Prevention

    The FBI conducted a national study of corporate security directors to explore the environment of computer crime and identify some critical issues facing policy makers in the future. The creation of computer crime units in the Secret Service, Air Force Office of Special Investigations, FBI, and a small number of state and local agencies shows that law enforcement agencies are beginning to recognize the significance of computer crime. However, many people involved in computer security issues feel the weakest link is the lack of education in law enforcement relating to computer-technology crimes. The law enforcement community has devoted itself to high-priority violent crimes, lumping computer crimes into a low-priority status, yet the losses to computer crime could fund a small country [Carter 96].

    Some security professionals believe that most cases of browsing are simply curiosity or "cybervoyeurism" with no malicious intent. They believe that most hackers are interested in the challenge of breaking into a computer system rather than in committing a theft. Despite some individual experiences, research indicates otherwise. There were significant relationships between browsing by full- and part-time employees and their attempts to steal both intellectual property and money. While not as strong overall, a significant relationship between browsing and the theft of intellectual property, but not money, also exists. With the growth of networking, a similar analysis in the next two years or so might find different results. In the case of stealing intellectual property, browsing apparently served as a means to identify the nature of available information, its potential value, and the ability to steal the data. In the case of money, browsers most likely sought to learn the computer system's file structure, determine transaction protocols, locate accounts most susceptible to theft with a lower probability of discovery, and test security for access control and authentication roadblocks.

    Traditional wisdom suggests that browsers are more of a nuisance than a threat. However, the data suggest that browsing is an exploratory activity that leads to theft or attempted theft in a significant number of instances. Organizational policy, employee supervision, and security measures should be reviewed to detect and resolve browsing activities.

    To fend off the threat posed by viruses, nearly 83 percent of the respondents to the National Computer Security survey reported that anti-virus software had been loaded on company computers [Koops 99]. Given that this software is easy to use and relatively inexpensive in comparison with the damage a virus could cause, it is somewhat surprising that all companies do not use virus protection. If anti-virus software were installed on all computer systems, many computer crimes would be easier to detect and prosecute, thus reducing the apparent lack of risk of being caught for computer crimes.

    A variety of security countermeasures have been considered and put into practice. These included encryption, operations security, cash accounts security, employee training, and firewalls. The analysis shows a significant relationship between file or data encryption and reduced theft of intellectual property. Encryption, therefore, should be considered an important tool for protecting confidential information. However, encryption tools should be reviewed and changed periodically. Breaches of such systems not only have occurred but also have become somewhat of a game.

    The DOE envisions four potential scenarios as likely: mandatory escrowed encryption, voluntary escrowed encryption, complete decontrol of encryption, or domestic decontrol with strict export regulations ["Information Security"].

    1. Complete decontrol of cryptography.
    The use of strong encryption by the United States public, as well as its export by United States manufacturers, could be completely decontrolled by the government at the direct expense of law enforcement and national security. This would please some members of the public, for they would have maintained control over their privacy. United States manufacturers of encryption products would also likely benefit from this move.
    2. Domestic decontrol of cryptography with export regulations.
    Strong encryption could remain decontrolled for use by the general public, but strict regulations would remain on its export. While the American public would still be relatively content, United States industries would lose sales and potential market share due to exclusion from the lucrative international market for encryption products. The large domestic market, however, would remain open, guaranteeing some revenues for encryption product manufacturers. Law enforcement agencies, on the other hand, would lose in the short term in either of these scenarios, because their electronic surveillance abilities would be diminished.
    3. Voluntary escrowed encryption. Escrow a de facto standard.
    (This is the Clinton administration's proposed scenario.) The escrowed encryption standard could become a de facto national standard for voice, fax, and data communications over the public switched telephone network. While other encryption products would be built, they would gain little market acceptance because of demand for interoperability. Thus, law enforcement would be able to listen in on most transmissions. The encryption technology might be exportable to countries that implemented the same or a similar scheme and agreed to cooperate in international investigations. United States manufacturers might gain or lose in this scenario; they would gain only if Clipper received widespread acceptance. Law enforcement agencies would gain.
    4. Mandatory escrowed encryption.
    The government could choose to keep complete control over encryption and enforce a technology similar to the escrowed encryption standard. Law enforcement agencies would come out as winners for having maintained their surveillance capabilities. But a black market for foreign encryption products smuggled into the United States would probably be created by members of the public, including criminals, who desire more secrecy. How United States companies would react in this scenario depends on whether this government enforced standard is designed to be exportable or not. If it is unexportable, United States companies currently involved in the manufacture and sale of encryption products would be almost completely blocked from the international market and would be restricted to marketing the government enforced standard domestically. This would result in considerable financial loss for the industry. Some observe [65] that mandatory escrowed encryption can never be exportable, since if it were then products would be used in one country whose keys were escrowed elsewhere (or not at all), and this would not come to the attention of the exporting country's authorities until they attempted to snoop on someone; they would be reduced to prosecuting that person, if at all, for using a non-escrowed encryption device. If, on the other hand, the standard is an exportable item, and designed with an eye to the requirements of the international market, then United States companies would be better off and could maintain a level of international economic competitiveness.

    Access Control: RBAC--a Discretionary Access Control

    Role-based Access Control is a technical means for controlling access to computer resources. While still largely in the demonstration and prototype stages of development, RBAC appears to be a promising method for controlling what information computer users can utilize, the programs that they can run, and the modifications that they can make. Only a few off-the-shelf systems that implement RBAC are commercially available; however, RBAC is appropriate for consideration in systems that process unclassified but sensitive information, as well as those that process classified information. With role-based access control, access decisions are based on the roles that individual users have as part of an organization ["Role Based" 1].

    Users take on assigned roles (such as doctor, nurse, teller, manager). The process of defining roles should be based on a thorough analysis of how an organization operates and should include input from a wide spectrum of users in an organization.

    Access rights are grouped by role name, and the use of resources is restricted to individuals authorized to assume the associated role. A properly administered RBAC system enables users to carry out a broad range of authorized operations, and provides great flexibility and breadth of application. System administrators can control access at a level of abstraction that is natural to the way that enterprises typically conduct business. This is achieved by statically and dynamically regulating users' actions through the establishment and definition of roles, role hierarchies, relationships, and constraints. Thus, once an RBAC framework is established for an organization, the principal administrative actions are the granting and revoking of users into and out of roles. This is in contrast to the more conventional and less intuitive process of attempting to administer lower-level access control mechanisms directly (e.g., access control lists [ACLs], capabilities, or type enforcement entities) on an object-by-object basis.

    Further, it is possible to associate the concept of an RBAC operation with the concept of "method" in Object Technology. This association leads to approaches where Object Technology can be used in applications and operating systems to implement an RBAC operation.

    For distributed systems, RBAC administrator responsibilities can be divided among central and local protection domains; that is, central protection policies can be defined at an enterprise level while leaving protection issues that are of local concern at the organizational unit level. For example, within a distributed healthcare system, operations that are associated with healthcare providers may be centrally specified and pertain to all hospitals and clinics, but the granting and revoking of memberships into specific roles may be specified by administrators at local sites.
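
    The pieces described above (roles, a role hierarchy, a static constraint, and granting and revoking users into and out of roles) can be sketched in a few lines. This is an added example, not code from the original page or from any RBAC product; the role names come from the text, while the users, permissions and the teller/manager exclusion are assumptions made for illustration.

```python
class RBAC:
    """Added example (not from the page): roles, hierarchy, one static constraint."""
    def __init__(self):
        self.perms = {}      # role -> set of (operation, object) pairs
        self.juniors = {}    # role -> roles whose permissions it inherits
        self.assigned = {}   # user -> roles granted directly
        self.exclusive = []  # role pairs no single user may hold together

    def add_role(self, role, perms=(), inherits=()):
        self.perms[role] = set(perms)
        self.juniors[role] = set(inherits)

    def closure(self, roles):
        """Expand roles with everything reachable through the hierarchy."""
        seen, todo = set(), list(roles)
        while todo:
            role = todo.pop()
            if role not in seen:
                seen.add(role)
                todo.extend(self.juniors[role])
        return seen

    def grant(self, user, role):
        if role not in self.perms:
            raise KeyError(role)
        # Check the constraint against the roles the user WOULD hold.
        held = self.closure(self.assigned.get(user, set()) | {role})
        for pair in self.exclusive:
            if pair <= held:
                raise PermissionError(f"{user}: {sorted(pair)} are mutually exclusive")
        self.assigned.setdefault(user, set()).add(role)

    def revoke(self, user, role):
        self.assigned.get(user, set()).discard(role)

    def allowed(self, user, operation, obj):
        # Access is decided from roles only; there is no per-object user list.
        roles = self.closure(self.assigned.get(user, set()))
        return any((operation, obj) in self.perms[r] for r in roles)

def build_demo():
    """Constructed policy; users alice/bob and all permissions are hypothetical."""
    rbac = RBAC()
    rbac.add_role("nurse", {("read", "chart")})
    rbac.add_role("doctor", {("write", "prescription")}, inherits={"nurse"})
    rbac.add_role("teller", {("post", "deposit")})
    rbac.add_role("manager", {("approve", "deposit")})
    rbac.exclusive.append(frozenset({"teller", "manager"}))
    rbac.grant("alice", "doctor")
    rbac.grant("bob", "teller")
    return rbac
```

    Revoking alice's doctor role removes the inherited nurse permissions as well, which is the administrative saving over editing per-object ACLs.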

    Firewalls are software controls that permit system access only to users specifically registered with a computer. As users attempt to gain access to the system, they are challenged to ensure they have an authentic password. Typically, users encounter several challenges, known as layers, for added protection. Although security managers report widespread use of firewalls, the data from an FBI survey showed no significant relationship between this countermeasure and protection of information. Indeed, several respondents' comments suggested that crackers had penetrated their firewalls.

    A recent development in Internet security is a software program called SATAN, developed by Dan Farmer and Wietse Venema. This program is available free to anyone on the Internet. Its purpose is to help administrators of computer systems locate security holes and plug them. The objective is to keep hackers out. However, SATAN's critics suggest that the program will be a road map for amateur hackers and may increase hacking break-ins.

    Connection to Stanford

    As an interesting note, while this web page was being researched, the security crew at Stanford ran a SATAN security sweep on all residential computers on campus.

    The same group also controls the regulations on leland password choices, and promotes the use of Kerberos password encryption. Also installed on the leland system is Tripwire, a break-in detection program.

    Meanwhile, in response to attacks (some of them successful) on the main server of Stanford's CS department, Stanford has disabled clear-text access to the machine. Because all connections to the machine must now be encrypted, packet sniffers are generally ineffective against it.