DATA SECURITY
THREATS AND HAZARDS TO DATA
The following are among the threats to data security:
1 . Data may get lost or damaged during a system crash – especially one
affecting the hard disk
2. It can be corrupted as a result of faulty disks, disk drives, or power failures
3. It can be lost by accidentally deleting or overwriting files
4. It can be lost or become corrupted by computer viruses
5. It can be hacked into by unauthorized users and deleted or altered
6. It can be destroyed by natural disasters, acts of terrorism, or war
7. It can be deleted or altered by employees wishing to make money or take
revenge on their employer
METHODS OF SECURING DATA
Data security refers to protecting data from destructive forces and unwanted
actions of unauthorized users. Data needs to be protected from loss through
accidental or malicious deletion, virus attacks hard disk or system failures,
unauthorized access etc. Methods of protecting data include:
i) Use of passwords (Access Authentication): A password is a
secret word or string of characters that is used for user
authentication/verification before the user can gain access to data.
The password should be kept secret from those not allowed access.
Passwords are used together with usernames by users in a log-in
process that controls access to protected system data.
ii) Right of Access refers to the authorization you have to access
different data files. Right of access helps determines who has the right
to do what in relation to certain data or information. For example,
database administrators may be able to remove, edit and add data
while a general user may not have the right to do the same. Right of
access in an organization is usually given/ specified by the system or
database administrators.
iii) Logs and Audit trails: An audit trail is a record showing who has
accessed a computer system, when and what operations he or she has
performed during a given period of time. An audit trail can also
maintain a record of activity by the system itself. Audit trails are useful
both for maintaining data security and for recovering lost transactions.
iv) Anti-virus programs are software used to prevent, detect and
remove malicious software such as viruses which can interfere with or
lead to the loss of data stored on a computer. A virus or a malware in
general is software used or programmed by attackers to disrupt
computer operations or gain access to private computer systems in
order to steal or destroy sensitive information of personal, financial or
business importance. Examples of anti-virus software include Norton,
AVG, Kaspersky etc.
v) Encryption: This is the process of encoding (convert into a coded
form) information stored on a device especially where the data is
stored on a portable device or transmitted over a public network. The
key to decrypt the data should be kept securely.
vi) Firewalls: A firewall is a software or hardware-based network security
system that prevents unauthorized access to or from a private network.
Such a system is very important where there is any external
connectivity, either to other networks or to the internet.
vii) Physical Security: This includes locking of offices and use of alarms,
keeping computers or database servers in strong-rooms, use of
security cameras and employing security guards where necessary.
viii) Data Protection Act
This refers to an Act of Parliament enacted to regulate the collection,
processing, storage/keeping, use and misuse and disclosure of
information relating to individuals that is processed automatically. The
Act created a Commission-Freedom of Information Commission of
Kenya-with the mandate of ensuring the implementation of the Act, to
receive complaints regarding violations of the Act, institute legal
proceedings and settlement concerning such violations. The Act,
however, only applies to personal information held by public authorities
and excludes private bodies.
ix) Data Back-up refers to the copying and archiving of computer data
in a secure location so that it may be used to restore the original data
after a data loss event occasioned by either accidental or malicious
deletion, system failure, virus attack, data corruption or natural
disasters.
Methods of Data Back-up
i) Disk Mirroring/ RAID A technique in which data is written to two
duplicate disks concurrently to ensure continuous availability. This
means installing two disk drives and an equal number of drive
controllers such that when the computer writes data on one drive, it
automatically writes that data to the other drives and therefore offers
synchronized copies on several drives. If one drive fails, the system
swaps the failed drive for a new one, ensuring continuity. The problem
with mirroring is that if a deletion occurs in one disk, the same will be
deleted in the mirror back-up. The disks can be installed on the same
machine or over long distance.
ii) Disk Copy copies the contents of a disk in the source drive to a disk in
the destination drive or to an image file. Disk copy works only with
removable disks. Disk copy or imaging has a disadvantage in that it
takes a lot of time to do because the image is usually very big.
iii) Remote/Online data back-up: some companies offer services for
online data storage also known as cloud services. The main advantage
to this method is that since the data is not in your physical location, if
there is a natural disaster, your data will be safe. The data is also
encrypted and so kept very safe.
