Information Systems Audit and Control: Computer Fraud - Essay Example

Summary: In the paper "Information Systems Audit and Control: Computer Fraud" the author discusses computer fraud, which can inflict enormous damage on an organization and its community. To prevent this high-tech crime we must recognize the nature of computer fraud and understand how and why it is committed…
Abstract

Computer fraud, while less frightening than physical violence or intrusion, can inflict enormous damage on an organization and its community. To prevent this high-tech crime we must recognize the nature of computer fraud and understand how and why it is committed. In this paper, through conceptual and analytical research, we investigate the elements of fraud and study the details of recently committed frauds in various organizations to find out their real causes. We then look at the potential of information systems audit and control to prevent sophisticated computer crime, and examine auditing procedures and control mechanisms to determine the best available means of counteracting fraud. Finally, we present our views on how individual computer users and businesses can help in the successful implementation of anti-fraud programs.

Introduction

Under the United States Computer Fraud and Abuse Act, computer fraud is generally committed when a person intentionally accesses a computer without authorization or in excess of the authorization given, and the act is intended to obtain something of value (Vasiu et al., 2004, p.3). Definitions of computer fraud vary, but they share one common element: an act that causes loss of property to another through the input, alteration, deletion or suppression of data, with offenders classified as insiders or outsiders. Computer fraud is most often committed by "insiders" (Vasiu et al., 2004, p.4), for an obvious reason: insiders know the system, and their long exposure to it and familiarity with its weak points give them the confidence to risk detection. This does not rule out the possibility that in some situations the perpetrator is not an insider.
Outsiders may also gain entry by pretending to be an authorized person in order to take advantage of vulnerabilities in the system.

Password Attacks and Vulnerability Exploitation

A good example given by Vasiu et al. (2004) of one of the dark avenues used to access a computer, which can be classified as a password attack, concerns a financial consultant in Australia who stashed away a hefty sum through wire transfers made under another person's name and password. He carried out the fraud by logging into the department's network with the username and password of an authorized staff member, and hid his audit trail by acting under another employee's authorized access codes. A second case, probably a classic instance of vulnerability exploitation, concerns a former employee who kept using the username and password the company had issued to him while he was employed: he logged into the company's network remotely, changed customers' credit card details, and then issued refunds through the modified accounts to his own credit card (Vasiu et al., 2004, p.5). The big question is how these employees managed to get into the system, and what motivated them. According to the IIA (2003), "crime follows money", and as money is now available electronically we can be sure that criminals are just around the corner (p.1). A further reason is that information security has traditionally been "not a key factor" (OTA, 1987, p.4) in the design of computer and communication systems. Electronic commerce is too tempting for an individual with at least some background in how the system works, and this former employee was well aware of the system's weaknesses, the most basic of which was that his credentials still worked after he left. For a disgruntled or needy employee, hacking through the flaws in a system is the easiest thing to do, since it can be done remotely from the comfort of home.
As technology becomes more convenient and interactive, the lure of fraud grows with it. In 2002, hackers stole financial information from the State of California's personnel database, including Social Security numbers and payroll details. In the same year, over a ten-month period, Social Security numbers, account numbers and credit histories were stolen from Ford Motor Credit Company. In New York, a security researcher breached security and took the contents of the New York Times database (Qualys, 2003, p.2). Breaches that affect this many people and businesses have causes, and we should act in accordance with regulatory law to thwart such intrusions. It is therefore necessary for management to ensure that the controls governing their computer operations are sufficient and safe.

Information Systems Auditing and Controls

In the early years of information technology, EDP auditors were the specialists who assessed a company's computer operations; today, as technology has evolved, IT auditors are in charge of IT issues and governance. IT governance concerns the strategic relationship between IT and the business objectives, covering the daily operational management of the company's information systems; in other words, it is the process of directing and controlling the company's IT infrastructure effectively. The audit process examines not only the computerized parts of the company but the entire systems environment. The auditor's work begins at the start of every transaction, making sure that adequate audit trails are documented and that data are entered into the system properly. Auditors perform integrated testing to check that the system behaves in the manner specified, and they control changes to the system to ensure that the correct permissions are granted, including authorization for critical system overrides.
They determine whether sufficient controls and security procedures are in place between interconnected computer systems. More importantly, they ensure that backup and recovery procedures exist for business continuity in case of an attack. Information systems audit in general ensures that sufficient controls are adopted to safeguard the company's assets (Qualys, 2003, p.3). Internal controls are designed to maintain the consistency and veracity of data and to monitor activities for full compliance with policies, procedures and regulations. An organization must, in compliance with the various regulatory laws, always maintain records for audit trails. This allows proper reconstruction of events and individual accountability in case of a security breach. Logging of network activities and transactions is also very important, and logs must be retained for the period set by law for auditing and other purposes. Audit trail information is itself sensitive and must therefore be protected from unauthorized access and modification: an attacker who can tamper with the log, or mask his identity in it as the Australian consultant did with another employee's access codes, defeats the accountability the log exists to provide. There must be audit and variance detection activities that test for user and system anomalies and detect violations of established policies and procedures (Kobus, 2005, p.5-6). Businesses are mostly engrossed in the integrity of computer information while neglecting threats to the "confidentiality of their domestic communication" (OTA, 1987, p.5). Since the greatest threat to information systems security comes from within the organization and always begins with unauthorized access, the best defense against it is a combination of actions that reduce the threat: installing basic safeguards and performing regular checks, such as password protection and access tables. Such simple protection will at least help reduce the commission of fraudulent acts by an adventurous employee.
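The two insider cases described earlier and the audit-trail and variance-detection requirements just listed can be exercised directly against a log. The following is an added example, not code from the paper or from any of its sources: it runs three checks over a constructed audit-trail extract. The log format, the account names, the timestamps and the TERMINATED roster are all invented for the example. The first check flags actions recorded under an identity other than the one that opened the session (the consultant hiding behind a colleague's access codes); the second flags a refund sent to a card that the same user placed on the customer record minutes earlier (the former employee's refund-to-self scheme); the third flags logins by accounts whose owners have left, which is the revoked-credential control that failed in the second case.

```python
"""Audit-trail variance detection over a constructed log extract (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail (not taken from the paper). One record per line:
#   timestamp|session|event|actor|key=value;key=value
# "actor" is the identity under which the action was recorded.
SAMPLE_LOG = """\
2007-05-10T09:01:00|s1|LOGIN|jsmith|src=10.0.0.5
2007-05-10T09:02:10|s1|WIRE_TRANSFER|jsmith|amount=12000;dest=ACC-991
2007-05-10T09:03:00|s1|WIRE_TRANSFER|mlee|amount=8000;dest=ACC-991
2007-05-10T22:15:00|s2|LOGIN|rjones|src=203.0.113.7
2007-05-10T22:16:30|s2|CARD_UPDATE|rjones|customer=C-100;card=4111-xxxx-xxxx-9999
2007-05-10T22:20:00|s2|REFUND|rjones|customer=C-100;card=4111-xxxx-xxxx-9999;amount=450
2007-05-10T23:50:00|s2|REFUND|rjones|customer=C-200;card=5500-xxxx-xxxx-1234;amount=30
"""

# Constructed HR roster (assumption of the example): accounts whose owners have
# left, with the separation date after which any login is suspect.
TERMINATED = {"rjones": datetime(2007, 4, 30)}


def parse_log(text):
    """Parse the pipe-separated lines into dicts; the details field becomes a sub-dict."""
    records = []
    for line in text.strip().splitlines():
        ts, session, event, actor, details = line.split("|", 4)
        fields = dict(item.split("=", 1) for item in details.split(";") if item)
        records.append({"ts": datetime.fromisoformat(ts), "session": session,
                        "event": event, "actor": actor, "details": fields})
    return records


def find_actor_mismatches(records):
    """Flag actions whose recorded actor differs from the account that opened the session."""
    session_owner = {}
    hits = []
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["event"] == "LOGIN":
            session_owner[r["session"]] = r["actor"]
            continue
        owner = session_owner.get(r["session"])
        if owner is not None and owner != r["actor"]:
            hits.append((r["session"], owner, r["actor"], r["event"]))
    return hits


def find_self_refunds(records, window=timedelta(hours=1)):
    """Flag refunds to a card that the same actor put on the customer record within `window`."""
    recent_updates = defaultdict(list)  # (actor, customer) -> [(ts, card), ...]
    hits = []
    for r in sorted(records, key=lambda r: r["ts"]):
        key = (r["actor"], r["details"].get("customer"))
        if r["event"] == "CARD_UPDATE":
            recent_updates[key].append((r["ts"], r["details"]["card"]))
        elif r["event"] == "REFUND":
            for ts, card in recent_updates[key]:
                if card == r["details"]["card"] and timedelta(0) <= r["ts"] - ts <= window:
                    hits.append((r["actor"], key[1], card, r["details"]["amount"]))
                    break
    return hits


def find_terminated_logins(records, terminated=TERMINATED):
    """Flag logins by accounts that should have been revoked at separation."""
    return [(r["actor"], r["ts"].isoformat(), r["details"].get("src"))
            for r in records
            if r["event"] == "LOGIN" and r["actor"] in terminated
            and r["ts"] > terminated[r["actor"]]]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for h in find_actor_mismatches(recs):
        print("actor mismatch in session:", h)
    for h in find_self_refunds(recs):
        print("refund to freshly changed card:", h)
    for h in find_terminated_logins(recs):
        print("login by separated account:", h)
```

Each check is only as good as the log it reads, which is the point of the preceding paragraph: if the actor field can be rewritten by the person it names, the first check is blind, so the log must be append-only from the application's point of view and readable by the auditor alone.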
However, deterring attempts is not the primary solution to the problem, because simplistic protection only invites more attempts from inside and outside the system. The best practice is to provide a specific control that counteracts any attempt to access any part of the system without authorization. Access control determines the allowable activities of individuals or groups, mediating every attempt to access any part or resource of the system. A well-structured access control enables effective file sharing and optimal resource protection. It permits selective file sharing through policies, which are high-level requirements that state how access will be administered, which users are allowed, and under what circumstances they are allowed. Although a typical access control policy is application-specific, policies are more often tied to organizational boundaries and user requirements. They may allow user access only on a need-to-know basis, or base access on the user's level of competence and authority. Access control policies are implemented through a translating mechanism, typically a look-up table that grants or denies user access requests. A more sophisticated form is the security model, created specifically to illustrate the security properties of an access control and to present the hypothetical limitations of the system; it is a clear-cut and accurate expression of the security requirements and can be firm in its execution of a single policy (Hu et al., 2006, p.15-17). Access control policies are dynamic in nature because of changing business settings, regulations and environmental circumstances. Access controls are normally discretionary (DAC) and mostly associated with identity-based access control.
DAC leaves a certain amount of access control to the judgment of the owner, so that only those the owner specifies have read, write or execute rights on a file or group of files. The discretionary approach, although favored by many commercial and government establishments, is known to have a weakness arising from the transitiveness of discretionarily granting "read" access to a file: when you allow somebody to read your file, that person can copy it into a file under his own control, where he has full rights to edit it or to let anyone see it. DAC is therefore not the perfect choice, because it allows information to be copied from one object to another; the owner decides the privileges rather than following the organizational security requirements; and no restrictions are imposed on users to safeguard their files (Hu et al., 2006, p.15-17). The better alternatives are non-discretionary controls, whose rules are independent of the owner's influence and follow guidelines determined by the user's specific duty. Mandatory access control (MAC) is an access control policy in which decisions are made not by the owner of the object but by a deputized central authority. It resembles military security, where the data owner has no authority to decide who has the proper clearance to see Top Secret documents or to change their classification. This kind of mechanism is required when the assessment of the information system's security demands that protection decisions not be left to individual users, and that security be enforced over the wishes or intentions of the owner regardless of confidence and trust. A classification mechanism and drawn boundaries are normally the basis of a MAC policy, where users are divided by rules and clearance level (Hu et al., 2006, p.15-17).
The access control list (ACL) is the most common access control mechanism implemented directly in contemporary operating systems. An ACL works by specifying the selected subjects (together with their rights) that are allowed to access a particular object. It is a simple but safer way to grant or deny access to particular users or groups. An ACL entry contains a tag type, which identifies the file owner, a named user or a group; a qualifier field, which describes a particular instance of the tag type, such as a userid or groupid; and a set of permissions, which specifies the access rights such as read, write and execute. The procedure is the same for every type of user: if the requesting user matches an entry's tag type and qualifier, and the requested permission is in that entry's permission set, access is granted. With an ACL it is easy to determine which users have access to a given object in the system (Hu et al., 2006, p.15-17). The volume of data that can be shared and protected depends on the ability of a company or business establishment to implement its predefined access policies. However simple or complicated the company's information security requirements, the need to share and protect information is fast becoming sensitive, and it can be as varied as the application and the particular working environment around it. Each institution has its own tailored policy model that works well in its intended environment and sufficiently meets the organization's internal and external control requirements (Hu et al., 2006, p.15-17). With access control systems in place, it is up to the individual to follow best practices and never share passwords with anyone. Use complex passwords that are hard to guess, and change them regularly, at least every 90 days (the common guidance when this was written; later guidance such as NIST SP 800-63B drops forced periodic rotation in favor of screening passwords against known-breached lists and changing them when compromise is suspected). Individual users play a vital role in the prevention of computer fraud, and it is therefore their responsibility to ensure that all rules and regulations are followed.
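To make the ACL mechanism and the DAC-versus-MAC argument concrete, here is an added example, not code from the paper or from NIST IR 7316: a toy ACL evaluator using the tag/qualifier/permission entries just described, a Bell-LaPadula-style label check standing in for the central authority of MAC, and a replay of the transitive-read leak from the DAC discussion. The subject names (alice, bob, eve), the file names, the clearance levels and the simplified entry-matching order (first matching user entry, then group entries, then other) are all assumptions of the example.

```python
"""ACL check, MAC label check, and the DAC transitive-read leak (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    tag: str           # "user" (owner or named user), "group", or "other"
    qualifier: str     # userid or groupid; empty for "other"
    perms: frozenset   # subset of {"read", "write", "execute"}


@dataclass
class File:
    name: str
    owner: str
    acl: list
    label: int         # MAC sensitivity level; higher is more sensitive
    content: str = ""


@dataclass(frozen=True)
class Subject:
    uid: str
    groups: frozenset
    clearance: int     # MAC clearance level


def acl_allows(subject, f, perm):
    """Discretionary check: the first matching user entry decides; otherwise any
    matching group entry; otherwise the 'other' entry. (Simplified POSIX-ACL order.)"""
    for e in f.acl:
        if e.tag == "user" and e.qualifier == subject.uid:
            return perm in e.perms
    group_entries = [e for e in f.acl if e.tag == "group" and e.qualifier in subject.groups]
    if group_entries:
        return any(perm in e.perms for e in group_entries)
    return any(perm in e.perms for e in f.acl if e.tag == "other")


def mac_allows(subject, f, perm):
    """Mandatory check in the Bell-LaPadula style behind the essay's military analogy:
    no read up (clearance must dominate the label) and no write down (a subject
    may not write into an object below its clearance). Execute is left to the ACL."""
    if perm == "read":
        return subject.clearance >= f.label
    if perm == "write":
        return subject.clearance <= f.label
    return True


def allowed(subject, f, perm, enforce_mac):
    """A request must pass the ACL; with MAC enforced it must also pass the label check."""
    return acl_allows(subject, f, perm) and (not enforce_mac or mac_allows(subject, f, perm))


def transitive_read_leak(enforce_mac):
    """Replay the DAC weakness: alice grants bob read; bob copies the file into one he
    owns and opens it to everyone; eve, never granted access, reads the copy.
    Returns True if eve ends up with the content."""
    alice = Subject("alice", frozenset({"finance"}), clearance=2)
    bob = Subject("bob", frozenset({"finance"}), clearance=2)
    eve = Subject("eve", frozenset(), clearance=0)
    payroll = File("payroll.txt", alice.uid,
                   [AclEntry("user", "alice", frozenset({"read", "write"})),
                    AclEntry("group", "finance", frozenset({"read"})),
                    AclEntry("other", "", frozenset())],
                   label=2, content="salary data")
    assert not allowed(eve, payroll, "read", enforce_mac)   # direct access denied either way
    if not allowed(bob, payroll, "read", enforce_mac):
        return False
    # bob's copy: he owns it, and he chooses to make it world-readable at the lowest label
    copy = File("copy.txt", bob.uid,
                [AclEntry("user", "bob", frozenset({"read", "write"})),
                 AclEntry("other", "", frozenset({"read"}))],
                label=0)
    if not allowed(bob, copy, "write", enforce_mac):
        return False   # MAC: writing level-2 data into a level-0 object is "write down"
    copy.content = payroll.content
    return allowed(eve, copy, "read", enforce_mac) and copy.content == payroll.content


if __name__ == "__main__":
    print("DAC only, leak succeeds:", transitive_read_leak(enforce_mac=False))
    print("DAC plus MAC, leak blocked:", transitive_read_leak(enforce_mac=True))
```

Under DAC alone the leak succeeds because every decision bob makes about copy.txt is his to make. With the label check added, the copy cannot be created at a lower level, and had bob labelled it at level 2 instead, eve's clearance of 0 would have failed the no-read-up rule even if bob's ACL named her. The label follows the data, which is exactly the property the owner-driven ACL lacks.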
Conclusion

Computer fraud is a menace to our society, and it will stay for as long as there are imperfections in our computer security systems. Information systems audit and control play a major role in the prevention and detection of computer fraud, but they will not work if individual users are not responsible enough to cooperate. Auditing ensures that all of the safety requirements are met and provides vital information that can be used to create better controls and preventive measures. According to our study, computer fraud starts from unauthorized access made possible by insufficient access controls, so businesses and other establishments should review their access policies and implement better access control. A good access control mechanism ensures that all employees comply with the security procedures and access only those resources strictly specified in the control lists. Nevertheless, because business circumstances and technology change rapidly, computer security through information systems audit and control should be reviewed and updated regularly to ensure the continued stability and reliability of the system.

Works Cited

Hu et al., 2006, "Assessment of Access Control Systems", Interagency Report 7316, Computer Security Division, National Institute of Standards and Technology, Technology Administration, United States Department of Commerce, Gaithersburg, MD.

IIA, 2003, "Avoiding Identity and Computer Fraud", IIA Fact Sheet Version 1.0, Internet Industry Association, online, accessed 05/14/07, www.security.iia.net.au/downloads/avoiding%20id%20and%20computer%20fraud%20-%20ver%201.pdf

Kobus, Walter, 2005, "Security Audit", Security Consulting Services, 1804 Small Ct, Raleigh, NC 27612-3961, online, accessed 05/12/07, www.tess-llc.com/Security%20Audit%20PolicyV4.pdf

OTA, 1987, "Defending Secrets, Sharing Data: New Locks and Keys for Electronic Information", U.S. Congress Office of Technology Assessment, OTA-CIT-310, U.S. Government Printing Office, LCCCN 87-619856, ISBN 1428922741.

Qualys, 2003, "Strengthening Network Security With Automated Security Audits", Guide White Paper, Qualys Inc., 1600 Bridge Parkway, Redwood Shores, CA.

TechTarget, 2004, "Audit and Review: Its Role in Information Technology", TechTarget.com, online, accessed 05/13/07, http://www.searchsecurity.techtarget.com/searchSecurity/downloads/Gallegos_AU2032_C02_fm.pdf

Vasiu, Lucian et al., 2004, "Dissecting Computer Fraud: From Definitional Issues to Taxonomy", Deakin University, Proceedings of the 37th Hawaii International Conference on System Sciences, IEEE, 0-7695-2056-1/04.
Retrieved from https://studentshare.org/information-technology/1507028-computer-fraud