DOCSLIB.ORG

Computer Security: Crime and Fraud Protection

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

COMPUTER SECURITY: CRIME AND FRAUD PROTECTION Delta Publishing Company 1 Copyright 2005 by DELTA PUBLISHING COMPANY P.O. Box 5332, Los Alamitos, CA 90721-5332 All rights reserved. No part of this course may be reproduced in any form or by any means, without permission in writing from the publisher. 2 WHAT THIS COURSE WILL DO FOR YOU COMPUTER SECURITY: PREVENTING COMPUTER CRIMES is written primarily to help business executives and information systems/computer professionals protect the computer and the data from a wide variety of threats. Computers are an integral part of everyday operations. Organizations are dependent upon their computer systems. A failure of the computer system is likely to have a critical impact on the organization. Potential vulnerabilities in a computer system could undermine operations and therefore, must be minimized or eliminated. This course addresses a wide range of computer security issues. It is intended to provide practical and thorough guidance. The emphasis is on practical guidance rather than on theory. It helps managers improve computer security in their organizations. Security concerns have heightened in the recent years. News events about computer related data errors, thefts, burglaries, fires, and sabotage dominate. The nature of the computing environment has changed significantly. The increased use of networked computers, including the Internet, Intranet, and Extranet, has had a profound effect on computer security. The greatest advantage of remote access via networks is convenience. This convenience makes the system more vulnerable to loss. As the number of points from which the computer can be accessed increases, so does the threat of attack. More caution is clearly needed to counter such threats. Weak computer security and lack of internal controls increases an organization's vulnerability. The major steps in managing computer security are discussed in this course. We help business executives identify resources in their organizations that need to be protected. Sometime, the organization may not even consider the information to be "valuable" to anyone else and may not be willing to take security precautions. This is a serious mistake. Frequently, hackers are interested in obtaining access to private or confidential information. Hackers often steal or destroy data or information simply because it is there! Other hackers may delete or destroy files in an attempt to cover their illegal activity. The course highlights the need for a comprehensive security plan in an organization and explains why a casual attitude towards computer security is never justified. The costs and benefits of various security safeguards are also discussed. The cost of a security safeguards includes not only the direct cost of the safeguards, such as equipment and installation costs, but also indirect costs such as employee morale and productivity. It is important to recognize that increasing security typically results in reduced convenience. For example, employees may resent the inconvenience that results from implementing security safeguards. Too much security can be just as detrimental as too little security; a balance must be maintained. Special emphasis is given to contingency planning. Assuming that security is violated, how do you recover? What are the data backup policies? What are the legal consequences? What will be the financial impact? A risk analysis should be performed in planning computer security policies and financial support. 3 Computer security risks fall into one of three major categories: destruction, modification, and disclosure. Each of these may be further classified into intentional, unintentional and environmental attacks. The threat comes from computer criminals and disgruntled employees who intend to defraud, sabotage, and "hack". It also comes from computer users who are careless or negligent. Lastly, the threat comes from the environment; an organization must protect itself from disasters such as fire, flood, and earthquakes. An effective security plan must consider all three types of threats: intentional attacks, unintentional attacks, and environmental attacks. Insurance is also discussed in the course. What is the company's degree of risk exposure? Insurance policies should be taken out to cover such risks as theft, fraud, intentional destruction, and forgery. Business interruption insurance covers lost profits during downtime. This course addresses the security concerns of business managers. This course is designed as a practical, “how to” guide. We provide extensive examples to illustrate practical applications. The tools and techniques in this course can be adopted outright or modified to suit individual needs. Checklists, charts, graphs, diagrams, report forms, schedules, tables, exhibits, illustrations, and step-by-step instructions enhance the course’s practical use. Answers to commonly used questions are also given. 4 TABLE OF CONTENTS What This Course Will Do For You Chapter 1—Organizational Policy Chapter 2—Physical Security and Data Preservation Chapter 3—Hardware Security Chapter 4—Software Security Chapter 5—Personnel Security Chapter 6—Network Security Chapter 7—Security Policy Chapter 8—Contingency Planning Chapter 9—Auditing and Legal Issues Chapter 10--- Computer Crime, Cyberfraud, and Recent Trends GLOSSARY 5 CHAPTER 1 ORGANIZATIONAL POLICY Learning Objectives: After studying this chapter you will be able to: 1. Develop organizational policies. 2. Devise and implement security administration concepts. 3. Utilize a physical security system. 4. Prepare and install procedural security safeguards. 5. Implement a logical security or access control system. 6. Establish a security policy. 7. Appoint a security administrator to set security policy. Today the cost to businesses of stolen, misused, or altered information can be high, especially if real or purported damages to customers can be traced back to mismanagement. That’s why you must value your information resources within the context of your business goals and constraints. The objective of security management is to eliminate or minimize computer vulnerability to destruction, modification, or disclosure. Before we can discuss information security, we must see how that security works. A key consideration is the physical location of the organization. Naturally, more security is needed in areas of high crime, although this may take the form of less expensive generic physical measures. Who uses the information will also affect the security measures chosen. Some users need to alter data; others simply need to access it. If a security plan is to be effective, top management must be fully convinced of the need to take counteractive steps. To assess the seriousness of a computer breakdown or loss of data, each business has to evaluate threats to the company, the potential losses if the threats are realized, and the time and cost that will be necessary to recover from any breach in security. The proliferation of networks scatters security issues across the globe and increases the need for inexpensive but effective levels of security. Physical security measures reflect the location of each component, but procedural measures, especially in a large organization, though they may seem obtrusive, are of equal importance. Personal computers are another potential security threat. More and more people operate their PCs with telecommunications services to connect to central computers and network services. To limit the damage that can be done each user must be identified and that identity authenticated. The user is then allowed to perform only authorized actions. 6 Audits can be very valuable for detecting security violations and deterring future violations. A security violation may be indicated from customer or vendor complaints that show discrepancies or errors; on the other hand, variance allowances can cover up fraudulent activity. Audit trails used to produce exception reports are especially valuable to managers. Standard questions include who accessed what data, whether the data were altered, or whether access-only employees attempted alteration. Exception reports are best used daily because they are after-the-fact reports. You may also choose to look only at reports from areas of high vulnerability or where there is a history of corruption or attempted corruption. A good manager will know the types and forms of information generated and how the information is used by the business before planning how to manage it. Security measures in an information resource management program must be practical, flexible, and in tune with the needs of the business. A risk-management approach recognizes alternatives and decision choices at each step in information resources management in order to develop a program that meshes with ongoing business practices. It is your responsibility as a manager to (1) assist with the design and implementation of security procedures and controls, and (2) ensure that these remain effective by continuous internal audits. To do this you must: • Identify the risks. • Evaluate the risks. • Install appropriate controls. • Prepare a contingency plan. • Continually monitor those controls against the plan. Misuse of information is costly. Ask yourself, “Where in the business scheme does this information work?” identifying not only the department but also the type of usage (strategic, tactical, operational, or historical). This will help you determine how secure that information must be. Its value must justify the expense
Recommended publications
  • Surveillance Self-Defense – Mac OSX

