Controls for Preventing and Detecting Computer Crime 


8.7.1 Internal Control and Security Systems

8.7.2 Factors that Encourage Computer Crime

8.7.3 Factors that Discourage Computer Crime

8.7.4 Security Countermeasures to Computer Crime

8.7.5 Solutions

It would be nice to assume that everyone associated with a business is honest. A totally honest workforce would certainly eliminate the need for controls to prevent crime. Of course, that assumption is not viable. People will commit crimes for many reasons, some of which are rational, others of which may make no sense to the observer. The larger the organization, the more likely it is that someone is out to commit a crime. Managers who subscribe to this belief are not necessarily paranoid. In fact, most managers can name their disgruntled employees.

There are those who will steal under the best of employment circumstances. Scott Charney, founding director of the Justice Department's computer crime section and now head of security at Microsoft Corporation, observed that "at any given moment, there is a percentage of the population that is up to no good." Others would not steal even if they were the worst treated employees of Ebenezer Scrooge in A Christmas Carol (the Scrooge prior to ghostly visits, of course).

8.7.1 Internal Control and Security Systems

Internal controls and security systems are designed on the basis of past experience, both in the company in which they are installed and in other companies. The challenge here is to build in enough controls to discourage and discover criminal behavior without breaking the bank in costs or going overboard on security. Companies that have been victimized often react by increasing controls to the point at which the controls can become oppressive and actually interfere with company operations. Although rational companies set up rules to define acceptable and unacceptable behavior, too many constraints make people feel oppressed, distrusted, and under constant surveillance. If the employees perceive what they consider to be excessive controls that make it difficult or impossible to carry out their jobs, they will put infinite energy into finding "workarounds" that let them get their work done, even if these subterfuges violate the controls.

Since its very founding, our society has been based on freedoms and rights. Citizens highly value our freedoms of speech, religion, and assembly, but these freedoms are not absolute. Citizens can speak their minds but cannot freely slander or libel another individual. Citizens cannot, as one famous jurist put it, feel free to yell "FIRE" in a crowded theatre. Citizens cannot trade on inside information or release secret company information without expecting to suffer legal consequences.

Well-designed controls should provide similar checks and balances. The risks, threats, and other vulnerabilities in today's marketplace and technological environment need to be considered, while responsibilities to employees, the value of their contributions, and their need for satisfaction in the workplace need to be taken into account. This consideration includes the provision of a work environment that encourages outstanding performance, profitability and efficiency.

A competent systems analyst or information security specialist can design layer upon layer of controls. Those in excess of what is required by the nature of the risks are not cost-effective. They can place undue burdens both on those who must work under them and those who must monitor and control them. A company's requirement for effective internal controls does not represent a justification for a siege mentality or the construction of an impregnable fortress. Done effectively, the development of internal controls is a matter of proper balance and equilibrium and should not create paranoia.

Looking at the potential for theft and fraud and the actions available to prevent crime brings forth several conclusions:

· Most prevention efforts focus on building more accounting, access, or physical security controls.

· It is vital to recognize that there are limits to technological and procedural controls. Given the speed with which computer and data communications technology evolves and the complexity of modern systems, it is difficult for improvements in protection and detection mechanisms to keep pace.

· It is also important for companies to recognize that improvements in the working environment, including a positive ethical climate and strong interpersonal trust, help discourage criminal thinking and behavior and, as a result, are a part of the control environment. Some factors in the business environment are likely to encourage computer crime and others discourage it. Clearly, the need is to minimize the criminal behavioral motivators and maximize the non-criminal motivators.


8.7.2 Factors that Encourage Computer Crime

The factors that enhance the probability that a company will be the target of theft, fraud, embezzlement, and corruption, including computer crime, can be either motivational (related to the corporate reward system and company policies) or personal (related to the character of a particular perpetrator).

The following are motivational factors that encourage computer crime:

· Inadequate rewards, including pay, fringe benefits, stock and stock options, bonuses, incentives, perquisites, job security, meaningful work, and promotional opportunities.

· Inadequate management controls, including failure to communicate expected standards of job performance or job-related behavior, and ambiguity in work roles, relationships, responsibilities, and areas of accountability.

· Inadequate reinforcement and performance feedback mechanisms, including lack of recognition for good work, loyalty, longevity, and effort; lack of meaningful recognition for outstanding performance; and delayed or nonexistent feedback on performance inadequacies or unacceptable on-the-job behavior.

· Failure to offer counseling when performance or behavior falls below acceptable levels.

· Acceptance of mediocre performance as the standard.

· Inadequate support and lack of resources to meet standards by, for example, not providing authority to hire sufficient personnel to meet requirements for quality, quantity, and timeliness of work produced.

· Inadequate operational reviews, audits, inspections, and follow-throughs to ensure compliance with company policies, priorities, procedures, and government regulations.

· Condoning inappropriate ethical norms or inappropriate behavior. If potential perpetrators believe that the company will not report their activities to the police, but would rather handle the incident through a quiet resignation, the deterrent effect of a potentially long prison sentence disappears.

· Failure to control hostility generated by promotion or destructive competitiveness among departments, offices, or personnel.

· Failure to control bias or unfairness in selection, promotion, compensation, and appraisal.

· An uncertain future where a company faces merger, acquisition, or failure.

The following are common problems that can become personal motivations for computer crime:

· Inadequate standards of recruitment and selection

· Inadequate orientation and training on security matters and on sanctions for violating security rules

· Unresolved personal financial problems

· Unresolved problems relating to personal status

· Failure to verify prior employment history, educational qualifications, financial stability, and character before appointments to sensitive positions

· Inadequate control of the level of job-related stress and anxiety

· Inadequate employee communication programs to monitor and help relieve uncertainty and anxiety among employees


8.7.3 Factors that Discourage Computer Crime

Computer crime can be discouraged through measures designed not only to prevent crime but also to detect attempts to engage in computer crimes. The recommended prevention measures are the following:

1. Internal accounting controls. These traditional measures to discourage crime are as important in an automated environment as in a manual-processing environment. They include the following:

o Separation and rotation of duties. As personnel change jobs, so must their access codes be changed to match their current job requirements.

o Periodic internal audits by trained, competent personnel, surprise inspections, and computer security reviews.

o Absolute insistence that control policies and procedures be documented in writing.

o Dual signature authorities, dollar authorization limits, expiration dates for signature authorizations, and check amount limits. These should be established and audited both routinely and by surprise.

o Offline controls and limits, including batch controls and hash totals.

o Feedback mechanisms to permit employees to report problems in security or control without fear of retribution.

2. Computer access controls. These controls may include the following:

o Authentication and identification controls, including keys or smartcards, passwords, biometrics, callback systems, one-time passwords, time- and day-constrained access, and periodic code and password changes.

o Compartmentalization, also known as need to know.

o Use of encryption to protect data while stored or in transit.

3. Firewalls. The use of firewalls and similar safeguards prevents unauthorized access through the Internet. Firewalls, however, are only effective when they are properly sited within the company network and when they are properly configured. A very small error in entering a firewall configuration file may result in the firewall not providing the security that users and management expect.

The measures to detect attempts to commit computer crime include the following:

1. A system of logging and follow-up of exceptions should be designed and implemented to log unusual activities; procedures should be in place to follow up on reported exceptions, such as the following:

· Transactions that are out of sequence, out of priority, or otherwise out of standard

· Aborted runs and entries, including repeated unsuccessful attempts to enter the system

· Attempts to access applications or functions beyond a person's authorization

2. Logging and following up on variances should be able to indicate that a problem may have occurred or is occurring.

3. General logging should be in place because, when problems are uncovered, logs of access, Web activity, and other actions may be vital evidence in tracking down the person involved. Logs should be maintained for at least a few months before being erased. Large log files can be filtered so that high-risk transactions are recorded at a lower volume, thus permitting longer storage of the log.

4. Awareness of employee attitudes and satisfaction levels should be developed and maintained.

5. Sensitivity should be developed and maintained to reports that particular individuals are having problems, living beyond their means, or talking about "getting even" for perceived slights.

6. Newly developed intrusion detection systems should be used that have artificial intelligence capabilities to detect unusual transactions flowing through a system. These are evolving and have the prospect of being an order-of-magnitude improvement in crime detection technology. Several specialized companies can now help manage such systems and provide remote monitoring and response assistance 24/7. For many organizations, these third-party monitoring services can be a very cost-effective way of maintaining a constant watch on their systems.
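As an added illustration of the logging and follow-up items above (this code is not part of the handbook), the following Python scans a constructed access and transaction log for the three kinds of exceptions listed and then filters the log down to the high-risk subset that would be retained longer. The log format, the need-to-know table, and the failed-login threshold are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample log (not from the handbook): "time user event [detail]".
SAMPLE_LOG = """\
09:00:01 alice LOGIN_FAIL
09:00:09 alice LOGIN_FAIL
09:00:15 alice LOGIN_FAIL
09:00:20 alice LOGIN_OK
09:01:00 alice TXN 1001
09:01:05 alice TXN 1002
09:01:10 alice TXN 1004
09:01:12 alice TXN 1003
09:02:00 bob LOGIN_OK
09:02:10 bob ACCESS payroll
09:02:30 bob ACCESS ledger
09:03:00 carol LOGIN_OK
09:03:05 carol ACCESS ledger
"""

# Constructed need-to-know table: applications each user is authorized to use.
AUTHORIZED = {"alice": {"ledger"}, "bob": {"ledger"}, "carol": {"ledger"}}


def find_exceptions(log_text, authorized, fail_threshold=3):
    """Return (user, kind, detail) tuples that need follow-up."""
    findings = []
    failures = defaultdict(int)   # consecutive failed logins per user
    last_seq = {}                 # last transaction number seen per user
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue              # malformed line: ignore
        ts, user, event = parts[:3]
        detail = parts[3] if len(parts) > 3 else ""
        if event == "LOGIN_FAIL":
            failures[user] += 1
            if failures[user] == fail_threshold:   # report once per streak
                findings.append((user, "repeated_login_failures",
                                 f"{fail_threshold} failures by {ts}"))
        elif event == "LOGIN_OK":
            failures[user] = 0
        elif event == "TXN":
            seq, prev = int(detail), last_seq.get(user)
            if prev is not None and seq != prev + 1:   # out of sequence
                findings.append((user, "out_of_sequence",
                                 f"{prev} then {seq} at {ts}"))
            last_seq[user] = seq
        elif event == "ACCESS" and detail not in authorized.get(user, set()):
            findings.append((user, "beyond_authorization", f"{detail} at {ts}"))
    return findings


def high_risk_subset(log_text, findings):
    """Keep only lines of users with findings, so they can be stored longer."""
    flagged = {user for user, _, _ in findings}
    return [ln for ln in log_text.splitlines()
            if len(ln.split()) > 1 and ln.split()[1] in flagged]
```

Running find_exceptions over SAMPLE_LOG reports alice's three failed logins, her two out-of-sequence transactions, and bob's attempt to reach payroll, while carol's lines drop out of the retained subset.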


8.7.4 Security Countermeasures to Computer Crime

The focus of Chapter 4 of this Handbook is computer security in general. The focus of this section is the specific measures that are often used to prevent computer crimes by those either inside or outside an organization. While some measures are applicable to almost all situations, it is vital that each organization considers those controls that are appropriate to its particular circumstances.

Security Holes

One of the unpleasant realities of today's systems environment is that the systems used, including operating systems, firewalls, and security packages, as well as application systems, are not perfect when they are released by the manufacturers to their customers. Security problems are discovered regularly. Information about ways to exploit security holes is quickly reported worldwide by independent bulletin board systems, government-funded sites such as the U.S. Computer Emergency Response Team at Carnegie-Mellon University, private sector monitoring sites such as that of Internet Security Systems (ISS), and the software manufacturers themselves. Sometimes the problem and the ways to exploit it are reported before a repair patch can be developed. It has become absolutely vital, therefore, that every organization monitor these information sources to be certain that all relevant holes in security are understood and closed as soon as possible.

If a hole is not closed, which experience indicates is often the case, the company continues to operate with known holes in its security. It is also vital that the internal auditors understand the importance of monitoring and closing software holes and that this is included in the review plan.

Not all updates recommended by vendors are critical security issues. Some are for efficiency, some are to provide new features, and some correct functionality problems. Each company must evaluate which updates are critical. A substantial cost is involved in constantly updating systems, and each update could introduce new problems.

It should also be noted that in addition to patches, there is a second, closely related issue called configuration. Unless the right selections are made in setting up software for use, security may be at a lower level than it ought to be. Improper configuration may result in security features being turned off or security warnings being ignored.

Computer Access Control

Controls that allow only authorized people access to sensitive systems include the following:

· Passwords. Use passwords that are long enough to be difficult to guess. Passwords should not be composed of simple words, names of relatives, and so on, and should be changed regularly. Some organizations have had good results by requiring every password to combine upper and lower case letters, numbers, and special characters.

· Compartmentalization. Restrict users to the specific files and programs they have a job-related need to access. This requires updates on an "as necessary" basis to conform access to the needs of people moving from assignment to assignment within the organization.

· Use of biometrics. Use fingerprints, iris recognition, hand geometry, and other new technologies for added measures of control.

· Use of one-time passwords. Use hardware or software that generates a new password for each access. This may be generated through the passage of time or using a calculator-like device to enter a randomly generated "challenge" number and get a response number that is then entered into the computer to validate identity.

· Automatic log off. Use this measure to prevent unauthorized access to the system when authorized users fail to log off.

· Time-day controls. Restrict personnel access to those times when they are supposed to be on duty. An extension of this concept for companies using automated time clock systems is to deny access and report a violation if access is attempted when an employee is not shown in the time clock system as being present.

· Dial-back systems. Use these systems when access is through a dial-up system. On accepting a user ID and password, the system hangs up and dials an established number at which the approved user is standing by. This is very helpful when a person works at a predictable location, for example, the home office of a telecommuting employee.

· MAC address controls. Where an employee is located at the end of a broadband connection, it may be possible to limit connectivity to your system only to those physical devices you have authorized. Every Ethernet adapter, for example, has what is called a Machine Address Control (or MAC) address unique to that adapter.

· Random personal information checks. Implement this means of identifying unauthorized log-in attempts. The system randomly transmits a question that only the authorized individual could answer and denies access unless the right answer is received. If several personal questions are on file, this technique can be very effective.

· Internet authentication. Use this control for telecommuting employees. With telecommuting on the rise, many companies are taking advantage of low-cost, high-bandwidth Internet connections such as asymmetric digital subscriber lines (DSL) and cable TV modems, which offer download speeds of up to 1.5MB per second and uploads of 400KB per second for nominal monthly charges, and include continuous access, twenty-four hours a day, seven days a week. The connection between a user's computer and a company server can be encrypted with simple tools like SSL (Secure Sockets Layer).
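The time-day control, its time-clock extension, and compartmentalization described above, combined into a single access decision that also produces the violation record to be reported. This is an added example, not code from the handbook; the duty schedule, time-clock state, and need-to-know table are constructed for illustration.

```python
from datetime import datetime, time

# Constructed duty schedule per user: weekday numbers (Monday = 0) and the
# on-duty window, which is the only time access is permitted.
SCHEDULE = {
    "alice": {"days": {0, 1, 2, 3, 4}, "start": time(8, 0), "end": time(18, 0)},
}
# Constructed time-clock state (who is clocked in now) and need-to-know table.
CLOCKED_IN = {"alice"}
AUTHORIZED = {"alice": {"ledger"}}


def check_access(user, resource, when, schedule=SCHEDULE,
                 clocked_in=CLOCKED_IN, authorized=AUTHORIZED):
    """Return (allowed, reason). Every denial is a reportable violation."""
    duty = schedule.get(user)
    if duty is None:
        return False, "no duty schedule on file"
    if when.weekday() not in duty["days"]:
        return False, "access attempted on an off-duty day"
    if not duty["start"] <= when.time() < duty["end"]:
        return False, "access attempted outside duty hours"
    if user not in clocked_in:          # time-clock extension of the control
        return False, "employee not shown present in the time clock system"
    if resource not in authorized.get(user, set()):   # need to know
        return False, f"no job-related need for {resource}"
    return True, "access permitted"


def violation_record(user, resource, when, decision):
    """Format a denial as a log line for exception follow-up; None if allowed."""
    allowed, reason = decision
    if allowed:
        return None
    return (f"{when.isoformat()} VIOLATION user={user} "
            f"resource={resource} reason={reason}")
```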


8.7.5 Solutions

When investigating computer crimes, investigators and forensic accountants often discover what could have been done to prevent the crimes. The following are some of the most frequently found items. The organizations failed to:

· Have written policies and security rules for the use of computers and systems.

· Have temporary employees and independent contractors follow the same security rules as regular employees.

· Adjust access as people changed responsibilities internally.

· Keep up with and close security holes in applications, firewalls, and operating systems.

· Maintain virus protection on a fully updated basis.

Some of the suggestions to improve computer security include implementing the following:

· More effective policies for security over proprietary information

· Better interaction between the human resources department, the systems department, and corporate security functions

· Better internal accounting controls

· Better supervision of those with sensitive access to systems

· Better employee instruction in security issues

· Better computer audit software

· Better software security

· Better physical security in the workplace

Copyright © 2006-2013 American Institute of CPAs.