Information Risk and Security
eBook - ePub

Preventing and Investigating Workplace Computer Crime

  1. 362 pages
  2. English
About this book

Information Risk and Security explains the complex and diverse sources of risk for any organization and provides clear guidance and strategies to address these threats before they happen, and to investigate them, if and when they do. Edward Wilding focuses particularly on internal IT risk, workplace crime, and the preservation of evidence, because it is these areas that are generally so mismanaged. There is advice on:
  • preventing computer fraud, IP theft and systems sabotage
  • adopting control and security measures that do not hinder business operations but which effectively block criminal access and misuse
  • securing information - in both electronic and hard copy form
  • understanding and countering the techniques by which employees are subverted or entrapped into giving access to systems and processes
  • dealing with catastrophic risk
  • best practice for monitoring and securing office and wireless networks
  • responding to attempted extortion and malicious information leaks
  • conducting covert operations and forensic investigations
  • securing evidence where computer misuse occurs and presenting this evidence in court
and much more. The author's clear and informative style mixes numerous case studies with practical, down-to-earth and easily implemented advice to help everyone with responsibility for this threat to manage it effectively. This is an essential guide for risk and security managers, computer auditors, investigators, IT managers, line managers and non-technical experts; all those who need to understand the threat to workplace computers and information systems.

Information

Publisher: Routledge
Year: 2017
eBook ISBN: 9781351927550

CHAPTER 1 Perception of Risk

It doesn’t work to leap a twenty-foot chasm in two ten-foot jumps.
Proverb
The premises of this chapter are:
  • The perception of risk in many organizations is often biased, ill-focused or based on unfounded presumptions.
  • Security efforts are disproportionately expended on combating external threats.
  • The gravest potential risks to business continuity reside within the firewall.
  • Inadequate controls are presumed to be effective.
  • Risk assessment methodologies fail to identify catastrophic risks because they rely upon generic formulae that are of marginal value when applied to highly specialized industries, sectors and operating environments. As a result, the corporate ‘jugular vein’ (or Achilles heel) is rarely identified or defended.
  • Rules-based risk assessment methodologies, checklists and conventional audit strategies reflect the experience and prejudices of their authors, often ignore fraud or under-emphasize its potential impact, and often fail to address the risks associated with emerging technologies, products, methods or operations because they are neither current nor updated.
  • Organizations are ill-prepared to detect or respond to deviance or serious criminality within the workplace because so much emphasis is nowadays placed on trust and ‘empowerment’ of the workforce, rather than on vigilance and control.

A biased perception

Understandably, senior management’s perception of risk across all industries and sectors was massively influenced by the terrorist attacks on the World Trade Center (WTC) in New York on 11 September 2001. This event galvanized the business world, engendering a massive global investment in disaster recovery planning, effort and expenditure.
Having listened to IT security and risk managers across a range of businesses, I have been struck by how often these professionals seek to impress upon their audiences how proactive they are in regard to ‘DR’ (disaster recovery). The somewhat limited definition of DR adopted in these instances has tended to focus on recovering data processing operations and IT capability in the event of bombs, fires, floods, power failures, or force majeure. In the wake of 9/11 there has undoubtedly been a wide-scale reassessment and overhaul of methods, procedures and capabilities should these potential disasters strike, and this endeavour has clearly been significantly driven at the most senior levels of management. Most mature businesses worldwide have now implemented baseline contingency planning to survive even the most extreme physical disasters.
By 2001, fires and explosions were in the forefront of the contingency-planning consciousness of those in the twin towers, due to the previous bombing of the WTC on February 26, 1993. The impact of that bomb caused businesses within the WTC to re-assess their procedures. Backup and restoration operations were vigorously tested and businesses availed themselves of both hot and cold standby processing facilities. The beneficial result of this was that many operations were technically up and running within hours of the planes hitting the towers on the morning of September 11. However, many skilled people who operated these systems, such as the trading specialists in firms like Cantor Fitzgerald, died in the attack. As a result, widespread distribution of key operations and personnel, rather than their more common centralization within a single building, is a key tenet of current disaster recovery philosophy.
The range of other man-made and natural disasters that features in the textbook disaster-recovery programme are familiar to most IT managers and are, by and large, suitably accounted for. Most of these potential contingencies have been known about and considered over many decades, which largely explains why no major company located in the WTC went out of business following 9/11.
Figure 1.1 The terrorist attack on the World Trade Center (EMPICS/PA)
This is a fact and it is worth re-emphasizing:
No major company located in either of the twin towers went out of business as a result of the terrorist attacks of September 11, 2001.1
Businesses understand physical risks and have prepared effective contingency plans to mitigate them – even more so in the aftermath of 9/11. However, there are many business risks that are rarely contemplated, or addressed at all by contingency plans.
It is instructive to compare and contrast the successful disaster recovery strategies put into action in the immediate aftermath of the WTC attacks with another spectacular business disaster, which happened some six years earlier.