    Surveillance Self-Defense – Mac OSX

    Tips, Tools, and How-To’s for Safer Online Communications Mac OSX Edition This work is licensed under a Creative Commons Attribution 3.0 United States License. Any other content within this work that may not be covered by this CC-BY license is hereby used under the intention of Fair Use. No copyright infringement intended. 2 Editor’s Foreword This edition of the Electronic Frontier Foundation’s Surveillance Self-Defense Project has been arranged into a downloadable PDF version for ease of use as a printable copy to benefit Macintosh users. Many people have expressed interest into both the why and how of secured record archival, and so I think EFF’s SSD helps to facilitate the remedial education that was not provided in any government school curriculum. The intention here was to assemble the SSD into a format that could be useful to someone who doesn’t yet have access to the Internet, or who would otherwise appreciate an archived version of the SSD. Screenshots from a few of the tutorials have been omitted for the sake of brevity. Minor grammatical and punctuation errors have been corrected. It is my sincere desire that the SSD serves to increase the quality of your security culture, as it has done for mine. Please do keep in mind, though, that security culture is not just limited to cellular telephones, laptop computers, and the Internet, but also includes your home, your automobile, and your persona. I do hope the SSD helps you protect your documents through secured record archival. Kyle Rearden Austin, Texas June, 2015 3 Table of Contents
  • Bishop Fox Cybersecurity Style Guide

