Hacking: Implications For Computerized Accounting Information System
Author: anton, 25 November 2010
Words: 2724 | Pages: 11
IMPLICATIONS FOR COMPUTERIZED ACCOUNTING INFORMATION SYSTEM
Along with the growth of computerized accounting information systems (CAIS), the threats to the security of these systems have also grown. One such threat is hacking. In recent years hacking has become a serious concern for businesses. Although most hackers claim that they indulge in this activity for the intellectual challenge, this is not always the case. In this paper we learn that hackers attempt to bypass the security mechanisms of information systems not only for the thrill of learning, but also with the malicious intent of gathering information for gain.
Hacking is commonly used to refer to forms of trespass against a computer belonging to someone else. As per Infosec, a website devoted to information security, "Hacking means illegally accessing other people's computer systems for destroying, disrupting or carrying out illegal activities on the network or computer systems". Digitalguards defines it as "Unauthorized use, or attempts to circumvent or bypass the security mechanisms of an information system or network".
At first, "hacker" was a positive term for a person with expertise in computers who could push programs beyond what they were designed to do. Hacking has been around pretty much since the development of the first electronic computers. In the 1960s, the first computer hackers emerged at MIT. University facilities with huge mainframe computers became a breeding ground for hackers. In the 1970s, phreaks broke into phone networks to make free calls. In the next decade, phone phreaks began to move into the territory of computer hacking, and electronic bulletin board systems (BBSs) came into being. Hacking groups began to form. Among the first were the Legion of Doom in the United States and the Chaos Computer Club in Germany. In the last decade, with the advent of the internet, hackers moved all the hacking-related information from the old BBSs to new hacker web sites. The face of hacking changed rapidly with easy access to information and plug-and-play hacking tools over the internet. (PC World, 2001)
There are many techniques that hackers use to illegally get into a computer. The most common ones defined in Wikipedia are as follows:
Virus: This self-replicating program behaves in a way similar to a biological virus. It spreads by inserting copies of itself into other executable code or documents.
Worm: A worm is also a self-replicating program, like a virus. The difference between a virus and a worm is that a worm does not create multiple copies of itself on one system, and that it spreads itself through computer networks.
Trojan horse: These are viruses that fool a user into downloading and/or executing them by pretending to be useful applications. When used, these programs open a back door for the intruder to access the computer system.
Vulnerability scanner: It is used by hackers to quickly check computers on a network for known weaknesses.
Sniffer: It is an application that captures passwords and other data while they are in transit, either within the computer or over the network.
Exploit: It is a piece of software that takes advantage of a bug, or vulnerability, leading to privilege escalation or denial of service on a computer system.
Rootkit: When a hacker gets full access to a computer system, this collection of software helps him conceal the fact that the computer's security has been compromised. Rootkits may include replacements for system binaries, so that it becomes impossible for the legitimate user to detect the presence of the intruder on the system by looking at process tables.
Social engineering: It is a term given by hackers to any kind of trick that is used to get information from a worker of a targeted firm. At its basic level, social engineering exploits an understanding of human nature and people's natural openness and helpfulness when they are asked for help and advice.
Hacking has definitely changed in the last few decades. Earlier, it was more of an art form, and about learning how systems worked. The hackers then had more know-how of what they were doing, so there was less unintentional damage to the system being hacked. Now, youngsters pick up pre-written hacking programs and start using them. These borrowed scripts may have bugs and may cause more damage than planned (Zetter and Brandt 2005). Counterpane Internet Security Inc. observed that in 2004, 41 percent of attacks on its clients were unauthorized activity of some kind, 21 percent were scanning, 26 percent were unauthorized access, 9 percent were DoS (denial of service), and 3 percent were misuse of applications. Computer crime is another recent trend that is expected to continue. Schneier (2005) says, "Hacking has moved from a hobbyist pursuit with a goal of notoriety to a criminal pursuit with a goal of money".
Motives behind hacking
The worms and viruses unleashed by hackers cost businesses billions of dollars in damage. Back in 2003 Microsoft created a $5 million fund to reward those who help capture hackers. But I believe it is more important to identify and reduce the motives behind hacking. These motives can be varied. The Australian Institute of Criminology (Krone 2005) lists them as:
Money: This may include transferring funds electronically, stealing valuable data, stealing intellectual property (piracy), extortion etc.
Entertainment: This category hacks for personal pleasure.
Intellectual Challenge: Hackers in this category do it for intellectual challenges, not for outside recognition.
Entrance to social groups/status: Some people do it to be part of the various groups/communities of hackers. These "online communities can be very absorbing and not only provide peer recognition, but also the tools to hack through the sharing of knowledge, skills, techniques and technology".
Vengeance: Some hackers are motivated by individual grievances against individuals or companies.
Classes of hackers
There are generally two classifications. The bad guys are called "Black Hats" and the good guys are "White Hats". White Hats are also known as Ethical Hackers.
The Irish Honeynet Project has been actively researching and monitoring the hacker community in Ireland for nearly two years. The hacker taxonomy tends to be split into four distinct groups. (1) Script Kiddies are mainly young males who download pre-written, pre-compiled scripts and are intent on vandalizing or disrupting systems. (2) Crackers are the professional criminals, part of organized groups who make a living from breaking into computer systems and selling the information. (3) Coders, also called 'virus writers', perceive themselves as the elite of the blackhat community. Although they may write the code themselves, they tend not to use it themselves, leaving this to the script kiddies. (4) Old School Hackers (White Hats) tend to see themselves as hackers in the original sense of the word: through a clever trick (the hack), getting a piece of technology to perform a task it was never designed to do, or to overcome its design limits (Murphy 2004).
Hackers attack the weakest link in a system. These weaknesses are generally well known and documented. For example, if there are known Windows operating system vulnerabilities and the corresponding updates from Microsoft are not installed, those machines are at risk. Unprotected computers are another source of hacking. An older, ignored computer is generally used to get into the network, because the probability of such a PC having all the updates is low. Similarly, a walk-up PC may be ignored because nobody 'owns' it. Not encrypting important data provides another weak link. Also, if the same data on a server is encrypted but its remote backups are not, then the hacker would attack the less protected off-site machine (Zetter and Brandt 2005).
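The weak link described above, a ledger that is encrypted on the server but copied off-site in the clear, is easy to check for mechanically. The following Python script is an added example (it is not from the essay or any cited source): it measures the byte entropy of each copy of a data file and looks for the ledger's own plaintext field markers, flagging any copy that is readable without the key. The ledger format, the copy names and the toy keystream used to produce realistic ciphertext for the demonstration are all constructed assumptions; the keystream is not a recommended backup cipher.

```python
"""Audit copies of a CAIS data file and report those stored in plaintext.

Added example, not from the essay. The ledger layout, file names and the
toy keystream below are constructed purely to make the check runnable.
"""
import hashlib
import math
from collections import Counter

# Constructed sample: a CSV export of an accounting journal (assumed format).
LEDGER_CSV = b"".join(
    f"2010-11-{d:02d},ACCT-{1000 + d},{'DR' if d % 2 else 'CR'},"
    f"{d * 125.50:.2f},vendor payment\n".encode()
    for d in range(1, 41)
)

# Field markers that only appear in the plaintext ledger.
PLAINTEXT_MARKERS = (b"ACCT-", b"vendor", b",DR,", b",CR,")


def toy_keystream_encrypt(data: bytes, key: bytes) -> bytes:
    """Deterministic stand-in for the real backup encryption tool: XOR with a
    SHA-256 counter keystream. Used only to produce ciphertext-like bytes for
    the demo; it is NOT a cipher to deploy."""
    out = bytearray()
    for block, start in enumerate(range(0, len(data), 32)):
        keystream = hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        chunk = data[start:start + 32]
        out.extend(b ^ k for b, k in zip(chunk, keystream))
    return bytes(out)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ASCII text sits around 4-5, ciphertext near 8."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encrypted(blob: bytes, threshold: float = 7.0) -> bool:
    """Heuristic: high entropy and none of the ledger's plaintext markers."""
    if shannon_entropy(blob) < threshold:
        return False
    return not any(marker in blob for marker in PLAINTEXT_MARKERS)


def audit_copies(copies: dict) -> list:
    """Return the names of every copy that is readable without the key."""
    return [name for name, blob in copies.items() if not looks_encrypted(blob)]


def demo() -> list:
    """Three copies of the same ledger; the off-site CSV is the weak link."""
    key = b"demo-key-not-for-production"
    copies = {
        "server:/var/cais/ledger.db": toy_keystream_encrypt(LEDGER_CSV, key),
        "offsite:/backups/ledger-2010-11.csv": LEDGER_CSV,
        "offsite:/backups/ledger-2010-11.enc": toy_keystream_encrypt(LEDGER_CSV, key),
    }
    return audit_copies(copies)


if __name__ == "__main__":
    for weak in demo():
        print("plaintext copy found:", weak)
```

In practice the function `audit_copies` would be fed the bytes read from the real server path and the off-site backup target; a copy reported by it means the encryption on the server buys nothing, because the same records are reachable elsewhere in the clear.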
Humber (2003) talks about an incident in which police in Ontario, Canada hired a security engineer to test the robustness of their security system. It was found that all the sensitive information, like "Canadian Police Information Centre data, Interpol, criminal databases and records were traveling across the network unencrypted in plain text". The same could happen to a CAIS if the security controls are not in place. Critical information may fall into the wrong hands if an intruder hacks in.
It is also important to know that threats to computer security are more internal than external. There are abundant instances of cyber crimes where disgruntled employees have damaged the company's information systems, either while they were employed or after being discharged, by hacking into the network. Shaw (1999) gives an example of a systems administrator who caused damage to the accounting servers and backup tapes. The company had to replace the servers at extraordinary expense.
Stevens (1998) observes that 70-80% of security issues are related to employees, while only about 5% are because of outside hackers. As depicted in Figure 1, Luehlfing (2000) makes similar observations.
Figure 1: Threats to computer security (Luehlfing, 2000)
Measures should be taken to identify unsatisfied employees and address their concerns. By doing so, many potential hacks can be avoided. In a survey of 600 companies in North America and Western Europe, conducted by the Yankee Group, it was found that in 2004, 50% of security problems originated from internal sources, as compared to 30% in 2003. These figures indicate a general trend towards internal threats (Li 2005).
Earlier this year, in a hacking incident presumed to be the largest data security breach to date, hackers stole 40 million client records from CardSystems Solutions, a credit card processor. Following this incident, two of its main clients, Visa and MasterCard, announced that they would cut ties with it. This incident forced the company out of business, and it is now in the process of being acquired by Solidus Networks Inc.
Another crime that made it into the news was committed by Alexey Ivanov. He operated from Russia and hacked into dozens of computers throughout the US, stealing usernames, passwords, credit card information, and other financial data, and then extorting money from the victims. He was found to be responsible for a loss of $25 million (U. S. Department of Justice 2003).
A study by Casabona (1998) estimates computer fraud to run up to 9 billion a year in the US. These are the numbers even though most computer crimes go unreported, because companies fear bad publicity and future attacks by hackers.
However, a recent case published in Lawyers Weekly USA (2005) shows that even if the crime is reported, it is very difficult to produce evidence against the accused hackers, and they go unpunished. In this case the former employees allegedly accessed company computers in order to set up a competing business, but the employer failed to show evidence, and thus the court upheld a judgment in favor of the former employees.
The threat to computer security is now getting more attention. There are laws that have "created greater accountability standards for senior-level executives, who now must verify that the company's security systems are up to snuff" (Grebb 2005).
Abu-Musa (2002a) comes up with an integrated definition of Computerized Accounting Information Systems security. He maintains that security should cover both physical and data security (Figure 2). The first line of security is physical: it should be ascertained that the computers are safe and that only authorized personnel have physical access to them. The other aspect that needs to be protected is data/information. If an unauthorized person gets into the network/system, then, depending on what rights he has, the integrity, accuracy, availability, authenticity and validity of the data are at his discretion.
Figure 2: The Objectives of CAIS Security (Abu-Musa 2002a)
To safeguard the computer systems, it is very important that the right controls are in place. Zorkadis and Donos (2004) suggest that biometric techniques such as fingerprint verification can play an important role in securing a CAIS. This would eliminate the need to remember passwords. Lewis (2005) recommends choosing an accounting software package with proven, built-in security features that complement the other protective measures within the IT system.
Korvin et al. (2004) propose a model based on fuzzy set theory to assess risks due to threats to internal controls in a computer-based accounting information system. They maintain that "such risk assessment is essential in making appropriate decisions about establishing new internal control policies and procedures that may be necessary to protect the integrity and security of the information system".
Abu-Musa (2002b) did an extensive survey of the Egyptian banking system and came up with recommendations for the security of a computerized accounting information system. The results suggest:
• Restrict access to sensitive data to authorized employees.
• Background checks for personnel handling critical data; this can help identify a potential intruder.
• Confidentiality agreements between the computer users and the employers.
• Remote connections to a CAIS should be secure, to prevent unauthorized access.
• Backups of electronic data should be made and copies kept off-site.
• Encrypt the data to reduce the chance of unauthorized access. Only designated personnel should have the decryption information.
• Complete independence of the individuals responsible for controlling physical access from those responsible for programming, system software, and accounting control functions should be considered and implemented.
• If normal access controls to the system are bypassed in an emergency, tools should be in place to reinstate the security. This will help prevent, investigate and identify any unauthorized changes to data files.
• Prevent the unauthorized use of high-level programming languages, or even attempts to use them.
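Three of the recommendations above (restricting sensitive data to authorized employees, separating physical-access control from programming, system software and accounting control, and reinstating security and identifying changed data files after an emergency bypass) can be checked with a small script. The Python below is an added example, not tooling from the survey or the essay; the role names, user accounts, ACL, file contents and the emergency-grant record are all constructed, and the duty groups are an assumption drawn from the list rather than the survey's exact wording.

```python
"""Control checks for a CAIS: segregation of duties, ledger access review,
and post-emergency integrity verification.

Added example, not from the essay or the cited survey. Roles, users, file
contents and the emergency-grant record are constructed assumptions.
"""
import hashlib

# Duties that must never be held by the same person (assumed grouping).
SEPARATED_DUTIES = frozenset(
    {"physical_access_admin", "programmer", "sysadmin", "accounting_control"}
)

# Roles that justify read access to the general ledger (assumed).
LEDGER_READERS = frozenset({"accounting_control", "auditor"})


def sod_violations(assignments: dict) -> dict:
    """Users holding more than one of the separated duties, with those duties."""
    return {
        user: roles & SEPARATED_DUTIES
        for user, roles in assignments.items()
        if len(roles & SEPARATED_DUTIES) > 1
    }


def excess_ledger_access(assignments: dict, acl: dict) -> set:
    """Users on the ledger ACL whose roles do not justify reading it."""
    return {
        user for user in acl.get("ledger", set())
        if not assignments.get(user, set()) & LEDGER_READERS
    }


def baseline(files: dict) -> dict:
    """Record a SHA-256 digest per data file before emergency access is granted."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def changed_since(baseline_hashes: dict, files: dict) -> set:
    """Data files that differ from the baseline, including added or removed ones."""
    current = baseline(files)
    names = set(baseline_hashes) | set(current)
    return {n for n in names if baseline_hashes.get(n) != current.get(n)}


def grants_to_revoke(emergency_grants: list, now: int) -> list:
    """Emergency (break-glass) grants still active past their expiry, so that
    normal controls can be reinstated. Times are epoch seconds."""
    return [g for g in emergency_grants if g["active"] and g["expires"] <= now]


def demo() -> tuple:
    """Run all checks over constructed data and return their findings."""
    assignments = {
        "alice": {"accounting_control"},
        "bob": {"programmer", "sysadmin"},       # two separated duties
        "carol": {"physical_access_admin"},
        "dave": {"helpdesk"},
    }
    acl = {"ledger": {"alice", "dave"}}          # dave has no business reason
    files_before = {
        "gl.csv": b"2010-11-01,ACCT-1001,DR,125.50\n",
        "ap.csv": b"2010-11-02,VEND-17,CR,900.00\n",
    }
    snapshot = baseline(files_before)
    # Emergency: normal controls bypassed, bob edits a data file directly.
    files_after = {
        "gl.csv": b"2010-11-01,ACCT-1001,DR,1250.50\n",
        "ap.csv": b"2010-11-02,VEND-17,CR,900.00\n",
    }
    grants = [
        {"user": "bob", "active": True, "expires": 1_290_000_000},
        {"user": "carol", "active": True, "expires": 1_290_900_000},
    ]
    return (
        sod_violations(assignments),
        excess_ledger_access(assignments, acl),
        changed_since(snapshot, files_after),
        grants_to_revoke(grants, now=1_290_500_000),
    )


if __name__ == "__main__":
    sod, excess, changed, revoke = demo()
    print("segregation-of-duties violations:", sod)
    print("unjustified ledger readers:", excess)
    print("data files changed during emergency access:", changed)
    print("expired emergency grants to revoke:", [g["user"] for g in revoke])
```

The integrity check only tells you which files changed, not whether the change was legitimate; its value is that it turns "investigate and identify any unauthorized changes" from a guess into a short list of files to reconcile against the approved emergency work order.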
Hacking has been around since the inception of computers, and we do not see it going away. Not to be a pessimist, but all the above information reinforces this fact. We learned that it is difficult to identify whether an unauthorized activity has taken place. The hacking attacks that are identified may go unreported for various reasons. The reported hacking attacks are difficult to prove, as there is not much evidence left behind. If a hacker is convicted of the crimes, the punishment and/or fines are not substantial.
In a scenario like this, it is imperative that a CAIS has all the appropriate controls in place. These controls should be regularly reviewed and updated to include advancements in the information security technology.
References
Abu-Musa, A. A. 2002a. Security of computerized accounting information systems: A theoretical framework. Journal of American Academy of Business, Cambridge. Hollywood: Sep. Vol. 2, Iss. 1; pg. 150, 6 pgs.
Abu-Musa, A. A. 2002b. Computer crimes: How can you protect your computerized accounting information system? Journal of American Academy of Business, Cambridge. Hollywood: Sep. Vol. 2, Iss. 1; pg. 91, 11 pgs.
Brandt, A. and Zetter, K. 2005. Net Threats: Hacker Nation. PC World.
Casabona, P. and Yu, S. 1998. Computer Fraud: Financial and ethical implications. Review of Business. Jamaica: Fall. Vol. 20, Iss. 1; pg. 22, 4 pgs.
Grebb, M. 2005. Changing of the Guard. USBanker. New York: Jul. Vol. 115, Iss. 7; pg. 40, 3 pgs.
Humber, T. 2003. Is your HR system safe from hackers? Canadian HR Reporter. Toronto: Nov 3. Vol. 16, Iss. 19; pg. G3.
Korvin, A., Shipley, M. F., and Omer, K. 2004. Assessing risks due to threats to internal control in a computer-based accounting information system: a pragmatic approach based on fuzzy set theory. Intelligent Systems in Accounting, Finance and Management. Chichester: Apr-Jun. Vol. 12, Iss. 2; pg. 139, 14 pgs.
Krone, T. 2005. Hacking Motives. Australian Institute of Criminology.
Lawyers Weekly USA Staff. 2005. 3rd Circuit rules company can seek injunction for ex-employee's hacking of computers. Lawyers Weekly USA. Boston: Nov 21. pg. 1.
Lewis, B. 2005. IT Expertise Becoming a More Highly Prized Asset for Accountants Serving Small Business Clients. http://www.microsoft.com/smallbusiness/accountants/articles/it_expertise_becoming_a_more_highly_prized_asset.mspx
Li, Y. 2005. Companies Face System Attacks From Inside, Too. Wall Street Journal (Eastern edition). New York, N.Y.: Jun 1. pg. B.1.
Luehlfing, M. S., Daily, C. M., Phillips Jr, T. J., and Smith, L. M. 2000. Defending the security of the accounting system. The CPA Journal. New York: Oct. Vol. 70, Iss. 10; pg. 62, 4 pgs.
Murphy, C. 2004. Inside The Mind Of The Hacker. Accountancy Ireland. Dublin: Jun. Vol. 36, Iss. 3; pg. 12, 1 page.
PC World. 2001. Hacking's History.
Schneier, B. 2005. Attack trends. ACM Queue. New York: June. Vol. 3, Iss. 5; pg. 52, 8 pgs.
Shaw, E. D., Post, J. M., and Ruby, K. G. 1999. Inside the mind of the insider. Security Management. Arlington: Dec 1999. Vol. 43, Iss. 12; pg. 34.
Stevens, M. G. 1998. How secure is your computer system? The Practical Accountant. Boston: Jan. Vol. 31, Iss. 1; pg. 24, 8 pgs.
U. S. Department of Justice. 2003. Computer Crime and Intellectual Property Section. Russian Man Sentenced for Hacking into Computers in the United States: Press Release, July. http://cybercrime.gov
Zorkadis, V. and Donos, P. 2004. On biometrics-based authentication and identification from a privacy-protection perspective: Deriving privacy-enhancing requirements. Information Management & Computer Security. Bradford: Vol. 12, Iss. 1; pg. 125.