Nick Leeson: a threat from within the firewall

The collapse of Barings Bank in February 1995 is a quintessential tale of risk management gone wrong. Astonishingly, the failure was caused by an individual, operating alone, and without supervision.
Nick Leeson was appointed as a general manager at Barings Securities (Singapore) Limited in 1992. Upon arrival Leeson was not qualified to trade on the Singapore Money Exchange (SIMEX) but he quickly set about gaining the necessary qualifications to do so.
Due to a lack of managerial supervision and non-existent controls, Leeson soon assumed three roles that should strictly have been mutually exclusive. In addition to his official role as general manager, he soon became head trader and, concurrently, head of the back office. This was a fundamental conflict of interest that ran contrary to the most basic rule governing trading and settlements operations, which stipulates that control of the front office and back office should be strictly segregated.
The story of Leeson’s subsequent unauthorized trading on the Japanese Nikkei and its disastrous consequences is well documented, not least by Mr Leeson himself in his book Rogue Trader.
Using a trick seen in many accounting frauds he hid the extent of his unauthorized trading position and losses in a suspense account, numbered 88888. Leeson claims that he originally used this ‘lucky’ account to conceal a modest loss accumulated accidentally by one of his traders. However, the enormity and extent of his trading indicates that he was actually speculating, but with virtually no success. Leeson was devoid of luck and lost money almost from the outset. In increasingly desperate attempts to balance the books he increased his bets, but this only served to increase his losses. In 1992, his cumulative loss amounted to approximately £2 million. A year later, this had risen to £23 million and by 1994 Leeson had defaulted to the tune of £208 million.
On February 23, 1995, Nick Leeson and his wife fled Singapore for Malaysia leaving a massive £827 million deficit in the Barings balance sheet. By the time he was arrested in Frankfurt, Leeson had bankrupted Barings, which was subsequently sold to the Dutch bank ING for the nominal transfer value of £1.
Nick Leeson, acting alone, destroyed Barings Bank. Nobody in London or Singapore had foreseen the impending disaster, or sounded the alarm. Control failures apparent in the Barings fiasco included:
  • The initial failure to establish controls when the Singapore office was inaugurated.
  • The consequent failure to segregate the trading floor from the back office, which provided Leeson with the opportunity to conceal his losses.
  • The lack of local management, experience, knowledge or oversight, which enabled Leeson to act autonomously.
  • A confusing, ill-defined and opaque reporting structure, which obscured Leeson from view and protected him from effective scrutiny.
  • His willingness to lie, misrepresent, obfuscate, forge and falsify in order to gain funds from Barings and its subsidiaries to support his losses.
  • Management in London was ignorant about the specific operation of the Singapore office, emphasizing profit to the exclusion of all else.
In Rogue Trader Leeson identified ignorance as a key factor:
People at the London end of Barings were all so know-all that nobody dared ask a stupid question in case they looked silly in front of everyone else.
This is a compelling observation. Few people at the time really understood what Leeson or his team of traders actually did – the mechanics and functioning of the derivatives market being relatively technical and specialized. The complexity of the trading operation in Singapore explains, in part, why nobody within senior management wanted to assume ownership of the operation or oversight of Leeson and his team. To compound the problem, nobody senior within the bank would admit their benightedness, for fear of ridicule. Fraud and incompetence thrive when management is uninformed, wilfully ignorant or just disinterested.
London empowered the Singapore office, which, for a period, became ostensibly the most profitable division of the entire bank. In this heady atmosphere, control and oversight were deemed irrelevant. As laissez-faire prevailed, Leeson went berserk.
Figure 1.2 Nick Leeson – inside the firewall (EMPICS/AP)
To return briefly to some of the premises with which this chapter began:
The perception of risk in many organizations is often biased, ill-focused or based on unfounded presumptions.
At no time, until he went on the run in February 1995, did senior management at Barings perceive Nick Leeson to be a risk. In fact, quite the opposite; for most of his career in Singapore, Leeson was considered to be a star performer.
Security efforts are disproportionately expended on combating external threats whilst the gravest potential risks to business continuity reside within the firewall.
Leeson was a trusted employee of Barings Securities (Singapore) Limited and had uninhibited access to systems and processes. As a result he had the opportunity to commit devastating and irreparable damage.
Risk assessment methodologies fail to identify catastrophic risks because they rely upon generic formulae that are of marginal value when applied to highly specialized industries, sectors and operating environments. As a result, the corporate jugular vein (or Achilles heel) is rarely identified or defended.
Undeniably, the bank’s derivatives trading operation in Singapore was both novel at the time and highly specialized. The specific risks relating to the derivatives market were insufficiently analysed, assessed or understood. The detailed minutiae of the trading operation fell outside the parameters of any established risk assessment matrix or methodology. The catastrophic risk posed by Leeson was never identified, flagged or prioritized, and this jugular vein remained exposed until Leeson severed it and the bank bled to death.
Rule-based risk assessment methodologies, checklists and conventional audit strategies reflect the experience and prejudices of their authors, often ignore fraud or under-emphasize its potential impact, and often fail to address the risks associated with emerging technologies, products, methods or operations because they are neither current nor updated.
In this instance, a rule-based risk assessment of the front and back office in Singapore should have identified and flagged the conflict of interest in Leeson’s various roles. Had such an exercise been undertaken the ensuing disaster might have been averted. It is, after all, an unassailable rule that the back offi...

Table of contents

  1. Cover
  2. Half Title
  3. Title Page
  4. Copyright Page
  5. Table of Contents
  6. List of Figures
  7. List of Tables
  8. Foreword
  9. Acknowledgements
  10. Introduction
  11. 1 Perception of Risk
  12. 2 Computer Fraud
  13. 3 Espionage, Intellectual Property Theft and Leaks
  14. 4 Password Misuse
  15. 5 Trash Risk
  16. 6 Wireless Risks
  17. 7 Sabotage, Extortion and Blackmail
  18. 8 Social Engineering
  19. 9 Risks with Personal Computers
  20. 10 Pornography
  21. 11 Anonymous Letters
  22. 12 Press Leaks
  23. 13 Incident Response
  24. 14 Ground Rules on Computer Evidence
  25. 15 Covert Operations
  26. 16 Analytical Modes
  27. 17 Investigative Resources
  28. 18 Computer Evidence in Court
  29. 19 Exit Procedures
  30. 20 Conclusion
  31. Appendices
  32. Glossary
  33. Index
