Biwer.net

CHAPTER V

DISCUSSION

Summary

The results of this thesis have addressed the goals and outcomes described in chapter one.  The literature review showed that computer crime and abuse does have a financial impact on organizations.  Many examples and categories of crime were reviewed.  The legal environment was summarized as was the literature relating to the security of the IBM AS/400 computer.

It is a common belief that a great deal of computer crime and abuse is undetected or unreported.  The literature review did not yield any cases of computer crime or abuse involving the AS/400.  The interviews revealed two cases. The literature review confirmed that computer crime and abuse often goes undetected or unreported.   The survey to AS/400 users showed that 16% felt that they have been victimized by computer crime or abuse.  An additional 11% were not sure if they have been victimized.  More than 80% said they were not familiar with the state or federal laws governing computer abuse.  The experts interviewed estimated that 75-90% of computer crime goes unreported.  Although the AS/400 has the capability to be a very secure system, the AS/400 family of computers is not immune from computer crime or abuse.

Everyone involved with computers should be aware that computer crime and abuse is a real problem that can affect any organization. The current literature offers general information procedures for implementing or increasing computer security. The following recommendations are based on information received from the survey, interviews and literature review. Two levels of recommendations are listed below. The general recommendations are for all computer users, followed by AS/400 specific recommendations.

General Recommendations

Data communications and computer hardware, operating system and application software and user application data files are valuable assets that need to be protected. Computer crime and abuse can be prevented in many cases if precautions are taken to protect the hardware, software and data assets.

The first general recommendation for all computer users and those managers responsible for assets of an organization is to recognize the problem. Increased awareness of the threat of computer crime and abuse should lead to preventative action. Current computer security literature offers information for minimizing the threats. Pro-active, preventative steps as outlined in computer security literature are effective in combating the internal and external threats of computer crime and abuse. Housing multi-user computers in a limited access computer room, using modems that call back remote, fixed location users after checking a list of valid calling locations and using unique user IDs and passwords are examples of basic, preventative security. Financial and human resources may need to be allocated to develop and maintain computer security policies and procedures.

The second general recommendation is to provide adequate backup copies of important data files and programs.  It is important for most computer users to be able to recover quickly from any interruption of service.  Making routine backup copies of data files and programs is strongly recommended.  Human error, natural disaster, fire, smoke, water or damage caused by a hacker can destroy valuable data files and programs in seconds.  Adequate backup will minimize the recovery time.

The third general recommendation is to strengthen the laws relating to the unauthorized access of a computer system.  Currently, under Minnesota law, unauthorized access is a misdemeanor.  In general, law enforcement officials interviewed felt the laws could be clarified and strengthened.

The fourth general recommendation is for organizations to prepare internal policies that address the prevention of computer abuse.  Upper level management in the areas of human resources, information technology and finance need to establish guidelines that address the proper use of computer hardware, software, privacy, and security.

The following recommendations are designed for those responsible for security of AS/400 systems.

Recommendations for AS/400 users

Managers of AS/400 systems should consider taking the following steps to minimize the risk of computer crime and abuse.  This list, based on information obtained from key informant interviews, survey results, and literature review, was developed to provide a minimum level of security.  Additional security features, as outlined in the IBM AS/400 reference manuals, can be implemented for environments requiring maximum protection such as financial institutions, military sites and government contractors.

Password Protection

- Use passwords: set the system security level, system value QSECURITY, to 30 or higher. This will require passwords and provide resource protection.

- Instruct users to memorize passwords and not to post them on or near workstations.

- Ensure that every user has a unique user ID. Avoid sharing user IDs.

- Require a minimum password length, QPWDMINLEN, of four.

- Require password changes quarterly: set QPWDEXPITV to 90.

- Ensure that all IBM supplied passwords, including those for the security officer (QSECOFR) and the service technicians (QSRV), are changed immediately after implementing password security.

- Immediately disable or remove the passwords of former employees and of employees who transfer to another area. Modify resource access as employee duties change.

Operating Procedures

- Set the maximum number of sign on attempts, QMAXSIGN, to three.

- Vary off (disable) the workstation and disable the user ID if the maximum number of sign on attempts is exceeded by setting QMAXSGNACN to three.

- Review all security-related system values. Develop an understanding of the options that are available.

- Use code reviews before allowing programs to be placed in a production library.

- Restrict access to production libraries.

- Use call-back modems when possible.

- Develop and routinely test a disaster plan.

Auditing

- Use security auditing: set QAUDLVL to *SECURITY.

- Participate in an annual audit of management information systems.
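
The system values recommended in the Password Protection, Operating Procedures and Auditing lists above can be checked mechanically. The following is an added example, not part of the original thesis: it compares a list of system values against that minimum baseline. The "NAME value" input format and the sample data are constructed for illustration, and accepting settings stricter than the recommended ones (for example a shorter expiration interval) is an assumption of this example.

```python
# Added example: checks exported system values against the minimum baseline
# recommended in this chapter. The "NAME value ..." input format is constructed
# for illustration; it is not the output format of any IBM command.

def _num(values):
    """Return the single numeric value, or None for *NOMAX or non-numeric input."""
    return int(values[0]) if len(values) == 1 and values[0].isdigit() else None

# name -> (predicate over the list of values, recommendation from the chapter)
BASELINE = {
    "QSECURITY":  (lambda v: _num(v) is not None and _num(v) >= 30, "30 or higher"),
    "QPWDMINLEN": (lambda v: _num(v) is not None and _num(v) >= 4, "at least 4"),
    "QPWDEXPITV": (lambda v: _num(v) is not None and 1 <= _num(v) <= 90, "90 days or fewer"),
    "QMAXSIGN":   (lambda v: _num(v) is not None and 1 <= _num(v) <= 3, "3 or fewer"),
    "QMAXSGNACN": (lambda v: v == ["3"], "3 (disable device and profile)"),
    "QAUDLVL":    (lambda v: "*SECURITY" in v, "includes *SECURITY"),
}

def parse_sysvals(text):
    """Parse 'NAME value [value ...]' lines; '#' starts a comment."""
    sysvals = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:
            sysvals[fields[0].upper()] = [f.upper() for f in fields[1:]]
    return sysvals

def check_baseline(sysvals):
    """Return a sorted list of (name, found, recommended) for each failure."""
    findings = []
    for name, (ok, recommended) in BASELINE.items():
        values = sysvals.get(name)
        if values is None:
            findings.append((name, "missing", recommended))
        elif not ok(values):
            findings.append((name, " ".join(values) or "empty", recommended))
    return sorted(findings)

# Constructed sample export from a loosely configured system.
SAMPLE = """\
QSECURITY   20
QPWDMINLEN  4
QPWDEXPITV  *NOMAX   # passwords never expire
QMAXSIGN    5
QMAXSGNACN  3
QAUDLVL     *AUTFAIL *CREATE
"""

if __name__ == "__main__":
    for name, found, recommended in check_baseline(parse_sysvals(SAMPLE)):
        print(f"{name}: found {found}, recommended {recommended}")
```

Special values such as *NOMAX are reported as failures because they switch the corresponding limit off entirely.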

Backup Protection

- Backup libraries on a regular basis. Ensure that there are adequate off-site backups of your data and program libraries.

Physical Protection

- House the AS/400 in a limited access computer room.

- Remove and secure the IBM supplied system control keys.

- Use an uninterruptible power supply.

- Use smoke, fire and water detectors in the computer room.

Personnel

- Check references on all job candidate finalists. Do a criminal background check on those with unlimited access or those responsible for sensitive or financial data.

- Provide training, if required, for the security officer and backup security officers.

- Ensure that backup security officers are available.

- Instruct end-users in methods of preventing, detecting and reporting computer crime and abuse, such as reporting unusual changes in data.

There are many sources of information that discuss IBM AS/400 security. The materials from IBM are very good. The Security Concepts and Planning manual is recommended. Also, Midrange Computing's video tapes, authored by Wayne Evans, are very helpful.

Recommendations for Further Study

There are many areas that can be studied to develop a deeper understanding of this and related topics. In addition to the general topics of computer crime and abuse, AS/400 security and the other areas studied for this thesis, related areas for study are telecommunications crime and abuse, the growth of cellular phone crime and abuse, and issues in using on-line computer services.

The literature often did not tell the entire story. One piece of information that is usually missing is the vendor of the victim's computer and/or information relating to the operating system. If this information were available, additional analysis of past cases may yield information that could lead to more secure systems, with specific recommendations for certain operating systems.

This study yielded two examples of computer crime and abuse involving the IBM AS/400.  Additional literature review, larger surveys or additional interviews may produce information that would help focus the recommendations presented here.

At the present time, the AS/400 has the capability to be a very secure system if the security features are implemented and managed.  Managers may not be able to prevent computer crime and abuse.  Using the recommendations outlined above, managers will be able to minimize the risk of computer crime and abuse.

In summary, this thesis fulfilled the outcomes listed in chapter one: increased awareness of laws regarding computer crime and abuse, increased awareness of the numbers and types of problems reported, and a measurement of Twin Cities area AS/400 users' awareness of computer crime and abuse issues. The thesis culminated in recommendations to organizations to minimize the risk of exposure to computer crime and abuse. The primary limitation of the study was that the number of interviews completed was less than the original plan. Also, a larger survey population size, involving additional geographic areas, may have produced differing survey results.

In an effort to increase the awareness of this thesis topic, I have given presentations at Minneapolis Technical College.  If possible, I would like to deliver a presentation at QUSER, the Twin Cities AS/400 user group and at COMMON, the national AS/400 user group. Finally, I plan to make portions of this thesis available  on the Internet.