Advertise Here!Call +234 (0) 8035007778
Fighting Internal Crime before it Happens - the Enemy within
Information Technology (IT) becomes
a critical mission when business goals cannot be achieved without it's
continuous, effective ad efficient support e.g. when the enterprise
cannot exist without Information technology. The enterprise today has
grown increasingly dependent on Information technology infrastructure.
Most organizations today have installed computers of various sizes for processing data into information knowledge. Too much emphasis appears to have been placed on the technology and too little attention on the security of the valuable business wealth contained in the information being managed with Information Technology Department.
This is perhaps the worst risk facing business today because security awareness among the non-computer professional is very low. To ensure that organization's information technology and business systems are adequately controlled, monitors and assessed, there is need for establishment of and compliance with appropriate standards, procedures and controls of information system security.
Information Technology Department
perform a valuable services, often put in a long hours effort to improve
the system performance. Management who have other pressures and probably
do not share their all-consuming interest in Information Technology
matters are usually inclined to leave them to their work with minimum
supervision. In some
organizations the management often feel that, since it is not their area
of expertise, there is no need for supervising or restricting the
activities of the Information Technology specialist. Unfortunately there are major risks with this approach.
Whistling in the dark
The question is "How would you know if he/she sabotaged or manipulated computer systems out of a desire to make an illicit profit, or from sheer malevolence.
System security officers who wishes to address security of the system effectively must be aware that their management may only have a limited view of their problems. In some cases, carefully constructed security standards and procedures are dismissed with a wave of hand or with a comment such as "' I have no time to go into that" thereby putting the system security officer or officers at loggerhead with Information Technology Department staff. Most organization demonstrates a "whistling in the dark mentality" i.e. Management will not do anything until and unless something goes wrong.
Complete lack of management
commitment in many cases has rendered an expensive security initiative
ineffective. Therefore it is essential to educate management away from
Internet or (WAN) Wide Area Network exposes the organization to several risks. Some of the risk however is inherent in the organization itself. And not necessarily on the Internet or external network. The internet utilizes a public network as a transaction medium. As a result the organization and whatever systems they are using are hereby exposed to the risks of unauthorized access and hacker attacks. Service disruptions and spurious transactions may follow.
Even if you have just built the most effective access control system or installing a firewall is not enough for you to relax because even the tightest access controls can not keep your organization's critical systems secure without effective review and analysis of security events. To catch intruders or identify internal risks, you need to collect and analyze and analyze audit trail on regular basis. That means a lot of data and a lot of analysis.
The enemy within
Some of the most crippling crimes against an enterprise are committed by the organization's own employees. This is why control over the IT experts and users who use it is critical. Uncontrolled systems development will automatically produce systems, which are uncontrollable. Bugs and other accidental errors will proliferate while these systems become fertile breeding ground for attempts at fraud. i.e. Data Didlling, Trojan horse, salami technique, virus, rounding down, logic bomb , etc.
Anyone can make a mistake and the consequences of these must be contained by effective security controls. More worrying and increasingly frequent are malicious acts of sabotage or fraud. Sabotage or frauds are more likely to occur if the chances of detection are very low. Carefully constructed, comprehensive security policies, standard and procedures will reduce the opportunity to commit crime and increase the possibility of detection.
The types of damage a criminal
employee may inflict are as varied as the employees themselves. Very few
operate out of revenge, but greed is much more common motivator. A
dishonest employee see his/her employer as an easy source of funds and
be convinced that since he/she is stealing from an organization rather
than individual, no one is getting hurt. These crimes are generally motivated by greed and are common in
our financial institutions. However, the chances of detecting some of
these atrocities are minimal hence they are not reported.
The scams perpetrated by computer fraud
offenders are elusive, creative, complex and sometimes include a
thorough knowledge of IT and business processes. Most users interact
with the computer system only through the application software. The application software enables and also limits the action that
a user can do. The first
thing the system auditor or security administrator needs to know is what
does the application software do and what activity does it perform.
After this, it is necessary to identify the potential risks associated
with the business function served by the application i.e. (what can go
wrong) and see how thee risks are handle by the software (what controls
For application review, the system auditor or
security administrator's knowledge of the intricacies of the business
is important as well as the technical knowledge. In the application environment, restricting and monitoring of
users activities can be automatically logged by the computer and
reported. Fraud in this environment can be easily detected and checked
by setting the parameters correctly.
In the batch-processing environment, restricting
and monitoring ordinary user with different profiles can automatically
logged by the application and reported. In online systems, the avenues of access are more complex.
The method to be adopted incase of super users
i.e. Information Technology staff should be different since they have
access to the Operating system, the Relational database environment and
the application. They can
be allowed to login to the application just like every other user once
the access to the application requires two authentication methods.
The Information Technology Department
The organization of Operations unit or systems
unit of Information Technology Department should allow for proper
division of duties to ensure that the potential for unauthorized
operation and fraud is minimized. The system log should be analyzed to
provide the management with detailed information on all normal and
abnormal occurrences during each processing period. The availability of
the log is extremely valuable. Effective
security demands that this happens and that evidence of their resulting
activities is documented.
