ORGANIZATIONS, EMPLOYEES AND COMPUTER CRIMES

PhD student Dana Ramona ANDRIŞESCU,

Doctoral School of Economy, Alexandru Ioan Cuza University, Iaşi

E-mail:

Abstract

Computer crimes are evolving at a fast pace along with the development of technologies. Not only is their number rising, but also their complexity and the number of persons involved. Both individuals and organizations face a new type of threat, that of electronic crime done using the Internet and the available information and communication technologies. Organizations have to deal with employees when the security policies are broken, when crimes have been committed or when something wrong is about to happen. In this paper we will try to show the types of computer crimes employees can commit in an organization by using its resources. Employers face many losses: money, resources, time, clients and so on. That is why we are going to present the basic means of protection an organization should take when dealing with disgruntled employees. Once security policies are established, the organization has to make sure they are respected all the time and make employees aware of the dangers they are facing, not only because of their own wrongdoings but also as victims. We will also show that in order to prevent computer crimes employees must be trained on information security, on the consequences of their actions, on the information they are allowed to use and on what dangers they are facing when using a computer, especially one connected to the Internet. The predisposition to crime comes from inside every individual but also from external factors that influence him or her, and that is why we will see which factors of influence determine the criminal personality.

Keywords

Organization, employee, attacks, computer crimes, security

1. INSIDER THREAT

Information and computer security has become an important issue for any organization that wants to preserve clients, suppliers, employees and resources and have a fruitful activity. We know that many consider this an easy thing to do, but in reality, due to employees and their wrongdoings, security becomes vital. Knowing how to deal with people and use the appropriate technologies for protection means the survival of the organization. An organization loses data because of employees who throw away or delete data and documents by mistake, steal storage devices, launch attacks from inside or outside the organization or are victims of other cyber criminals. Together with the data losses, organizations lose good employees, expensive and important devices, money, clients, suppliers, investments and so on. In this paper we are going to see what the insider threat is all about, what attacks can be launched by insiders and some basic measures to protect against employees and other intruders.

In today’s organizations, computers have become an important factor for success. Using them in the best way possible makes a successful business. Most losses from wrongdoings involving the computer come from inside: from disgruntled employees, ex-employees, or sites which distribute sensitive information about an organization’s internal dealings. With all the security measures taken, organizations cannot overcome the power of a human mind set on breaking the rules, the limits and the codes. When somebody wants to get something for personal use, he/she or the group he/she is part of will do anything to get their goal fulfilled. Insiders are dangerous as they know the network, the computers, the resources available, and how things work. They may also know more about the infrastructure’s strengths and weaknesses, thus increasing the likelihood of an electronic attack being successful.

An insider is anyone in an organization with approved access, privilege, or knowledge of information systems, information services, and missions [1]. By default, insiders are trusted; they are already on the organization’s systems and usually within or behind most of the technical security controls. They usually have some type of authority on the systems they plan to attack. In some cases, this authority is highly privileged (e.g. systems administration), allowing the insider either to abuse that privilege or to gain higher privileges through some means (e.g., social engineering, shoulder surfing, sniffers, and so on) [2].

An insider can be[3]:

-an employee, student, or other “member” of a host institution that operates a computer system to which the insider has legitimate access;

-an associate, contractor, business partner, supplier, computer maintenance technician, guest, or someone else who has a formal or informal business relationship with the institution;

-anyone authorized to perform certain activities, for example a bank’s customer who uses the bank’s system to access his or her account;

-anyone properly identified and authenticated to the system including, perhaps, someone masquerading as a legitimate insider, or someone to whom an insider has given access (for example by sharing a password);

-someone duped or coerced by an outsider to perform actions on the outsider’s behalf;

-a former insider, now using previously conferred access credentials not revoked when the insider status ended, or using access credentials secretly created while an insider to give access later.
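The last category above is one an organization can check for directly: reconcile successful logins against HR status so that accounts of departed staff, and accounts that belong to nobody on the roster, stand out. This is an added example, not code from the paper; the roster, log lines and usernames are constructed sample data.

```python
"""Added example: reconcile an authentication log against HR status to spot
two of the insider types listed above: a former insider whose credentials
were never revoked, and an account with no owner on the roster (one that
may have been created secretly while the creator still had access).
All records below are constructed sample data."""
from datetime import date, datetime

# Constructed HR roster: username -> (status, end date or None)
HR_ROSTER = {
    "amiller": ("active", None),
    "jdoe":    ("terminated", date(2009, 3, 31)),
    "bking":   ("active", None),
}

# Constructed authentication log, one event per line: "timestamp user host result"
AUTH_LOG = """\
2009-04-02T08:15:00 amiller fileserver01 success
2009-04-02T23:41:10 jdoe fileserver01 success
2009-04-03T01:05:44 svc_backup2 dbserver02 success
2009-04-03T09:00:00 bking fileserver01 failure
""".splitlines()


def parse_auth_line(line):
    """Split one constructed log line into its fields."""
    ts, user, host, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "host": host, "result": result}


def find_insider_access(log_lines, roster):
    """Return (user, reason, host) for successful logins that should not work.

    revocation_failed : the user left the organization, yet the account still logs in
    unknown_account   : no HR record at all, so nobody vouches for the account
    """
    findings = []
    for line in log_lines:
        ev = parse_auth_line(line)
        if ev["result"] != "success":
            continue  # failed attempts belong to a separate detection
        record = roster.get(ev["user"])
        if record is None:
            findings.append((ev["user"], "unknown_account", ev["host"]))
            continue
        status, end_date = record
        if status == "terminated" and end_date is not None \
                and ev["ts"].date() > end_date:
            findings.append((ev["user"], "revocation_failed", ev["host"]))
    return findings


if __name__ == "__main__":
    for user, reason, host in find_insider_access(AUTH_LOG, HR_ROSTER):
        print(f"{reason}: {user} logged in to {host}")
```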

As we can see, there are many insiders that could threaten an organization. But let us see what insiders’ and employees’ motives for computer attacks that become crimes could be [4]:

-stressful events;

-making an unintentional mistake;

-trying to accomplish needed tasks, bypassing security along the way;

-organizational sanctions;

-trying to make the system do something for which it was not designed;

-as a form of innovation, to make the system more useful or usable;

-trying to bypass the system and its capabilities, testing the limits of authorization;

-predispositions towards crime;

-personal past events, sanctions or convictions;

-checking the system for weaknesses, vulnerabilities or errors, with the intention of reporting problems;

-killing time for fun, out of boredom, revenge or disgruntlement;

-acting with the intention of causing harm, for reasons such as fame, greed, capability, revenge, divided loyalty or delusion;

-lack of electronic and physical control, so everybody does what they want.

Understanding the factors that may be directly or indirectly responsible for the insider threat should allow us to choose better mitigation strategies and, in some cases, be preventative and proactive rather than being solely reactive as we currently are. At a high level, the factors can be categorized as business culture and society. Under the heading of business culture, we have subcategories of ethics and morals and a transient workforce. Society is subdivided into economy, morality, and social learning.

At the most basic level, the problem of insider attacks is a people issue, not a technology issue. The insider threat is a problem faced by all industries and sectors today. It is an issue of growing concern, as the consequences of insider incidents can include not only financial losses but also the loss of clients and business days. The actions of a single insider can cause damage to an organization ranging from a few lost staff hours to negative publicity and financial damage so extensive that a business may be forced to lay off employees or even close its doors. Furthermore, insider incidents can have repercussions extending beyond the affected organization to include disruption of operations or services critical to a specific sector [5]. As many incidents are not reported to law enforcement, nothing can be done against the disgruntled employees.

The e-Crime survey done in 2009 on 307 of KPMG’s clients [1] revealed that the internal e-Crime risks of most concern in the current economic climate are:

-theft of customer or employee data by insiders or ex-employees;

-knowledge of weak points in business processes/systems being deliberately exploited by insiders or ex-employees;

-theft of intellectual property or business sensitive data by insiders or ex-employees;

-loss of undocumented business knowledge relevant to security;

-employees placing personal information on the Internet that can be exploited by attackers;

-knowledge of weak points in business processes/systems being sold.

Not only are organizations threatened but also their clients, as their data is stolen and used to obtain some gain. According to Lumension [2], in order to mitigate the risk posed by insiders, it helps to understand who these people are [6].

Petty Identity Thief. One of the most common malicious insiders is the unsophisticated employee or partner looking to score a few sets of customer data here and there to commit small-scale ID theft on his own.

Data Fencer. Instead of using the data himself/herself to commit fraud, he/she will simply sell it to one of the numerous criminal elements in the ID theft underground that buy personally identifiable information in bulk. This type of insider can inflict a lot more damage on the organization, as he/she is usually looking to score a large database or list of names.

Ladder Climber. This particular insider often doesn’t believe he/she is stealing. He/she will collect customer lists or intellectual property so that he/she can take them along when hired by a competitor.

Saboteur. Rather than stealing information, this type of malicious insider is slightly more emotional. He/she is simply looking to hurt the employer rather than to make financial gains. He/she might want to do so in retribution for a firing, or perhaps because he/she disagrees with some company policy or activity the organization is involved in. This insider can be especially dangerous if he/she is a knowledgeable IT worker with special access privileges.

Clueless Rube. This type will load unauthorized P2P software on his machine, recklessly transfer sensitive data on unprotected USB devices and click into any old e-mail or website, regardless of how sketchy it looks, for his personal pleasure. This is the most prevalent insider threat and, sadly, outsiders know it.

Marcus Rogers in his article, Internal Security Threats[7], says that to appreciate fully the risk presented by insiders, it is necessary to break the group into subcategories. The choice of exact categories is somewhat arbitrary but the author uses these categories:

-Disgruntled employees - the most common type of inside attacker. The category covers current employees, ex-employees, contractors, and consultants.

-Hackers – individuals with disregard for convention and rules, loose ethical boundaries, ambiguous morality, and disregard for private property for their own gain. These individuals believe that rules do not apply to them and that there should be no restrictions on what information is available to them. They also believe that information, regardless of its level of business sensitivity, should be shared with the outside world, especially with their hacking friends.

-Criminals (organized and individual). This category has two sub-groupings, petty criminals and professional criminals. Petty criminals are individuals who display criminal behavior or intent but do not derive the majority of their livelihood from criminal activities. Professional criminals derive the majority of their income from their criminal activities and, in some cases, have ties back to organized or quasi-organized crime.

-Spies (corporate and foreign national). Competitors send fake employees to get information and insights from the enemy in order to gain some advantage and make their enemies lose clients, employees, money, market share and so on, purely for their own benefit.

-Terrorists (foreign and domestic). Having people on the inside, either spies or simply individuals sympathetic to the group’s cause, is a tactical advantage. Insiders can join forces with the outside terrorist, harming the organization and its people in different ways.

These are somewhat fluid categories and are not considered mutually exclusive. In some cases, an individual may migrate between two or more groups during his tenure with an organization (e.g., from hacker to disgruntled employee).

In taking a closer look at the traditional insider attack, where the trusted individual consciously commits an act of fraud or sabotage, two elements are always at play: the motivation to commit the act and the means to do so. Many insiders are successful because their organizations simply do not have the proper tools in place to enforce policies or even to monitor employee and partner activity.

Organizations should not let their employees, or any other person entering their grounds, go unsupervised. Using the right prevention methods, IT staff can drastically reduce the opportunity insiders have to cause harm to an organization.

2. ATTACKS

Because information technology is available to everybody today and information is everywhere, it is not hard to become an electronic criminal. Attacks have diversified, from password phishing to hacking into computers to steal information. Organizations’ computers have become priceless as they store valuable data. As Kevin Mitnick said, and we agree with him, “people are the weakest link”: they can be exploited, but they are also the most powerful tool for breaking the rules and bypassing security and technology. Attackers take advantage of computers’ vulnerabilities and people’s weaknesses to reach their goal of obtaining some sort of benefit, from revenge to money. Attackers are also well aware that virtually all computers are interconnected by the Internet or private networks. In addition, mobile and handheld devices with Internet connectivity have steadily grown in popularity. Networks make attacks easier to carry out remotely and more difficult to track to their sources. Next we are going to see the attacks that insiders carry out to harm other employees and colleagues.

In the figure below we are going to see the taxonomy of attacks, as presented by Chen Thomas and David Chris [8]. Attacks directed at specific hosts include sniffing, session hijacking, exploits of vulnerabilities, password attacks, denial of service, and social engineering. Social engineering can also be used in large-scale indiscriminate attacks. Other large-scale attacks include spam and malicious code (otherwise known as malware).

Fig.1. Taxonomy of attacks

(Source: Chen, T., David, C., An Overview of Electronic Attacks in Kanellis, P., Kiountouzis, E., Kolokotronis, N., Martakos, D., Digital Crime And Forensic Science in Cyberspace, Idea Group Publishing, 2006, p. 3)

These are some of the attacks; they can be combined in order to break into networks, systems and computers and obtain information for some gain. We are going to describe briefly every attack shown in the above figure in order to know how to protect against cyber criminals.

Sniffing is a passive attack that attempts to compromise the confidentiality of information. A sniffing utility is able to capture any traffic along the network, hoping to identify valuable information such as user IDs and passwords. If a laptop is used for this attack it is very hard to identify, as it is portable and easy to conceal.

Session hijacking is a combination of sniffing and address spoofing [3] that enables the compromise of a user’s remote login session, thus providing an attacker unauthorized access to a machine with the privileges of the legitimate user. Address spoofing is sending a packet with a fake source address. This is quite simple because the sender of an IP packet writes the IP source address in the packet header itself. Address spoofing enables attackers to masquerade as another person.
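The defensive counterpart of the point just made (the source address is whatever the sender wrote) is ingress filtering: a packet entering from the outside must not claim an inside source address. The following is an added example, not code from the paper or its cited authors; it parses the IPv4 header itself and assumes constructed internal address ranges and constructed sample packets.

```python
"""Added example: parse the IPv4 header of a raw packet, read the source
address the sender wrote into it, and apply the ingress filtering check
(the approach described in RFC 2827) that blocks address spoofing from
outside: a packet arriving on the external interface must not carry an
internal source address. Networks and packets below are constructed."""
import ipaddress
import struct

# Constructed assumption: the organization's internal address space
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# IPv4 fixed header: ver/ihl, tos, total length, id, flags/frag, ttl,
# protocol, checksum, source, destination (20 bytes, network byte order)
IPV4_HDR = "!BBHHHBBH4s4s"


def parse_ipv4_header(packet):
    """Return (src, dst, protocol) from the fixed 20-byte IPv4 header."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tlen, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack(IPV4_HDR, packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), proto


def build_ipv4_header(src, dst, proto=6):
    """Constructed test input only: a minimal header (checksum left zero)."""
    return struct.pack(IPV4_HDR, 0x45, 0, 20, 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed)


def is_spoofed_ingress(packet, internal_nets=INTERNAL_NETS):
    """True if a packet seen on the external interface claims an inside source."""
    src, _dst, _proto = parse_ipv4_header(packet)
    return any(src in net for net in internal_nets)


def filter_ingress(packets, internal_nets=INTERNAL_NETS):
    """Split external-interface packets into accepted and dropped source addresses."""
    accepted, dropped = [], []
    for pkt in packets:
        src = str(parse_ipv4_header(pkt)[0])
        (dropped if is_spoofed_ingress(pkt, internal_nets) else accepted).append(src)
    return accepted, dropped


# Constructed sample traffic as seen on the external interface
SAMPLE_PACKETS = [
    build_ipv4_header("203.0.113.7", "192.168.1.10"),   # genuine outside source
    build_ipv4_header("192.168.1.25", "192.168.1.10"),  # claims an inside address
    build_ipv4_header("10.4.4.4", "192.168.1.10"),      # claims an inside address
]

if __name__ == "__main__":
    ok, bad = filter_ingress(SAMPLE_PACKETS)
    print("accepted:", ok)
    print("dropped as spoofed:", bad)
```

The same check in the opposite direction (egress: an outgoing packet must carry an inside source) stops the organization's own hosts from being used to spoof others.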

Exploiting refers to using some methods to exploit the characteristics of the protocols, operating system, or application software used on the targeted system or network, just as a master thief might exploit the fact that a building has ventilation shafts and use them to enter the premises [9].

Password attacks attempt to gain access to a host or service with the privileges of a current user. Passwords continue to be very frequently used for access control despite their major weakness: if a password is guessed or stolen, an attacker could gain complete access. Even well-protected systems can be compromised by a single weak password. Understandably, many attacks are directed at guessing or bypassing passwords. They can be acquired through different techniques like brute force, recovery and exploitation of passwords stored on the system, use of password decryption software and social engineering.

In a denial-of-service (DoS) attack, an attacker attempts to prevent legitimate users from accessing information or services. By targeting a computer and its network connection, or the computers and network of the sites somebody tries to use, an attacker may be able to prevent the user from accessing email, web sites, online accounts (banking, etc.), or other services that rely on the affected computer [10]. Most people tend to think of denial of service (DoS) attacks as flooding, but at least four types of DoS attacks can be identified: starvation of resources on a particular machine; causing failure of applications or operating systems to handle exceptional conditions, due to programming flaws; attacks on routing and DNS; and blocking of network access by consuming bandwidth with flooding traffic.

In computer security, social engineering [11] is the practice of obtaining confidential information by manipulation (using social skills) of legitimate users. A social engineer commonly uses the telephone or Internet to trick a person into revealing sensitive information or into doing something that is against policy. Employees trick their colleagues by getting close to them and slyly convincing them to reveal sensitive information. With this method, social engineers exploit the natural tendency of a person to trust their word, rather than exploiting computer security vulnerabilities. People do not know about this attack, are overconfident, do not care, or go by the principle “it cannot happen to me”.

Malicious code is software built to do harm to other people’s computers. It is also known under the name of malware, the general term covering any type of software that is created to cause damage to devices or to collect confidential data from users. Among these we can recall viruses, worms, adware, spyware and Trojan horses, the most obvious and present threat to data security, which require measures for prevention and response. Viruses are malicious code that replicate by modifying other software. Worms can cause malfunction of the system. Trojan horses can be combined with many of the other attack types (such as social engineering) to compromise security for just about any purpose. Adware is software to monitor and profile a user’s online behavior, typically for the purposes of targeted marketing. A more serious and growing concern is another type of software that profiles and records a user’s activities, called spyware. Spyware, like adware, is an attack on user privacy, but spyware is also more likely to compromise confidential data for identity theft.