HARDWARE SAFETY
Hardware safety protects the machine and peripheral hardware from theft and
from electronic intrusion and damage. Hardware safety can be ensured through:
a) Safety Against Theft
Computers are very valuable and relatively portable they and can easily be stolen
which would be made worse by the loss of the valuable data stored on them.
Physical safety should be put in place such as locking the rooms, installing alarm
systems and Closed Circuit Television Cameras (CCTV) where they are kept to
prevent theft. The computers can also be bolted to benches or cabinets in order
to make theft difficult.
b) Protection from Power Interruptions
The power delivered to computers should be stable and constant but sometimes
fluctuations in power supply occur. For example, voltage surges and spikes, a
blackout or brownout can cause a computer to shut down abruptly. Information
that is stored only in short-term memory will be lost. As well, the fluctuation can
physically damage computer components such as the power supply unit.
Computer systems can be protected from such interruptions through:
i) Use of uninterruptible Power Supply (UPS)
A UPS is a device that allows a computer to keep running for at least a
short time after the primary power source is lost. The device also provides
protection against power surges and drops.
ii) Use of power surge protectors/suppressors
A surge protector or suppressor is an appliance designed to protect electrical
devices from voltage spikes caused by events like lightning strikes and short
circuits. Voltage spikes might damage a computer’s electronic parts, melting
plastic and metal parts or even corrupting the data stored on the computer.
Surge protectors limit the voltage supplied to a device by either blocking the
unwanted voltages or by shorting the voltages to ground.
c) Environmental Safety
Computers also require the right balance of physical and environmental
conditions to operate properly. Measures should be put in place to protect
computers from fire, smoke, dust, excessive temperatures, high levels of
humidity and electrical noise such as from motors. Such measures include
installation of climate control systems and dehumidifiers, fire fighting systems
etc.
d) Other physical measures include the disabling of USB ports or CD ROM Drives,
installation of drive locks and case intrusion detection. This will help in
protecting against unauthorized copying and transfer of data as well as
preventing infection of the computer with viruses through portable storage
devices such as pen drives.
SOFTWARE SAFETY
Logical/Software Safety consists of software safeguards for a system,
including user identification mechanisms and safety software. These
measures ensure that only authorized users are able to perform actions or
access information in a network or a workstation.
Elements of logical safety include:
a) Biometric authentication
Biometric authentication is the use of a user’s physiological features to confirm
their identity before they are allowed access to a computer system. These
features include software that verify user identification through fingerprints, eye
retinas and irises, voice patterns, facial bone structure etc.
b) Token authentication
Token authentication comprises safety tokens which are small devices that
authorized users of computer systems or networks carry to assist in identifying
them as they log into the system. They include smart cards or small USB drives
with built-in code generators and are inserted to the computer through USB ports.
c) Password authentication
This method uses secret data e.g. strings of character to control access to a
system and is normally used together with usernames. The passwords are either
created by the user or assigned by system administrators. Usually, limitations to
password creation include length restrictions, a requirement of number
characters, uppercase letters or special characters. The system may also force a
user to change their passwords after a given amount of time.
d) Access Rights
e) Audit Trails
f) Use of Safety Software
Safety software refers to any computer program whose purpose is to
help secure a computer system or a computer network. Types of
safety software include Antivirus software, Anti-key loggers, Anti-Spam
software, Firewall systems etc
These software systems protect computers and the data they hold
from various threats. The threats include, among others, industrial
espionage, loss of data to hackers (people who exploit weaknesses in
a computer system to gain access and motivated by reasons like
profit/theft of data, protest or challenge) and attacks from malicious
code such as:
o viruses
A virus is a malicious program that replicates itself and spreads
from one computer to another. They attach themselves to existing
programs in order to spread. Viruses almost always corrupt or
modify files on a targeted computer.
o Trojan horses
This is a type of malware (malicious software) that gains privileged
access to a computer system while appearing to perform a
desirable function but instead installs a malicious code that allows
unauthorized access to the target computer. They usually come as
free software offers in some websites which users download and
install on their machines.
