Cmpe 471 Computer Crime: Techniques and Countermeasures

Preventing Computer Crime Proper employee relations –careful supervision of employees’ state of mind –take note of unusual personal problems –beware if the employee radiates negative energy about the systems, peers and the company in general –try to solve the problem before it becomes a physical attack –take measures to prevent unauthorised access to information assets

Take physical measures for piggybacking –Guard –physical gates –outsourced external security company –proper guard back-up procedures –prevent more than one person to enter: man- trap: Kuzey Kampus, GarantiB headquarters Preventing Computer Crime

Preventing logical piggybacking –Unattended terminals or PCs are the portals for logical piggybacking –configurable time-out function –automatic branching to a security screen –user-configurable screen lay-out for re-authentication –integration with a security database –automatic return to the previous (interrupted) state –apply biometrics Preventing Computer Crime

Controls Against Program Threats –Software development the design writing testing –Programming Controls –Description of the programming task individual task that requires independent thought programs are very individualistic programmers are solitary people who enjoy working alone programming is an art only understood by programmers Preventing Computer Crime

Controls Against Program Threats –None of these arguments hold true!!! –The basic principles of software engineering are division of labour reuse of code use of standard pre-constructed software tools organised activity –Peer reviews: code and design –modularity, encapsulation and information hiding Preventing Computer Crime

Controls Against Program Threats –Writing code in small self-contained units: modules advantages for program development and security a module can be isolated from the negative effects of other models with which it interacts: encapsulation –Information hiding: other modules know that a module performs a certain task, but not know how it performs that task Preventing Computer Crime

Controls Against Program Threats –Modularity: Unity: performs one purpose Smallness: consists of an amount of information of which a person can readily grasp both structure and content Simplicity: low degree of complexity so that a person can readily understand the purpose and structure of the module Independence: performs a task isolated from other modules maintenance: a module can be replaced with a revised one understandability: small modules are easier to understand reuse correctness: an error can be found and corrected easily testing: a single module with well-defined inputs, output, function can be tested without effecting other modules Preventing Computer Crime

Controls Against Program Threats –From a standpoint of security, programmers and analysts must be able to understand each module as an independent unit and be assured of its limited effect on other modules –Proper modularity leads to modules that have minimal interaction with other modules Preventing Computer Crime

Encapsulation Tight coupling Independent, loosely coupled modules

Information hiding Access to all parts of module Method, data hidden

Configuration Management A person or system controls and records all changes to a program or documentation change control board –judges the desirability and correctness of all proposed changes to guard against loss of a version of a program to manage the parallel development of several similar versions of one program to provide facilities for controlled sharing of modules that combine to form one system

Configuration Management Security advantages: –protects against unintentional threats –guard against malicious ones –protects integrity of programs and documentation

Proofs of Program Correctness A security specialist wants to make sure that a given program computes a particular result and computes it correctly. Program correctness proofs are hindered by several factors: –depends on the programmer to translate program’s statements into logical implications- translation is prone to errors

Proofs of Program Correctness –Deriving the correctness proof from the initial assertions and the implications of statements is difficult; less appropriate for large programs –the current state of program verification is well- developed than code production; consistent and successful application to large production systems is a challenge.

Process Improvement Development stages: –system requirements design –software requirements analysis –preliminary design –detailed design –coding and unit testing –component integration and testing –subsystem integration and testing –system integration and testing

Process Improvement Each of these phases has the following requirements: –software development management: planning, organisation, reviews –software engineering: development, decomposition, adherence to standards for coding and language –formal qualification testing –software product evaluation –configuration management

Capability Maturity Model Software Engineering Institute (SEI) grants CMM levels from 1 to 5, 5 being the highest standard –Initial –Repeatable –Defined –Managed –Optimising

Administrative Controls Standards of program development Enforcing program development standards –security audits –segregation of duties