The white-collar criminal investigative
capabilities of law enforcement organizations in this part of the world
are very low. Businesses suffer threats to their security from many
different types of attacks. Hackers
exploiting weakness in defenses, employees exploiting their trusted
status and brute force attacks on password all must be guarded against.
Computer fraud in my own opinion simply means frauds committed using the computers as an accomplice by manipulating programs and data files. It is necessary to identify the correct mix of deterrent, preventive and corrective controls, which needs to be applied in each installation. The objective of security in this area is to optimize productive computer time, lessen the risk of error and fraud, eliminate unauthorized work and secure the confidentiality of information.
In some organizations, IT Dept
staff still log on to the system using root
user-id and passwords. This
system of operation should be discouraged because even operators in the
most efficient installations occasionally make mistakes.
Root is a very powerful user; any manager or root user who carelessly uses
its privileges can accidentally destroy an entire operational file
system. As root, the super user special system privileges include
complete access to any file or directory as well as the privilege to do
1. Override all file mode permissions
2. Bypass all normal security checks
3. kill any existing processes and even
4. shutdown the system.
With the above permissions, you can
go to the relational database environment and amend the programs or file
without being noticed or detected. This act is called data didlling.
Internal accounts balances can be manipulated, statement entries amount
can also be changed, account activity files can also be amended,
individual account balances can be manipulated and even the consolidated
account balances can also be manipulated.
In a situation where the above
manipulation is amateurishly done, this will result in an untraceable
difference in general ledger or balance sheet. These differences however
do not prevent the culprit from withdrawing the fraudulent and inflated
amount across the counter with a smile or a "Thanks you are welcome"
comment from the unsuspecting paying cashier or teller.
The entire of process of the data
didlling will take the culprit less than five minutes if he/she is
familiar with the commands of the relational database environment.
How do we adequately and
effectively control the use of the
root user-id and password to prevent abuse and misuse as well as
monitoring the activities of a root user-id or super user on the system?
First, The management should
adequately empower the security administration function personnel to
monitor compliance with report exceptions and enforce strict adherence
to laid down policies and standards.
The security administrator should
like a thief by considering the followings:
1. Where are the weakest links?
2. How can the process be attacked without drawing attention to
3. How can the evidence be destroyed or hidden?
4. Can auditor, for example be misled or distracted during a
Based on the above scenarios, the
following steps should be taken
1. IT Dept staff are to use their individual profiles with
assigned super user privileges (if
need be) to foster transparency and individual accountability by
creating logs for all access to operating systems, relational database
environment and actively monitored by the security administrator.
2. Restriction of root user-id to console
3. Injunction forbidding development activities on live
4. Ability to track and monitor the usage of remote execution
commands to ensure they are not used for fraudulent motives.
5. Usage of ‘FTP' (File Transfer Protocol) facilities should also be monitored and
parametised to forestall any unpleasant consequences.
The computer is the network, the
desktop or PC may look like a single user system, but the true power of
computer comes from the myriad systems to which it is connected.
Information is now one of the most
important assets an organization can own and one of the toughest to
secure. Human resources are also important because no matter how big an
organization, the people have always represented the heart and soul of
an organization's success. Anyone
involved in the security knows that people are also the biggest threat.
The only secure network is the one
with no users at all.
Mukaila Apata is a System Auditor and Security Administrator with over 18years
of experience in banking systems, programming and system analysis. In addition
to his System Audit expertise, he has a strong background in Unix, Relational
database management software and Globus banking software. This is the summary of the paper he delivered at the International Conference on Computer Security and Cybercrime in Africa held on March 28-30, 2006 in Lagos, Nigeria
Link to this Content/Resource
We appreciate you notifying other webmasters about our Content and Resources. You can even link directly to this content article!
For instance. If you like this resource or any of our resources, please add a
link to our website using the following HTML code:
<a href="http://www.jidaw.com/security/aisa/internal.html">Fighting Internal Computer Fraud</a><br>
Information Security Strategy
MORE ..Attend the next FREE IT Career Seminar.. and Get IT Career Tips and Insights:
More Information Security Resources
What Do you Have to Say? Post Your Comments about this Content Resource Here.
September 23, 2006
Jay from Ikeja, Lagos says:
Are the banks listening? How well protected are their ICT systems? CBN must take information security audit seriously. Or are they waiting for EFCC?
DISRUPT THE STATUS QUO!
Ideas are not enough. You must be action oriented to improve your future.
Don't just think but act. You get results not only from thinking but from acting.
You have ideas. You want to achieve. You want opportunity.
But what are you still doing in your comfort zone? The comfort zone is a dangerous place.
"I wanted to", "I was going to" cannot put on a light bulb, not to talk of moving you forward.
Aren't you tired of hoping and criticizing? Stop defending status quo that locks you down.
GO on the offensive now with IT Education and Empowerment.
What is the use of ideas without action?
Start becoming the achiever you deserve to be.
MAKE SURE THERE IS NO STANDING ROOM FOR EXCUSES.