Trojans do not self-replicate. Distribution channels include e-mail,
malicious or hacked Web pages, Internet Relay Chat (IRC), peer-topeer networks etc.
o Worms
Worms are malware that spread themselves to other computers
using computer networks and do not need to attach themselves to
existing software. They harm networks by consuming bandwidth
(by increasing network traffic etc) but do not attempt to change the
systems they pass through.
o Rootkits
A rootkit is a type of malicious software that is activated each time
your system boots up. Rootkits are difficult to detect because they
are activated before the Operating System has completely booted
up. A rootkit often allows the installation of hidden files, processes,
hidden user accounts, and more in the systems OS. They are also
able to intercept data from terminals, network connections, and the
keyboard.
o Keyloggers
This is a type of malware that records (or logs) the keys struck on a
keyboard, usually in a covert manner so that the person using the
keyboard is unaware that their actions are being monitored and
then the information is transmitted to the originators.
Anti-virus software include Norton, AVG, Kaspersky, MacAfee, Avast etc. These
software programs are meant to prevent, detect and remove malicious software
from computer systems.
The software come with a database of all known or identified malware against
which they protect the systems they are installed on. The databases and the
software themselves need to be updated regularly to ensure continued protection
for the system. Once installed on a machine, the anti-virus software always runs
in the background watching out for suspicious activity that could be initiated by a
virus and if it makes detection, it warns the computer user and provides a
solution to the threat.
A virus scan involves the examining of the content of the computer’s memory
(RAM and boot sectors) and the files stored on fixed and removable drives and
comparing those files against the database of known viruses.
Anti-virus software should be registered in order to be used even if they are
offered free of charge. Software registration is a means of providing the EndUser with a license from the developer which makes the use of the software legal.
It also makes it possible for the End-User to update the software for continued
protection.
Firewalls
A firewall is software or hardware-based network safety system that controls the
incoming and outgoing network traffic by analyzing the data packets and
determining whether they should be allowed through or not, based on set rules.
COMPUTER CRIMES
Breaches of Physical Security
Dumpster Diving
Dumpster diving, or trashing, is a name given to a very simple type of security
attack-scavenging through materials that have been thrown away, as shown in.
This type of attack isn’t illegal in any obvious way. If papers are thrown away,
nobody wants them–right? Dumpster diving also isn’t unique to computer
facilities. All kinds of sensitive information turns up in the trash, and industrial
spies through the years have used this method to get information about their
competitors.
Around the offices and in the trash, crackers can find used disks and tapes,
discarded printouts, and handwritten notes of all kinds. They may also retrieve
printouts, computer manuals, and other documents from which they extract
information needed to crack the system. In the system itself are files that have
been deleted, but that haven’t actually been erased from the system. Computers
Wiretapping
There are a number of ways that physical methods can breach networks and
communications. Criminals sometimes use wiretapping methods to eavesdrop
on communications.
Eavesdropping on Emanations
Computer equipment, like every other type of electrical equipment from
hairdryers to stereos, emits electromagnetic impulses. Whenever you strike a
computer key, an electronic impulse is sent into the immediate area. Foreign
intelligence services, commercial enterprises, and sometimes even teenage
crackers may take advantage of these electronic emanations by monitoring,
intercepting, and decoding them.
Because of the emanation threat, government computers that are used to store
and process classified information require special physical shielding.
Denial or Degradation of Service
In security terms, availability means that the computer facility, the computer
itself, and the software and data users need are all working and available for use.