    Bishop Fox Cybersecurity Style Guide

    BISHOP FOX CYBERSECURITY STYLE GUIDE VERSION 1.1 JUNE 27, 2018 This work is licensed under a Creative Commons Attribution-ShareAlike 2.0 Generic License. Bishop Fox Contact Information: +1 (480) 621-8967 [email protected] 8240 S. Kyrene Road Suite A-113 Tempe, AZ 85284 Contributing Technical Editors: Brianne Hughes, Erin Kozak, Lindsay Lelivelt, Catherine Lu, Amanda Owens, Sarah Owens We want to thank all of our Bishop Fox consultants, especially Dan Petro, for reviewing and improving the guide’s technical content. Bishop Fox™ 2018/06/27 2 TABLE OF CONTENTS Welcome! ................................................................................................................................. 4 Advice on Technical Formatting ........................................................................................................ 5 What to Expect in the Guide .............................................................................................................. 6 The Cybersecurity Style Guide .............................................................................................. 7 A-Z .......................................................................................................................................................... 7 Appendix A: Decision-making Notes .................................................................................. 96 How We Choose Our Terms ............................................................................................................96 How to Codify Your Own Terms ......................................................................................................97
  • Cryptography, Digital Signatures, & Related Technology

    Cryptography, Digital Signatures, & Related Technology

    Cryptography, Digital Signatures, & Related Technology Robert H. Sloan! Cryptography "The science of sending secret messages "Ancient history; people always interested in it "Mentioned in Herodotus (steganography); tool of Julius Caesar. Overview " Uses: Secrecy, integrity, nonrepudiation, authentication " Implementations: " Rotor machines (Haeglin, Enigma) " Computers, special- purpose chips, etc. Most basic scenario "Alice uses encryption algorithm E to transform her message m, the plaintext (or cleartext), and a key k into ciphertext E(m,k). "Intended recipient has key that allows him to decrypt the ciphertext E(m,k) and get back m. Crypto 1800–1975 "In past century or two, secrecy rests upon secret key. I.e., ciphertext can be decrypted by anybody possessing (or guessing) the secret key. "Before modern era (c. 1976– ), security rests on some sort of mixing and can be broken with enough samples by statistical techniques (with exception of one-time pad) Aside: Breaking Enigma " Family of German rotor machines. " Commercial originally; military Wehrmacht version is the famous one. Breaking The Unbreakable " 1932: Trio of Polish mathematicians led by Marian Rejewskibroke 3- rotor plus plugboard machine Enigma continued " 1939: Germans went up to 5 rotors; more than Polish system could handle " July 1939 Polish mathematicians gave their techniques to French & British " September 1939, Turing at Blechley Park begins effort to build Bombe to decrypt this Enigma—and succeeds! Modern era: 1976– "Cryptography based on (computational) complexity theory—theory of what can be computed quickly versus what can be computed slowly "Goal: encryption, and decryption with possession of proper key can be computed very fast; decryption without key is very slow (e.g., 1 million years on best supercomputer).
  • Certificate Authority

    Certificate Authority

    Some Cryptographic Implementations October 10 – 14, 2016 Guinee Conakry By Marcus K. G. Adomey Chief Operations Manager AfricaCERT Email: [email protected] OVERVIEW . Fingerprint . Digital Signature . Certificate Authority . Digital Certificate . Key management . Public Key Infrastructure (PKI) . Web of Trust . Secure Socket Layer (SSL) Public Key Fingerprint Public Key Fingerprint . Public key fingerprint is a short sequence of bytes used to identify a longer public key. Fingerprints are created by applying a cryptographic hash function to a public key. Since fingerprints are shorter than the keys they refer to, they can be used to simplify certain key management tasks. In Microsoft software, "thumbprint" is used instead of "fingerprint." Digital Signature Digital Signature . A digital signature is an electronic signature that can be used to authenticate the identity of the sender of a message or the signer of a document, and possibly to ensure that the original content of the message or document that has been sent is unchanged. Digital signatures are easily transportable, cannot be imitated by someone else, and can be automatically time-stamped. The ability to ensure that the original signed message arrived means that the sender cannot easily repudiate it later. A digital signature can be used with any kind of message, whether it is encrypted or not, simply so that the receiver can be sure of the sender's identity and that the message arrived intact. A valid digital signature gives a recipient reason to believe that the message was created by a known sender, that the sender cannot deny having sent the message (authentication and non-repudiation), and that the message was not altered in transit (integrity).