Preventing Computer Crime

Hollywood and newspapers love computer crime. It sells tickets and newspapers. For movies, it's an area that's ripe for artistic license since so few people understand the realities surrounding computer crime. Words like "password sniffers," "Trojan horses," "denial of service," and "salami attacks" attract attention. This column will define some of the terms that people use in the computer crime area and make some suggestions that will reduce the possibility of you becoming a victim.

Some Definitions

"Password sniffing" is the fear of every network. It starts with a computer monitoring all the traffic on a network. What a password sniffing program does is collect the first group of bytes of information on each connection. These first bytes usually contain essential information like the username and password. The hacker then uses another program, which sifts through this collected information, to find the important information. Armed with the username and password, a hacker is now into a computer network where he doesn't belong and may wreak havoc.

The way to stop password sniffing is relatively straightforward. It's usually as simple as encrypting (encoding) logon information. Still, not all networks do this and the ones that don't are vulnerable to this type of attack.

"Trojan horses" are as treacherous inside computers as the Trojan Horse was during the Trojan War. We all know the story of how the Greeks hid soldiers inside of a large hollow wooden horse. In a similar fashion, a hacker hides a computerized version of a Trojan horse inside of what appears to be a useful program.

The typical scenario might have an unsuspecting Internet surfer downloading what appears to be a fun game. Little does she know that the fifth time she starts her new game, instead of the game starting, a destructive program will be unleashed that may trash her hard drive or do something similarly destructive.

"Denial of service" is a general term that encompasses several different types of attacks on systems. Generally, a "denial of service" is a type of attack that prevents any part of a computer system from functioning correctly. It can be low–tech, like blowing up the building or turning off the power, or high–tech.

Of course, the high–tech attacks are the interesting ones. These might involve programs that "flood" or "spam" a system. Instead of shutting it down, these attacks typically involve the use of programs that create so much work for a computer that it essentially churns to a halt.

Imagine arriving to the office one morning, turning on your computer as you always do, connecting to the Internet, starting your e-mail program and being greeted by thousands and thousands of e-mails from some unknown sender. You have just been victimized by a "denial of service" attack.

Another common form of a high tech "denial of service" attack is when a website like Amazon.com is targeted. The website is flooded with download requests, so many in fact that the the website server can't keep up. New requests are placed at the end of the queue, and thus processed very slowly, if at all. This is what usually happens when one of the major e-commerce or news websites is "down."

A "salami attack" has nothing to do with heartburn and Tums. Rather, it's an assault on financial data. It involves stealing money one slice at a time. The strategy is to steal small amounts of money for many accounts. This technique depends on the fact that most people will not notice or complain about a small discrepancy in their account. Imagine a bank employee who had a program that could deduct a dime from all interest payments that exceeded $50 and deposit them in his account. How long would it take before somebody noticed? Meanwhile, we would have one rich thief.

Preventing Problems

Security and convenience are usually trade-offs. The simple fact is that if you put too many locks on a door, then people don't use the locks. Nobody wants to use a computer that requires several different and unique passwords to logon. We all hate it when a system logs us off after only five minutes of not using it, but five minutes is a long period of vulnerability if you walk away from a keyboard.

Achieving the balance between security and convenience is often quite a challenge. The starting point is to perform a risk analysis. Remember that your goal isn't perfect security because perfect security probably means that your system will be difficult to impossible to use. Rather, your goal is to achieve that magical balance that won't cause users to find ways to thwart your security because it hampers their work.

Start your risk analysis by looking at your threats. Obviously, the CIA has different threats than Mary's flower shop. Still, Mary doesn't necessarily want employees rummaging through payroll and banking records. Your threats may include people like employees, criminals, and spies, and events like natural disasters and fires.

The next step is to look at your vulnerabilities. "Vulnerabilities" are places where your system is susceptible to attack. Here, you want to look at things like employee training and loyalty (or the lack thereof), interconnections with other networks, including the Internet, and the fact that your office is located on the coast of a hurricane–prone area.

Assessing risks and vulnerabilities is all about asking lots of questions. Who might attack you? What would they be looking for? How would they get in? What are your risks from natural disasters? Are you reasonably protected from fire?

After you have assessed your threats and vulnerabilities, the next step is to evaluate some appropriate countermeasures. Try to be proactive rather than reactive. By "proactive," I mean performing this assessment and evaluating appropriate countermeasures before you have a problem. Human nature is such that too often people perform "reactive" assessments after they have a problem. You really don't have to wait to have a burglary to put in a burglar alarm.

Before you have a problem is the time to be creative in deciding what can go wrong and what reasonable measures you can take to prevent it from happening. You need to look not only at your procedures, but also at how your people are implementing them. For example, while it's useful to have encryption built into your security, it only helps if your employees use it.

It all comes back to what I said at the beginning of this article. Security and convenience are usually trade-offs. If it takes 20 keystrokes and a minute to encrypt a single file, you're going to find that your employees encrypt few files. Your countermeasures must be useful as well as usable.