Someone who shuts down service or slows it to a snail’s pace is committing an
offense known as denial of service or degradation of service. There are many
ways to disrupt service, including such physical means as arson or explosions;
shutting off power, air conditioning, or water (needed by air conditioning
systems); or performing various kinds of electromagnetic disturbances.
Turning off power or sending messages to system software telling it to stop
processing are examples of the first type of attack–a classic denial of service.
The other type of attack, known as flooding (or sometimes wedging or
spamming) is the type employed by the Internet worm. As the worm spread
across systems and networks, it kept creating new processes that so clogged
the affected systems that other work couldn’t get done.
Breaches of Personnel Security
Masquerading
Masquerading occurs when one person uses the identity of another to gain
access to a computer. This may be done in person or remotely. There are both
physical and electronic forms of masquerading. In person, a criminal may use an
authorized user’s identity or access card to get into restricted areas where he will
have access to computers and data. This may be as simple as signing someone
else’s name to a sign-in sheet at the door of a building. It may be as complex as
playing back a voice recording of someone else to gain entry via a voice
recognition system.
A related attack, sometimes called piggybacking, involves following an
authorized person into a restricted area–a building or a computer room.
People are very likely to pick passwords that can be easily guessed by intruders
or can be cracked by password cracking or dictionary programs. They pick the
names of their spouses, children, or pets, their birthdates or license plates or
astrological signs, or the names of sports teams or fictional characters.
Harassment
A particularly nasty kind of personnel breach we’ve seen lately is harassment on
the Internet. Sending threatening email messages and slandering people on
bulletin board systems and newsgroups is all too common.
These kinds of attacks are not new, and personally threatening remarks can as
easily be sent by letter or posted on a wall, as they can be sent over the Internet.
But the electronic audience is a much larger one, and such messages, sent out
from an organization’s network domain, may damage the reputation of the
organization as well as that of the particular perpetrator.
Software Piracy
Software piracy is an issue that spans the category boundaries and may be
enforced in some organizations and not in others. Pirated computer programs
are big business. Copying and selling off-the-shelf application programs in
violation of the copyrights costs software vendors many millions of dollars. The
problem is an international one, reaching epidemic proportions in some countries.
Employees need to be educated about the legalities, ethics, and company
policies relating to software piracy and other forms of unauthorized copying of
information. Some breaches really come down to policy and policy enforcement.
What might be considered a crime in some organizations might be a minor
infraction, or even legitimate, in another. For example, does an organization allow
employees to carry sensitive data outside the office? Can the employee use
company software and databases from a home computer?
Breaches of Communications and Data Security
In this category attacks include those on computer software and on the data
itself. The other categories discussed above are more focused on physical
equipment, people, and procedures.
Data Attacks
There are many types of attacks on the confidentiality, integrity, and availability
of data. Confidentiality keeps data secret from those not authorized to see it.
Integrity keeps data safe from modification by those not authorized to change it.
Availability, as we discussed under “Denial or Degradation of Service” above,
keeps data available for use.
The theft, or unauthorized copying, of confidential data is an obvious attack that
falls into this category. Espionage agents steal national defense information.
Industrial spies steal their competitors’ product information. Crackers steal
passwords or other kinds of information on breaking into systems.
Two terms you’ll hear in the context of data attacks are inference and leakage.
With inference, a user legitimately views a number of small pieces of data, but by
putting those small pieces together is able to deduce some piece of non-obvious
and secret data. With leakage, a user gains access to a flow of data via an
unauthorized access route (e.g., through eavesdropping).
Unauthorized Copying of Data
Preventing and detecting this type of attack requires coordinated policies among
the different categories of computer security. In terms of personnel security, user
education is vital. In terms of operations security, automated logging and
auditing software can play a part as well.
Traffic Analysis
Sometimes, the attacks on data might not be so obvious. Even data that appears
quite ordinary may be valuable to a foreign or industrial spy. For example, travel
itineraries for generals and other dignitaries help terrorists plan attacks against
their victims.
