are going for centralised data control and validations such as data directories and data dictionaries. There is more emphasis on staff and user training, on the handling of equipment and systems, as well as the insistence of operation standards and procedures and the provision of comprehensive error diagnostics and restart and recovery procedures. Such problems can only be tackled by a sustained effort on all fronts.

Dr. Ken Wong, Manager BIS Applied Systems Ltd.

Dr. Wong is an internationally recognised consultant in the field of computer security.

U.S. FOCUS

COMPUTER ABUSE: THE LITERATURE GROWS

At the 1985 meeting of the American Society of Criminology, Professor Erdwin H. Pfuhl, Jr. presented a very interesting paper entitled 'Computer Abuse: Thoughts on the Social Construction of Crime'.

In his paper, Pfuhl pointed out that there has been, as he puts it, a 'moral crusade' in the United States concerning computer security. He says there has been a strong media blitz in this country by some 'crusaders' to point out that computer abuse is a crime. However, he says what is defined as computer abuse is still debatable in some states. For his research, Pfuhl conducted a literature search on the number of articles on computer abuse as indexed by the Reader's Guide to Periodical Literature for the years 1972 through 1984. The graph on the following page is based on Pfuhl's data.

The Equity Funding fraud is the famous case where a computer was used to keep track of roughly 64,000 bogus insurance policies. The resulting fraud totalled $2 billion, second largest only to the Associated Gas and Electric bankruptcy case in the 1940's. (Bankruptcy as defined under Chapter X of the United States Bankruptcy Code). Pfuhl noted that about half of the computer crime articles in 1973 dealt directly with the Equity case.

While the paper is basically a sociological piece, written for sociologists, it proves to be interesting and thought-provoking to the criminal justice/legal practitioner because of the issues Pfuhl raises. You can contact Professor Erdwin H. Pfuhl Jr. at the Department of Sociology, Arizona State University, Tempe, Arizona 85281, USA, Phone: (602) 965-3546.

As the chart indicates, 1973 was the first time there was any real discussion in the media about computer crime. It turns out that 1973 was also the year the Equity Funding Corporation fraud occurred.
