Nature of Crimes
Crimes of the Future
The FBI conducted a national study of corporate security directors to explore the environment of computer crime and identify some critical issues facing policy makers in the future. The creation of computer crime units in the Secret Service, Air Force Office of Special Investigations, FBI, and a small number of state and local agencies shows that law enforcement agencies are beginning to recognize the significance of computer crime. However, many people involved in computer security issues feel the weakest link is the lack of education in law enforcement relating to computer-technology crimes. The law enforcement community has devoted itself to high-priority violent crimes, lumping computer crimes into a low-priority status, yet the losses to computer crime could fund a small country [Carter 96].
Some security professionals believe that most cases of browsing are simply curiosity or "cybervoyeurism" with no malicious intent. They believe that most hackers are interested in the challenge of breaking into a computer system rather than in committing a theft. Despite some individual experiences, research indicates otherwise. There were significant relationships between browsing by full- and part-time employees and their attempts to steal both intellectual property and money. While not as strong overall, a significant relationship between browsing and the theft of intellectual property, but not money, also exists. With the growth of networking, a similar analysis in the next two years or so might find different results. In the case of stealing intellectual property, browsing apparently served as a means to identify the nature of available information, its potential value, and the ability to steal the data. In the case of money, browsers most likely sought to learn the computer system's file structure, determine transaction protocols, locate accounts most susceptible to theft with a lower probability of discovery, and test security for access control and authentication roadblocks.
Traditional wisdom suggests that browsers are more of a nuisance than a threat. However, the data suggest that browsing is an exploratory activity that leads to theft or attempted theft in a significant number of instances. Organizational policy, employee supervision, and security measures should be reviewed to detect and resolve browsing activities.
To fend off the threat posed by viruses, nearly 83 percent of the respondents to the National Computer Security survey reported that anti-virus software had been loaded on company computers [Koops 99]. Given that this software is easy to use and relatively inexpensive in comparison with the damage a virus could cause, it is somewhat surprising that all companies do not use virus protection. If anti-virus software were installed on all computer systems, many computer crimes would be easier to detect and prosecute, thus reducing the apparent lack of risk of being caught for computer crimes.
A variety of security countermeasures have been considered and put into practice. These included encryption, operations security, cash accounts security, employee training, and firewalls. The analysis shows a significant relationship between file or data encryption and reduced theft of intellectual property. Encryption, therefore, should be considered an important tool for protecting confidential information. However, encryption tools should be reviewed and changed periodically. Breaches of such systems not only have occurred but also have become somewhat of a game.
The DOE envisions four potential scenarios as likely: mandatory escrowed encryption, voluntary escrowed encryption, complete decontrol of encryption, or domestic decontrol with strict export regulations ["Information Security"].
Access Control: RBAC--a Discretionary Access Control
Role-based Access Control is a technical means for controlling access to computer resources. While still largely in the demonstration and prototype stages of development, RBAC appears to be a promising method for controlling what information computer users can utilize, the programs that they can run, and the modifications that they can make. Only a few off-the-shelf systems that implement RBAC are commercially available; however, RBAC is appropriate for consideration in systems that process unclassified but sensitive information, as well as those that process classified information. With role-based access control, access decisions are based on the roles that individual users have as part of an organization ["Role Based" 1].
Users take on assigned roles (such as doctor, nurse, teller, manager). The process of defining roles should be based on a thorough analysis of how an organization operates and should include input from a wide spectrum of users in an organization.
Access rights are grouped by role name, and the use of resources is restricted to individuals authorized to assume the associated role. A properly administered RBAC system enables users to carry out a broad range of authorized operations, and provides great flexibility and breadth of application. System administrators can control access at a level of abstraction that is natural to the way that enterprises typically conduct business. This is achieved by statically and dynamically regulating users' actions through the establishment and definition of roles, role hierarchies, relationships, and constraints. Thus, once an RBAC framework is established for an organization, the principal administrative actions are the granting and revoking of users into and out of roles. This is in contrast to the more conventional and less intuitive process of attempting to administer lower-level access control mechanisms directly (e.g., access control lists [ACLs], capabilities, or type enforcement entities) on an object-by-object basis.
Further, it is possible to associate the concept of an RBAC operation with the concept of "method" in Object Technology. This association leads to approaches where Object Technology can be used in applications and operating systems to implement an RBAC operation.
For distributed systems, RBAC administrator responsibilities can be divided among central and local protection domains; that is, central protection policies can be defined at an enterprise level while leaving protection issues that are of local concern at the organizational unit level. For example, within a distributed healthcare system, operations that are associated with healthcare providers may be centrally specified and pertain to all hospitals and clinics, but the granting and revoking of memberships into specific roles may be specified by administrators at local sites.
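The RBAC model described above (permissions grouped by role, a role hierarchy, a static constraint, and membership grant/revoke as the routine administrative action) can be sketched as follows. This is an added example, not code from any RBAC product or from the cited sources; the class, method, user, and permission names are constructed for illustration.

```python
# Added illustration; role, user and permission names are constructed.
class RBAC:
    def __init__(self):
        self.role_perms = {}   # role -> {(operation, resource)}; defined centrally
        self.juniors = {}      # role -> roles whose permissions it inherits
        self.members = {}      # role -> users; changed by local administrators
        self.exclusive = []    # role pairs no single user may hold together

    def define_role(self, role, perms=(), inherits=()):
        self.role_perms[role] = set(perms)
        self.juniors[role] = set(inherits)
        self.members.setdefault(role, set())

    def forbid_together(self, a, b):
        self.exclusive.append(frozenset((a, b)))

    def roles_of(self, user):
        return {r for r, users in self.members.items() if user in users}

    def grant(self, user, role):
        held = self.roles_of(user)
        for pair in self.exclusive:
            # Static constraint: refuse if the user holds the other role of a pair.
            if role in pair and (pair - {role}) & held:
                raise PermissionError(f"{user}: {role} conflicts with a held role")
        self.members[role].add(user)

    def revoke(self, user, role):
        self.members[role].discard(user)

    def effective(self, role):
        # A role's permissions plus everything inherited from its junior roles.
        perms = set(self.role_perms[role])
        for junior in self.juniors[role]:
            perms |= self.effective(junior)
        return perms

    def check(self, user, operation, resource):
        # The decision depends only on roles held, never on a per-object ACL.
        return any((operation, resource) in self.effective(r) for r in self.roles_of(user))

def build_demo():
    rbac = RBAC()
    rbac.define_role("nurse", {("read", "chart")})
    rbac.define_role("doctor", {("write", "prescription")}, inherits={"nurse"})
    rbac.define_role("teller", {("post", "payment")})
    rbac.define_role("manager", {("approve", "payment")})
    rbac.forbid_together("teller", "manager")
    rbac.grant("alice", "doctor")
    rbac.grant("bob", "teller")
    return rbac
```

Revoking a single role membership removes every permission that came with it, including inherited ones, which is the administrative saving over editing ACLs object by object.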
Firewalls are software controls that permit system access only to users specifically registered with a computer. As users attempt to gain access to the system, they are challenged to ensure they have an authentic password. Typically, users encounter several challenges, known as layers, for added protection. Although security managers report widespread use of firewalls, the data from an FBI survey showed no significant relationship between this countermeasure and protection of information. Indeed, several respondents' comments suggested that crackers had penetrated their firewalls.
A most recent development in Internet security is a software program called "Satan" developed by Dan Farmer and Wietse Venema. This program is available free to anyone on the Internet. Its purpose is to help administrators of computer systems locate security holes and plug them. The objective is to keep hackers out. However, "Satan" critics suggest that the program will be a road map for amateur hackers and may increase hacking break-ins.
Connection to Stanford
As an interesting note, while researching for this web page, the security crew at Stanford ran a Satan security sweep on all residential computers on campus.
The same group also controls the regulations on leland password choices, and promotes the use of Kerberos password encryption. Also installed on the leland system is TripWire -- a break-in detection software.
Meanwhile, in response to (some successful) attacks on the main server of Stanford's CS department, Stanford has disabled clear text access to the machine. Forcing all connections to the machine to be encrypted ensures that packet-sniffers are generally ineffective.