Accounts payable files tell outsiders what an organization has been purchasing
and suggest what its future plans for expansion may be. Even the fact that two
people are communicating–never mind what they are saying to each other–may
give away a secret. Traffic analysis is the name given to this type of analysis of
communications.
Software Attacks
Trap Doors
One classic software attack is the trap door or back door. A trap door is a quick
way into a program; it allows program developers to bypass all of the security
built into the program now or in the future.
To a programmer, trap doors make sense. If a programmer needs to modify the
program sometime in the future, he can use the trap door instead of having to go
through all of the normal, customer-directed protocols just to make the change.
Trap doors of course should be closed or eliminated in the final version of the
program after all testing is complete, but, intentionally or unintentionally, some
are left in place. Other trap doors may be introduced by error and only later
discovered by crackers who are roaming around, looking for a way into system
programs and files. Typical trap doors use such system features as debugging
tools, program exits that transfer control to privileged areas of memory,
undocumented application calls and parameters, and many others.
Tunneling
Technically sophisticated tunneling attacks fall into this category as well.
Tunneling uses one data transfer method to carry data for another method.
Tunneling is an often legitimate way to transfer data over incompatible networks,
but it is illegitimate when it is used to carry unauthorized data in legitimate data
packets.
Trojan Horses
A Trojan horse is a method for inserting instructions in a program so that
program performs an unauthorized function while apparently performing a useful
one. Trojan horses are a common technique for planting other problems in
computers, including viruses, worms, logic bombs, and salami attacks (more
about these later). Trojan horses are a commonly used method for committing
computer-based fraud and are very hard to detect.
Botnets
A botnet is a network of hijacked home computers, typically controlled by a
criminal gang. A bot refers to one of the individual computers in a botnet. Bots
are also called drones or zombies.
Ransomware
Malware which once in control demands a fee to unlock the computer.
Viruses and Worms
In a computer, a virus is a program which modifies other programs so they
replicate the virus. In other words, the healthy living cell becomes the original
program, and the virus affects the way the program operates. It inserts a copy of
itself in the code. Thus, when the program runs, it makes a copy of the virus. This
happens only on a single system. (Viruses don’t infect networks in the way
worms do, as we’ll explain below.) However, if a virus infects a program which is
copied to a disk and transferred to another computer, it could also infect
programs on that computer. This is how a computer virus spreads.
Unlike a virus, a worm is a standalone program in its own right. It exists
independently of any other programs. To run, it does not need other programs. A
worm simply replicates itself on one computer and tries to infect other
computers that may be attached to the same network.
A worm operates over a network, but in order to infect a machine, a virus must be
physically copied.
Salamis
The Trojan horse is also a technique for creating an automated form of computer
abuse called the salami attack, which works on financial data. This technique
causes small amounts of assets to be removed from a larger pool. The stolen
assets are removed one slice at a time (hence the name salami). Usually, the
amount stolen each time is so small that the victim of the salami fraud never
even notices.
A clever thief can use a Trojan horse to hide a salami program that puts all of the
rounded off values into his account. A tiny percentage of pennies may not sound
like much until you add up thousands of accounts, month after month.
Logic Bombs
Logic bombs may also find their way into computer systems by way of Trojan
horses. A typical logic bomb tells the computer to execute a set of instructions at
a certain date and time or under certain specified conditions. The instructions
may tell the computer to display a message on the screen, or it may tell the entire
system to start erasing itself. Logic bombs often work in tandem with viruses.
Whereas a simple virus infects a program and then replicates when the program
starts to run, the logic bomb does not replicate – it merely waits for some prespecified event or time to do its damage.
Some bombs do their damage after a particular program is run a certain number
of times. Trojan horses present a major threat to computer systems, not just
because of the damage they themselves can do, but because they provide a
technique to facilitate more devastating crimes.
Breaches of Operations Security
Because operations security includes the setting up of procedures to prevent and
detect all type of attacks on systems and personnel. Here are a few special kinds
of breaches of operations security.
