Jidaw Systems
(MASTERCOMPUTERS)


Fighting Internal Crime before it Happens - the Enemy within


Information Technology (IT) becomes mission-critical when business goals cannot be achieved without its continuous, effective and efficient support, that is, when the enterprise cannot function without IT. Today's enterprise has grown increasingly dependent on its information technology infrastructure.

Most organizations today have installed computers of various sizes to process data into information and knowledge. Too much emphasis has been placed on the technology and too little on the security of the valuable business wealth contained in the information that the Information Technology department manages.

This is perhaps the worst risk facing business today, because security awareness among non-computer professionals is very low. To ensure that an organization's information technology and business systems are adequately controlled, monitored and assessed, appropriate information security standards, procedures and controls must be established and complied with.

Information Technology departments perform a valuable service and often put in long hours to improve system performance. Managers, who have other pressures and probably do not share this all-consuming interest in IT matters, are usually inclined to leave them to their work with minimum supervision. In some organizations management feels that, since IT is not its area of expertise, there is no need to supervise or restrict the activities of the IT specialist. Unfortunately there are major risks in this approach.

 

Whistling in the dark

The question is: how would you know if an IT specialist had sabotaged or manipulated the computer systems, whether out of a desire for illicit profit or from sheer malevolence?

System security officers who wish to address system security effectively must be aware that their management may have only a limited view of the problem. In some cases carefully constructed security standards and procedures are dismissed with a wave of the hand or with a comment such as "I have no time to go into that", which puts the system security officers at loggerheads with Information Technology department staff. Most organizations demonstrate a "whistling in the dark" mentality: management will not do anything until and unless something goes wrong.

In many cases a complete lack of management commitment has rendered an expensive security initiative ineffective. It is therefore essential to educate management away from these attitudes.

 

Exposure 

The Internet or a Wide Area Network (WAN) exposes the organization to several risks, but some of the risk is inherent in the organization itself and not in the Internet or the external network. The Internet uses a public network as a transaction medium, so the organization and whatever systems it uses are exposed to unauthorized access and hacker attacks. Service disruptions and spurious transactions may follow.

Having just built the most effective access control system or installed a firewall is no reason to relax, because even the tightest access controls cannot keep the organization's critical systems secure without effective review and analysis of security events. To catch intruders or identify internal risks you need to collect and analyze the audit trail on a regular basis. That means a lot of data and a lot of analysis.

 

The enemy within

Some of the most crippling crimes against an enterprise are committed by its own employees. This is why control over the IT experts and over the users of the systems is critical. Uncontrolled systems development automatically produces systems that are uncontrollable: bugs and other accidental errors proliferate, and such systems become a fertile breeding ground for fraud techniques such as data diddling, Trojan horses, the salami technique, viruses, rounding down and logic bombs.

Anyone can make a mistake, and the consequences must be contained by effective security controls. More worrying, and increasingly frequent, are malicious acts of sabotage or fraud. Sabotage and fraud are more likely to occur when the chance of detection is low. Carefully constructed, comprehensive security policies, standards and procedures reduce the opportunity to commit crime and increase the probability of detection.

 

Motivating factors

The types of damage a criminal employee may inflict are as varied as the employees themselves. Very few act out of revenge; greed is a much more common motivator. A dishonest employee sees the employer as an easy source of funds and is convinced that, since the theft is from an organization rather than from an individual, no one is getting hurt. These crimes are generally motivated by greed and are common in our financial institutions. The chance of detecting some of these atrocities is minimal, hence they go unreported.

 

The How

The scams perpetrated by computer fraud offenders are elusive, creative and complex, and sometimes require a thorough knowledge of both IT and business processes. Most users interact with the computer system only through the application software, which both enables and limits what a user can do. The first thing the system auditor or security administrator needs to know is what the application software does and what activities it performs. After that it is necessary to identify the potential risks associated with the business function the application serves (what can go wrong) and to see how the software handles those risks (what controls it provides).

For an application review, the system auditor's or security administrator's knowledge of the intricacies of the business is as important as technical knowledge. In the application environment, users' activities can be restricted, and automatically logged and reported by the computer. Fraud in this environment can be detected and checked easily if the parameters are set correctly.

In the batch-processing environment, ordinary users with different profiles can likewise be restricted, and their activity automatically logged by the application and reported. In online systems the avenues of access are more complex.

A different method must be adopted for super users, i.e. Information Technology staff, since they have access to the operating system, the relational database environment and the application. They can be allowed to log in to the application just like every other user, provided that access to the application requires two authentication methods.

 

The Information Technology Department

The Operations unit or Systems unit of the Information Technology department should be organized to allow a proper division of duties, so that the potential for unauthorized operation and fraud is minimized. The system log should be analyzed to give management detailed information on all normal and abnormal occurrences during each processing period. The availability of this log is extremely valuable. Effective security demands that this analysis happens and that evidence of the resulting activities is documented.
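As an added example, not code from the paper or from any product it mentions, the script below performs the kind of audit-trail review called for under "Exposure" and the system-log analysis called for here. It reads constructed syslog-style lines (the host name, user names, timestamps and the list of sensitive paths are all assumptions for the example) and reports the abnormal occurrences a security administrator would want on the exceptions report: root logging in directly over the network, su to root instead of an individual sudo profile, privileged commands run outside business hours, and privileged commands that touch log directories or database tools.

```python
import re
from datetime import datetime

# Constructed sample lines in syslog style; not taken from any real system.
SAMPLE_LOG = """\
Mar 29 09:12:01 corebank sshd[2210]: Accepted password for adeola from 10.1.4.17 port 51022 ssh2
Mar 29 09:15:44 corebank sudo:   adeola : TTY=pts/1 ; PWD=/home/adeola ; USER=root ; COMMAND=/bin/cat /var/log/messages
Mar 29 22:47:03 corebank sshd[3104]: Accepted password for root from 10.1.9.88 port 40112 ssh2
Mar 29 22:48:10 corebank su: (to root) tunde on pts/3
Mar 29 22:51:29 corebank sudo:    tunde : TTY=pts/3 ; PWD=/opt/globus ; USER=root ; COMMAND=/usr/bin/sqlplus /nolog
Mar 29 23:02:55 corebank sudo:    tunde : TTY=pts/3 ; PWD=/opt/globus ; USER=root ; COMMAND=/bin/rm -f /var/log/audit/db.log
"""

# Generic "<timestamp> <host> <program>[pid]: <message>" syslog line.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w/-]+)(?:\[\d+\])?: (?P<msg>.*)$")
SSH_LOGIN_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")
SU_RE = re.compile(r"\(to (?P<target>\S+)\) (?P<user>\S+) on (?P<tty>\S+)")
SUDO_RE = re.compile(
    r"^\s*(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")

BUSINESS_HOURS = range(8, 18)          # assumed 08:00-17:59 processing window
# Assumed list: paths and tools whose use under sudo always warrants a second look.
SENSITIVE = ("/var/log", "/var/audit", "sqlplus", "isql", "psql", "mysql")


def parse(line):
    """Split one syslog line into its fields, or return None for unrecognised input."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["hour"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S").hour
    return rec


def review(log_text):
    """Return (rule, user, line) findings for every abnormal occurrence in the log."""
    findings = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        prog, msg, hour = rec["prog"], rec["msg"], rec["hour"]
        if prog == "sshd":
            m = SSH_LOGIN_RE.search(msg)
            if m and m["user"] == "root":          # root should be console-only
                findings.append(("direct_root_login", m["user"], line))
        elif prog == "su":
            m = SU_RE.search(msg)
            if m and m["target"] == "root":        # individual sudo profile expected instead
                findings.append(("su_to_root", m["user"], line))
        elif prog == "sudo":
            m = SUDO_RE.match(msg)
            if not m:
                continue
            if hour not in BUSINESS_HOURS:
                findings.append(("privileged_after_hours", m["user"], line))
            if any(s in m["cmd"] for s in SENSITIVE):
                findings.append(("sensitive_command", m["user"], line))
    return findings


def summary(findings):
    """Count findings per (user, rule) so the administrator sees who did what, how often."""
    counts = {}
    for rule, user, _ in findings:
        counts[(user, rule)] = counts.get((user, rule), 0) + 1
    return counts


if __name__ == "__main__":
    for rule, user, line in review(SAMPLE_LOG):
        print(f"{rule:24} {user:8} {line}")
    print(summary(review(SAMPLE_LOG)))
```

On a real host the script would be fed the authentication log (for example `review(open("/var/log/auth.log").read())`); the su and sudo message formats differ between Unix flavours, so the three message regular expressions are the part to adapt, and the review should run against a copy of the log that the super users being reviewed cannot edit.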

The white-collar-crime investigative capabilities of law enforcement organizations in this part of the world are very low. Businesses suffer threats to their security from many different types of attack: hackers exploiting weaknesses in defenses, employees exploiting their trusted status, and brute-force attacks on passwords must all be guarded against.

Computer fraud, in my own opinion, simply means fraud committed using the computer as an accomplice, by manipulating programs and data files. It is necessary to identify the correct mix of deterrent, preventive and corrective controls to be applied in each installation. The objective of security in this area is to optimize productive computer time, lessen the risk of error and fraud, eliminate unauthorized work and secure the confidentiality of information.

In some organizations IT department staff still log on to the system using the root user-id and password. This practice should be discouraged, because even operators in the most efficient installations occasionally make mistakes.

 

Root is a very powerful user; any manager or root user who carelessly uses its privileges can accidentally destroy an entire operational file system. As root, the super user has complete access to any file or directory as well as the privilege to:

1. override all file mode permissions;

2. bypass all normal security checks;

3. kill any existing process; and even

4. shut down the system.

With these privileges a person can go into the relational database environment and amend programs or files without being noticed or detected. This act is called data diddling. Internal account balances can be manipulated, statement entry amounts can be changed, account activity files can be amended, individual account balances can be manipulated, and even the consolidated account balances can be manipulated.

Where such manipulation is done amateurishly, it results in an untraceable difference in the general ledger or balance sheet. Those differences, however, do not prevent the culprit from withdrawing the fraudulently inflated amount across the counter with a smile and a "Thank you, you are welcome" from the unsuspecting paying cashier or teller.

The entire data diddling process takes the culprit less than five minutes if he or she is familiar with the commands of the relational database environment.
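The manipulation described above, and the review that exposes it, as an added example that is not the author's code and not the schema of any banking product: the tables, account numbers, amounts and teller names are constructed for illustration, using SQLite so the whole thing runs in memory. A crude direct edit of a stored balance leaves the difference in the general ledger that the paper mentions; a more careful culprit who also adjusts the control total leaves no difference there at all. Recomputing every balance from the opening figure plus the transaction journal catches both, which is why the system auditor's review has to reconcile against the journal and not only against the ledger totals.

```python
import sqlite3


def build_sample_db():
    """Constructed mini-ledger (not real bank data): opening balances, a transaction
    journal that the application posts through, and a general-ledger control total."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE accounts(acct TEXT PRIMARY KEY, opening INTEGER NOT NULL, balance INTEGER NOT NULL);
        CREATE TABLE journal(id INTEGER PRIMARY KEY, acct TEXT NOT NULL, amount INTEGER NOT NULL,
                             posted_by TEXT NOT NULL);
        CREATE TABLE gl_control(name TEXT PRIMARY KEY, total INTEGER NOT NULL);
    """)
    con.executemany("INSERT INTO accounts VALUES (?, ?, ?)", [
        ("0011", 100_000, 100_000), ("0022", 50_000, 50_000), ("0033", 20_000, 20_000)])
    con.executemany("INSERT INTO journal(acct, amount, posted_by) VALUES (?, ?, ?)", [
        ("0011", -25_000, "teller7"), ("0022", 25_000, "teller7"), ("0033", 4_000, "teller2")])
    # The application keeps the balance column in step with the journal ...
    con.execute("""UPDATE accounts SET balance = opening +
                   (SELECT COALESCE(SUM(amount), 0) FROM journal WHERE journal.acct = accounts.acct)""")
    # ... and the general ledger carries the control total of all customer balances.
    con.execute("INSERT INTO gl_control VALUES ('customer_deposits', (SELECT SUM(balance) FROM accounts))")
    con.commit()
    return con


def diddle(con, acct, amount):
    """What a super user with direct database access can do in a minute: edit the stored
    balance with no journal entry, i.e. the data diddling described above."""
    con.execute("UPDATE accounts SET balance = balance + ? WHERE acct = ?", (amount, acct))


def diddle_and_cover(con, acct, amount):
    """A more careful culprit also bumps the GL control total so the ledger still balances."""
    diddle(con, acct, amount)
    con.execute("UPDATE gl_control SET total = (SELECT SUM(balance) FROM accounts) "
                "WHERE name = 'customer_deposits'")


def reconcile(con):
    """Recompute every balance as opening + journal and compare with the stored column;
    also compare the sum of account balances with the GL control figure.
    Returns ([(acct, stored, expected, difference), ...], accounts_total - gl_total)."""
    rows = con.execute("""
        SELECT a.acct, a.balance,
               a.opening + COALESCE((SELECT SUM(j.amount) FROM journal j WHERE j.acct = a.acct), 0)
        FROM accounts a ORDER BY a.acct""").fetchall()
    mismatches = [(acct, stored, expected, stored - expected)
                  for acct, stored, expected in rows if stored != expected]
    gl_total = con.execute("SELECT total FROM gl_control WHERE name = 'customer_deposits'").fetchone()[0]
    acct_total = con.execute("SELECT SUM(balance) FROM accounts").fetchone()[0]
    return mismatches, acct_total - gl_total


if __name__ == "__main__":
    con = build_sample_db()
    print(reconcile(con))                     # clean ledger: ([], 0)
    diddle_and_cover(con, "0033", 10_000)
    print(reconcile(con))                     # GL balances, but account 0033 does not match its journal
```

In a production review the recomputation runs from a read-only copy of the journal taken at the end of each processing period, and the reviewer compares it with the live balance table; the journal itself must be protected (append-only, or at least logged and monitored) or the culprit simply edits both.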

 

Control

How do we adequately and effectively control the use of the root user-id and password to prevent abuse and misuse, and how do we monitor the activities of the root user-id or super user on the system?

First, management should adequately empower the security administration function to monitor compliance, report exceptions and enforce strict adherence to laid-down policies and standards.

The security administrator should also think like a thief by considering the following:

1. Where are the weakest links?

2. How can the process be attacked without drawing attention to an individual?

3. How can the evidence be destroyed or hidden?

4. Can the auditor, for example, be misled or distracted during a review?

 

Based on the above scenarios, the following steps should be taken:

1. IT department staff are to use their individual profiles, with super user privileges assigned where necessary, to foster transparency and individual accountability: logs are created for all access to the operating system and the relational database environment and are actively monitored by the security administrator.

2. Restriction of the root user-id to the console.

3. An injunction forbidding development activities on live operational machines.

4. The ability to track and monitor the usage of remote execution commands, to ensure they are not used for fraudulent purposes.

5. Usage of FTP (File Transfer Protocol) facilities should also be monitored and parameterized to forestall any unpleasant consequences.
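Steps 1, 2 and 5 above can be verified from the host's configuration files, and the script below does so as an added example that is not from the paper (steps 3 and 4 are procedural and are not checked here). The file fragments, group and user names are constructed for the example. On a Unix host, root's ability to log in at a terminal through login(1) is governed by /etc/securetty, root's ability to log in over SSH by the PermitRootLogin directive in sshd_config, individual accountability and logging of privileged commands by /etc/sudoers, and root's FTP access by /etc/ftpusers, which lists the accounts that are denied FTP.

```python
import re

# Constructed configuration fragments standing in for the real files (assumed content).
SECURETTY = "console\ntty1\npts/0\npts/1\n"
SSHD_CONFIG = "Port 22\n#PermitRootLogin no\nPermitRootLogin yes\nPasswordAuthentication yes\n"
SUDOERS = """Defaults    syslog=authpriv
Defaults    !syslog
root    ALL=(ALL) ALL
%opsgrp ALL=(ALL) NOPASSWD: ALL
tunde   ALL=(oracle) /usr/bin/sqlplus
"""
FTPUSERS = "daemon\nbin\nsys\n"

# sudoers user specification: who  host=(runas) [TAG:] commands
SPEC_RE = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<rest>.*)$")


def uncommented(text):
    """Yield non-blank lines with '#' comments stripped."""
    for line in text.splitlines():
        s = line.split("#", 1)[0].strip()
        if s:
            yield s


def check_securetty(text):
    """login(1) admits root only on terminals listed here (pam_securetty). Pseudo-terminals
    such as pts/* would let root in over the network, so only console and tty<n> should remain."""
    bad = [t for t in uncommented(text) if not (t == "console" or re.fullmatch(r"tty\d+", t))]
    return [("root_login_allowed_on", t) for t in bad]


def check_sshd(text):
    """sshd uses the first value it reads for a keyword, so the first uncommented line decides."""
    for s in uncommented(text):
        m = re.match(r"PermitRootLogin\s+(\S+)", s, re.IGNORECASE)
        if m:
            return [] if m.group(1).lower() == "no" else [("sshd_permits_root_login", m.group(1))]
    return [("sshd_permit_root_login_unset", "the default is not 'no' on older releases")]


def check_sudoers(text):
    """Flag disabled syslog logging (no audit trail), NOPASSWD (no re-authentication, so a
    walked-away terminal is root) and rules that make someone other than root fully root."""
    findings = []
    for s in uncommented(text):
        if s.startswith("Defaults"):
            if re.search(r"!\s*syslog\b", s):
                findings.append(("sudo_syslog_disabled", s))
            continue
        m = SPEC_RE.match(s)
        if not m:
            continue
        who, rest = m["who"], m["rest"]
        tags, _, cmds = rest.rpartition(":")        # "NOPASSWD: ALL" -> ("NOPASSWD", "ALL")
        if "NOPASSWD" in tags:
            findings.append(("no_reauthentication", who))
        if cmds.strip() == "ALL" and who != "root":
            findings.append(("full_root_equivalence", who))
    return findings


def check_ftpusers(text):
    """/etc/ftpusers lists the accounts DENIED ftp access; root must be among them."""
    return [] if "root" in list(uncommented(text)) else [("root_not_denied_ftp", "root")]


def audit():
    """Run every check against the constructed fragments and return all findings."""
    return (check_securetty(SECURETTY) + check_sshd(SSHD_CONFIG)
            + check_sudoers(SUDOERS) + check_ftpusers(FTPUSERS))


if __name__ == "__main__":
    for rule, detail in audit():
        print(f"{rule:28} {detail}")
```

On a live host each constant is replaced by the contents of the corresponding file, read by the security administrator's own account, and the check runs as part of the periodic compliance review. The findings it raises are the ones the five steps exist to prevent: root reachable over the network, privileged commands that leave no log, and a group that is root in all but name without even a password prompt.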

 

The computer is the network: the desktop or PC may look like a single-user system, but the true power of the computer comes from the myriad systems to which it is connected.

Information is now one of the most important assets an organization can own, and one of the toughest to secure. Human resources are also important, because no matter how big an organization is, its people have always been the heart and soul of its success. Anyone involved in security knows that people are also the biggest threat.

The only secure network is the one with no users at all.

By:

Mukaila Apata-Akinsemoyin 

Mukaila Apata is a System Auditor and Security Administrator with over 18 years of experience in banking systems, programming and system analysis. In addition to his system audit expertise, he has a strong background in Unix, relational database management software and Globus banking software. This is a summary of the paper he delivered at the International Conference on Computer Security and Cybercrime in Africa held on March 28-30, 2006 in Lagos, Nigeria.


 


Comments

September 23, 2006

Jay from Ikeja, Lagos says:

Are the banks listening? How well protected are their ICT systems? CBN must take information security audit seriously. Or are they waiting for EFCC?

