IT auditing, control, and security constitute one of the fastest-growing fields in technology
today. Advances in IT have brought to the forefront public concern over issues of security and
privacy that were once of interest only to legal and technical experts but today affect virtually
every user of IT. With this concern have come federal and international laws with which businesses
and the public must comply. Businesses must therefore comply not only with their own organizational
policies and procedures but also with any governing laws that apply to doing business locally or
globally. We monitor for compliance with organizational policies and procedures, but we must also be
cognizant of the laws that protect and govern our business.
IT Crime Issues
The IT explosion has opened up many new gateways for criminals. Since the integration of the
computer into business, organizations have had to safeguard their intellectual assets against
computer crime. The 2009 Internet Crime Report states that from January 1, 2009, through
December 31, 2009, the Internet Crime Complaint Center (IC3) Website received 336,655
complaint submissions, a 22.3% increase over 2008; the total dollar loss from all referred cases
was $559.7 million, up from $264.6 million in 2008. FBI and NCCC reports indicate that less than
10 percent of computer fraud crimes are reported, largely because of the public embarrassment
companies face and the negative press such incidents receive. Just a glance at the U.S. Department
of Justice Website's list of recent computer crimes gives a sense of vulnerability.
There are three main categories of crimes involving computers; these crimes may be committed
as individual acts or concurrently. The first is where the computer is the target of the crime.
Generally, this type of crime involves the theft of information stored in the computer; it also
covers unauthorized access to, or modification of, records. Two specific crimes that can result
directly from targeting the computer are techno-vandalism and techno-trespass. Damage resulting
from unauthorized access is commonly called techno-vandalism; techno-trespass is the unauthorized
access itself. The most common way to gain unauthorized access is for the criminal to become a
"super-user" through a backdoor in the system. The backdoor is there to permit access should a
problem arise, which is exactly why such emergency-access paths must be inventoried and guarded as
tightly as the administrator account itself. Being a super-user is equivalent to being the system's
manager, and it gives the criminal access to practically all areas and functions within the system.
This type of crime is of the greatest concern to industry.
The next general type of computer crime occurs when the computer is used as an instrument of
the crime. In this scenario, the computer is used to assist the criminal in committing the crime.
This category covers fraudulent use of automatic teller machine (ATM) cards and machines and
identity, credit card, telecommunications, and financial fraud from computer transactions. Until
2001, the most publicized example of this type of crime was the cloning of cellular phone
numbers.
In the third category, the computer is not necessary to commit the crime. The computer is
incidental: it is used to commit the crime faster, to process greater amounts of information, and
to make the crime more difficult to identify and trace. The most frequently cited example of this
crime is child pornography. Owing to increased Internet access, child pornography is more
widespread, easier to access, and harder to trace. IT helps law enforcement prosecute this crime
because the incriminating information is often stored in the computer, which makes prosecution
easier. Where the criminal is savvy, however, the computer is programmed to encrypt the data or
erase the files if it is not properly accessed. Thus the fields of computer forensics and computer
security are opening new job opportunities for audit and security professionals who use their
skills to capture the evidence.
In light of the lack of effective legislation currently in place, the best defense against
computer fraud is a good offense. IT auditors should alert their clients to the dangers that are
present. There are several ways they can protect their clients from computer fraud, generally in
the form of controls, firewalls, or encryption. The combined use of these methods will help reduce
the risk of unauthorized access to the IS.
The FBI's National Computer Crime Squad has the following advice to help protect against
computer fraud:
Place a log-in banner to ensure that unauthorized users are warned that they may be
subject to monitoring.
Turn audit trails on.
Consider keystroke-level monitoring if an adequate banner is displayed.
Request trap and tracing from your local telephone company.
Consider installing caller identification.
Make backups of damaged or altered files.
Maintain old backups to show the status of the original.
Designate one person to secure potential evidence. Evidence can consist of tape backups
and printouts. These pieces of evidence should be documented and verified by the
person obtaining the evidence. Evidence should be retained in a locked cabinet with
access limited to one person.
Keep a record of resources used to reestablish the system and locate the perpetrator.
Encrypt files.
Encrypt transmissions.
Use one-time password (OTP) generators.
Use secure firewalls.
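Three of the items above (make backups of damaged or altered files, maintain old backups to show the status of the original, and document and verify each piece of evidence) are, in practice, carried out with an evidence log that records a cryptographic hash of every item when it is secured and records every hand-off thereafter. The following is an added example written for this page by the editor; it is not code from the book or from the FBI advice, and the class and function names, the ledger-file contents, the timestamp, and the people in the custody chain are all constructed for illustration. Hashing for integrity and an append-only custody record are the editor's choice of technique, not something the list itself prescribes.

```python
import hashlib
import json
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
from typing import Dict, List, Optional


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of an evidence item (a file, a tape image, a scanned printout)."""
    return hashlib.sha256(data).hexdigest()


def first_difference(original: bytes, current: bytes) -> Optional[int]:
    """Offset of the first byte at which `current` departs from `original`; None if identical.
    A length mismatch counts as a difference at the end of the shorter item, so the old
    backup shows exactly where the altered file was changed or truncated."""
    n = min(len(original), len(current))
    for i in range(n):
        if original[i] != current[i]:
            return i
    return None if len(original) == len(current) else n


@dataclass
class EvidenceRecord:
    item_id: str
    description: str
    sha256: str
    size: int
    collected_by: str
    collected_at: str
    custody: List[Dict[str, str]] = field(default_factory=list)  # append-only hand-off history


class EvidenceLog:
    """Chain-of-custody log (hypothetical name): each item is hashed when secured and re-hashed
    on every check, and a transfer is accepted only from the person who actually holds it."""

    def __init__(self) -> None:
        self._records: Dict[str, EvidenceRecord] = {}

    @staticmethod
    def _stamp(when: Optional[str]) -> str:
        return when or datetime.now(timezone.utc).isoformat()

    def register(self, item_id: str, description: str, data: bytes,
                 collected_by: str, when: Optional[str] = None) -> EvidenceRecord:
        if item_id in self._records:
            raise ValueError(f"{item_id} already registered; records are never overwritten")
        rec = EvidenceRecord(item_id, description, sha256_hex(data), len(data),
                             collected_by, self._stamp(when))
        rec.custody.append({"at": rec.collected_at, "holder": collected_by, "event": "collected"})
        self._records[item_id] = rec
        return rec

    def transfer(self, item_id: str, from_person: str, to_person: str,
                 reason: str, when: Optional[str] = None) -> None:
        rec = self._records[item_id]
        if rec.custody[-1]["holder"] != from_person:
            raise ValueError(f"{from_person} is not the current holder of {item_id}")
        rec.custody.append({"at": self._stamp(when), "holder": to_person,
                            "event": f"transferred from {from_person}: {reason}"})

    def current_holder(self, item_id: str) -> str:
        return self._records[item_id].custody[-1]["holder"]

    def verify(self, item_id: str, data: bytes) -> bool:
        """True only if the item presented now matches what was secured originally."""
        rec = self._records[item_id]
        return len(data) == rec.size and sha256_hex(data) == rec.sha256

    def export(self) -> str:
        """JSON rendering of the log, suitable for printing into the locked-cabinet paper record."""
        return json.dumps([asdict(r) for r in self._records.values()], indent=2, sort_keys=True)


# Constructed sample data: a nightly backup of a ledger file and the altered copy found later.
ORIGINAL_LEDGER = b"acct,balance\n1001,250.00\n1002,900.00\n"
ALTERED_LEDGER = b"acct,balance\n1001,250.00\n1002,990.00\n"

if __name__ == "__main__":
    log = EvidenceLog()
    log.register("EV-01", "tape backup of ledger.csv taken the night before the incident",
                 ORIGINAL_LEDGER, "J. Auditor", when="2009-03-01T02:00:00+00:00")
    log.transfer("EV-01", "J. Auditor", "Evidence Custodian", "hand-off to locked cabinet")
    print("original still intact:", log.verify("EV-01", ORIGINAL_LEDGER))
    print("altered copy matches :", log.verify("EV-01", ALTERED_LEDGER))
    print("first altered byte at offset", first_difference(ORIGINAL_LEDGER, ALTERED_LEDGER))
    print(log.export())
```

The point of recording size and hash at seizure, rather than a description alone, is that the person who later presents the tape can be checked against the person who secured it, and a single changed digit in the ledger (the 900.00 that became 990.00 in the sample) is located by byte offset against the old backup instead of by eye.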
The explosion of the information age has created many opportunities for improving business. It
has also created more opportunities for criminals. Six years ago, the International Trade
Commission reported that computer software piracy is a $4 billion-a-year problem worldwide.
Three years ago, experts believed that software piracy cost the computer industry more than
$11 billion a year and that software theft drains the U.S. economy of jobs and wages. Others
estimate that there is one illegal copy of each computer software program for every two
legitimate copies. Organizations such as the Business Software Alliance, the Software Publishers
Association, the Institute of Internal Auditors, and the Information Systems Audit and Control
Association have been instrumental in raising awareness of this type of crime.
The Computer Fraud and Abuse Act (CFAA) was first drafted in 1984 as a response to computer
crimes. The government's response to network security and network-related crimes was to revise
the act in 1994 under the Computer Abuse Amendments Act to cover crimes such as trespass
(unauthorized entry), exceeding authorized access, and exchanging information on how to gain
unauthorized access. Although the act was intended to protect against attacks in a network
environment, it does have its fair share of faults. The act requires that certain conditions be
present for a crime to be a violation of the CFAA; only if these conditions are present will the
crime fall under the CFAA. The three types of attacks covered under the act, and the conditions
that have to be met, are
Fraudulent trespass. This is a trespass made with the intent to defraud that results both in
furthering the fraud and in the attacker obtaining something of value.
Intentional destructive trespass. This is a trespass along with actions that intentionally
cause damage to a computer, computer system, network, information, data, or program, or
that result in denial of service, and that cause at least $1000 in total loss in the course
of a year.
Reckless destructive trespass. This is a trespass along with reckless actions (although not
deliberately harmful) that cause damage to a computer, computer system, network,
information, data, or program, or that result in denial of service, and that cause at least
$1000 in total loss in the course of a year.
Each of these three definitions is geared toward a particular type of attack. Fraudulent
trespass was a response to crimes involving telephone fraud committed through a computer
system, such as using a telephone company computer to obtain free telephone service. This
condition helps prosecute individuals responsible for the large financial losses suffered by
companies such as American Telephone & Telegraph (AT&T), as mentioned earlier. Telephone toll
fraud has snowballed into a problem costing the phone companies over a billion dollars a year.
The other two usually apply to online systems and were implemented to address the problems of
hackers or crackers, worms, viruses, and virtually any other type of intruder that can damage,
alter, or destroy information. The two attacks are similar in many ways, but the key to
differentiating them is the word "intentional," which of course means a deliberate attack with
the intent to cause damage, whereas "reckless" can cover an attack in which damage was caused
through negligence. Penalties under Section 1030(c) of the CFAA vary from 1 year of imprisonment
for reckless destructive trespass on a nonfederal computer to up to 20 years for an intentional
attack on a federal computer where the information obtained is used for "the injury of the
United States or to the advantage of any foreign nation" (i.e., cases of espionage).