Data Diddling
Data diddling, sometimes called false data entry, involves modifying data before
or after it is entered into the computer. Consider situations in which employees
are able to falsify time cards before the data contained on the cards is entered
into the computer for payroll computation.
IP Spoofing
A method of masquerading that are in use in various Internet attacks today is
known as IP spoofing (IP stands for Internet Protocol, one of the
communications protocols that underlies the Internet). Certain UNIX programs
grant access based on IP addresses; essentially, the system running the program
is authenticated, rather than the individual user. The attacker forges the
addresses on the data packets he sends so they look as if they came from inside
a network on which systems trust each other. Because the attacker’s system
looks like an inside system, he is never asked for a password or any other type of
authentication.
Password Sniffing
Password sniffers are able to monitor all traffic on areas of a network. Crackers
have installed them on networks used by systems that they especially want to
penetrate, like telephone systems and network providers. Password sniffers are
programs that simply collect the first 1 28 or more bytes of each network
connection on the network that’s being monitored. When a user types in a user
name and a password–as required when using certain common Internet services
like FTP (which is used to transfer files from one machine to another) or Telnet
(which lets the user log in remotely to another machine)–the sniffer collects that
information. Additional programs sift through the collected information, pull out
the important pieces (e.g., the user names and passwords), and cover up the
existence of the sniffers in an automated way. Best estimates are that in 1 994 as
many as 1 00,000 sites were affected by sniffer attacks.
Excess Privileges
If a cracker breaks into one user’s account, he can compromise and damage that
user’s files, but he can’t ordinarily get beyond the boundaries of the user’s
account to damage the rest of the system. Too often, users in a system have
excess privileges–more privileges than they ought to have. An ordinary user on
an ordinary system doesn’t need to be able to modify all of the files on that
system. And yet, in many systems, a user has the system privileges that entitle
him to do just that. The user may never actually want to change anyone else’s
files–he may not even know that he is allowed to–but nevertheless the privileges
are there. If an intruder gets access to the system through the user’s account, he
can exploit this weakness.
Ways of Detecting Common Attacks
This section provides a quick summary of how you might be able to anticipate or
detect the most common types of attacks we’ve discussed in this chapter.
This section briefly summarizes:
Potential offenders–what type of individual (e.g., a programmer, a
spy) might commit a crime of this type.
Methods of detection–how such crimes are found out (e.g., tracing
equipment of various kinds, analyzing log files).
Evidence–trails that might be left by the intruders and that might
help in detection (e.g., system logs, telephone company records).
Dumpster Diving
Potential Offenders
System users.
Anyone able to access the trash area.
Anyone who has access to computer areas or areas used to store
backups.
Methods of Detection
Tracing proprietary information back to its source (e.g., memos
with company names or logos).
Observation (guards may actually see intruders in action).
Testing an operating system to discover data left over after job
execution.
Evidence
Computer output media (e.g., may contain vendor name or
identifying page numbers).
Similar information produced in suspected ways in the same form.
Characteristics of printout or other media (e.g., type fonts or logos).
Wiretapping and Eavesdropping
Potential Offenders
Communications technicians and engineers.
Agents for competitors.
Communications employees, former employees, vendors, and
contractors.
Agents for foreign intelligence services.
Methods of Detection
Voice wiretapping methods.
Tracing where the equipment used in the crime came from (e.g.,
monitoring equipment).
Tracing computer output (e.g., disks and tapes) to their source.
Observation.
Discovery of stolen information.
Evidence
Voice wiretapping as evidence.
Computer output forms.
Computer audit logs.
Computer storage media.
Characteristics of printout or other media (e.g., type fonts or logos).
Manual after-hours signin/signout sheets.
Masquerading
Potential Offenders
Potentially everyone.
Methods of Detection
Analysis of audit logs and journals (e.g., a log shows that an
authorized user apparently logged in, but it is known that the person
was away at that time).
Observation (e.g., an eyewitness saw an intruder at an authorized
user’s terminal).
Password violations (e.g., a log shows repeated failed attempts to
use an invalid password).
Report by the person who has been impersonated (e.g., the
authorized person logs in, and the system tells him that he has had
six unsuccessful logins since the last time he knows he actually
logged in).
Evidence
Backups.
System audit logs.
Telephone company records (pen register and dialed number
recorder (DNR) records).
Violation reports from access control packages.
Notes and documents found in the possession of suspects.
Witnesses.
Excessively large phone bills (excessive message units may
indicate that someone is using resources).
Software Piracy
Potential Offenders
Purchasers and users of commercial software.
Software pirates.
Employees who steal proprietary software.
Methods of Detection
Observation.
Testimony of legitimate purchasers of software.
Search of users’ facilities and computers.
Evidence
Pictures of computer screens where pirated software is being
executed.
The contents of memory in computers containing pirated software.
Copies of media on which pirated software is found.
Printouts produced by pirated software.
Trap Doors
Potential Offenders
Systems programmers.
Applications programmers.
Methods of Detection
Exhaustive testing.
Specific testing based on evidence.
Comparison of specifications to performance.
Evidence
Programs that perform tasks not specified for them.
Output reports that indicate that programs are performing tasks not
specified for them.
Timing Attacks
Potential Offenders
Advanced system analysts.
Advanced computer programmers.
Methods of Detection
System testing of suspected attack methods.
Complaints from system users that their jobs are not being
performed efficiently.
Repeat execution of a job under normal and safe conditions.
Evidence
Output that deviates from normally expected output of logs.
Computer operations logs.
Trojan Horses, Viruses, Worms, Salamis, and Logic Bombs
Potential Offenders
Programmers who have detailed knowledge of a program.
Employees or former employees.
Vendor or contractor programmers.
Financial system programmers.
Computer users.
Computer operators.
Crackers.
Methods of Detection
Comparison of program code with backup copies of the program.
Tracing of unexpected events of possible gain from the act to
suspected perpetrators.
Detailed data analysis, including analysis of program code (e.g., you
may detect a virus because a file increases in size when it is
modified or because disk space decreases).
Observation of financial activities of possible suspects (especially
for salami attacks).
Testing of suspect programs.
Examination of computer audit logs for suspicious programs or
pertinent entries (e.g., log entries that show that many programs
were updated at the same time) (especially for viruses).
Transaction audits.
Evidence
Output reports.
Unexpected results of running programs.
Computer usage and file request journals.
Undocumented transactions.
Analysis test program results.
Audit logs.
Data Diddling
Potential Offenders
Participants in transactions being entered or updated.
Suppliers of source data.
Preparers of data.
Nonparticipants with access.
Methods of Detection
Comparison of data.
Manual controls.
Analysis of computer validation reports.
Integrity tests.
Validation of documents.
Analysis of audit logs.
Analysis of computer output.
Evidence
Data documents for source data, transactions, etc.
Manual logs, audit logs, journals, etc.
Backups and other computer media (e.g., tapes and disks).
Incorrect computer output control violation alarms.
Scanning
Potential Offenders
Malicious intruders.
Spies attempting to access systems for targeted data.
Criminals intent on committing fraud.
Methods of Detection
Computer logs that show when telephone calls were received by
the computer and when attempts were made.
Loss of data or transfer of funds or other assets.
Telephone company records.
Evidence
Telephone company records (pen register and dialed number
recorder (DNR) records).
Possession of war dialing programs.
Computer logs.
Possession of information compromised as a result of scanning,
including lists of telephone numbers.
Excess Privileges
Potential Offenders
Programmers with access to Superzap-type programs.
Computer operations staff.
Methods of Detection
Comparison of files with historical copies.
Examination of computer usage logs.
Discrepancies noted by those who receive reports.
Evidence
Discrepancies in output reports.
Computer usage and file request journals.
Undocumented transactions.
