A new Federal regulation aimed at tackling white-collar crime has sobering implications for CEOs, information systems managers, and other senior management. Simply stated, the regulation holds the CEO and senior management responsible for crime involving their organization. Officials remain responsible even when the organization and its members are honest, and the crime clearly was perpetrated by intruders. Organizations are exposed to liability of up to $290 million and possible corporate probation for financial crime.
To prevent this liability, organizations need to prove a "good faith" effort at preventing and deterring criminal conduct on their networks through an "effective" security program. However, the most prevalent computer security system--the password--is considered by computer security experts to be largely ineffective. Organizations relying on computer passwords alone for security will carry heightened liability--and their managements carry heightened risk.
The CEO as Top Cop
The Federal Sentencing Organizational Guidelines define executive responsibility for fraud, theft and anti-trust violations, and establish a mandatory point system for Federal judges to determine appropriate punishment. They became effective in November 1991 and apply to every organization, including private, public, not-for-profit, labor unions, trade associations, government agencies, and pension funds.
Where organizational misconduct or offenses are found, the Guidelines state that "high level personnel"--including executive officers, directors, and functional managers who exercise a substantial measure of discretion on behalf of the organization--will be held liable for fines or imprisonment. Since so much fraud and falsifying of corporate data involves access to computer-based information, liability set forth under the Guidelines would extend to computer crime prevention as well.
What has stunned many executives is that the Guidelines' mandatory punishment could apply even when intruders enter a computer system and perpetrate crime. For example, a criminal outsider could create false payment data on the system, and yet the CEO could receive a fine for the crime that was perpetrated using the organization's computer system. The cunning defense attorney could effectively help "blame the victim" because, under the Federal Sentencing Guidelines, the organization holds the responsibility for preventing and deterring crime.
The Guidelines show that, like it or not, the CEO now has the job of top cop, and organizational managers are held responsible for the prevention of crime. Indeed, an ineffective information protection program itself has become a liability.
Incentives for "Good Faith" Crime Prevention
At the same time, the Guidelines create an incentive for productive crime prevention in our networked, dial-up world--where attempts at unauthorized access to financially valuable data are virtually inevitable. They enable judges to reduce mandatory punishment if an organization shows a "good faith effort" in preventing and deterring crime, among other criteria. A numerical tally of points indicates how greatly a judge can mitigate the fine or sentence. If the crime prevention program is viewed as "effective," the judge can lessen the Guidelines' mandatory punishments.
The Guidelines define a "good faith effort" as including:
Passwords Neither "Effective" Nor "Good Faith"
While system security from hardware and software vendors is for the most part acceptable, the weak link lies in user identification. When a user enters a network with just a password, all that is known is that someone is entering the network--however, it could be anyone! One needs only a glance at today's headlines to appreciate that single-factor, static passwords are not "effective" computer security.
Figure 1.
Figure 1 shows that a truly "effective" computer security program encompasses a pyramid of six steps, from defining corporate policies and procedures to auditing network access and activity. While all are important, computer security experts believe the user identification and authentication step is pivotal. If unauthorized users can masquerade as authorized users and gain access to networks or sensitive data, then all other security controls are rendered meaningless.
However, advances in computer security are raising the bar for what can be considered a "good faith effort". Newer, more effective methods of user authentication that are better able to protect against, detect and report instances of unauthorized access are proliferating. As more organizations improve their computer security to address the inadequacies of password-only systems, the likelihood grows that the court will change its definition of "effectiveness".
Two-Factor Authentication
In particular, the use of two-factor authentication represents a step-change in easy-to-use, reliable computer security. Such two-factor user authentication systems require two independent items: something you know, and something you possess.
The "known" entity is something secret known only to the user. The "possessed" item is an uncounterfeitable, independent ID authenticator. When used in conjunction these two factors vastly increase the reliability of positive end-user authentication over the classic password.
An example of a two-factor system from Security Dynamics uses a credit card-sized smart card--the SecurID Card--to display a randomly generated, unpredictable access code that automatically changes every 60 seconds and is unique to each user. To gain access to a protected environment, users enter a secret personal identification number (PIN) as well as the current access code displayed on the SecurID Card. With the correct information entered, authorized users are allowed access, while unauthorized users--hackers and would-be trespassers--are systematically locked out. Each SecurID access code can only be used once, and only while displayed on the Card during that interval, thus eliminating any security threat from observation, eavesdropping or password stealing.
Such two-factor user authentication systems eliminate the risk of unauthorized users masquerading as authorized users, while at the same time retaining their ease of use by still requiring a simple, one-step logon procedure.
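A server-side verifier for the time-synchronous token scheme described above, written here as an added example (it is not Security Dynamics' or the SecurID product's code). The code derivation uses HMAC-SHA256 over a per-user seed and the 60-second interval number, an assumption standing in for the token's actual algorithm, which the text does not give; the PIN check, a one-interval tolerance for clock drift, and the rule that each code is accepted only once follow the text. User records and seeds are constructed sample data.

```python
import hmac
import hashlib
import struct
import time

# Added example, not Security Dynamics' code. The token code is derived with
# HMAC-SHA256 over a per-user secret seed and the 60-second interval number
# (an assumption; the page does not describe the SecurID algorithm). A user
# authenticates with a PIN (something known) plus the current code shown on
# the token (something possessed).

INTERVAL = 60          # seconds per code, as stated in the text
CODE_DIGITS = 6        # constructed choice; the page gives no code length

def token_code(seed: bytes, interval_no: int) -> str:
    """Code the token would display during a given 60-second interval."""
    mac = hmac.new(seed, struct.pack(">Q", interval_no), hashlib.sha256).digest()
    value = int.from_bytes(mac[:4], "big") % (10 ** CODE_DIGITS)
    return f"{value:0{CODE_DIGITS}d}"

class TokenVerifier:
    """Checks PIN + code, tolerates `drift` intervals of clock skew, and
    rejects reuse of a code (each code is valid once, as the text states)."""
    def __init__(self, users, clock=time.time, drift=1):
        # users: {username: (pin, seed)} -- constructed sample records
        self.users = users
        self.clock = clock
        self.drift = drift
        self.used = set()   # (username, interval_no) pairs already accepted

    def verify(self, username: str, pin: str, code: str) -> bool:
        record = self.users.get(username)
        if record is None:
            return False
        expected_pin, seed = record
        # Constant-time compare so timing does not reveal whether the PIN matched.
        pin_ok = hmac.compare_digest(expected_pin, pin)
        now = int(self.clock()) // INTERVAL
        for interval_no in range(now - self.drift, now + self.drift + 1):
            if (username, interval_no) in self.used:
                continue  # replay of an already-consumed code
            if hmac.compare_digest(token_code(seed, interval_no), code) and pin_ok:
                self.used.add((username, interval_no))
                return True
        return False
```

A failed attempt never marks an interval as used, so a wrong PIN cannot burn the code the legitimate user is about to enter.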
The Trend Is Clear
The Federal Sentencing Guidelines are just one of a number of legal and regulatory requirements today that imply an organization's responsibility for computer crime prevention. There is a clear international movement to fight white collar crime in financial dealings--which, of course, are heavily computerized. For more information on other measures see the list of references at the end of this paper.
The Federal Sentencing Guidelines imply multi-million dollar liability for any organization that owns a computer system. That extends to personal liability for all senior management, particularly for the CEO. Hefty personal losses, a tarnished public image, and even corporate probation could occur for those who rely on the old-fashioned single-factor, static password as their primary means of security.
What Should You Do to Prevent This?
Senior management must be informed about the impact of the new Federal Sentencing Guidelines and told that information protection is now considered a management standard. Information systems professionals must realize they are playing on borrowed time with any system that is secured by only single-factor static passwords. At a minimum, they should develop a plan that addresses the inadequacies of their password-only systems by implementing two-factor user authentication. Every operational manager in charge of a major unit (e.g., sales, administration, finance) needs to review the adequacy of their information protection efforts--including security awareness training, policy and procedure requirements, and auditing capabilities--to assure that a "good faith effort" is being made.
Unauthorized computer access has become so easy--and so tempting--in today's networked world that it is virtually inevitable in an organization's lifetime if that organization's networks are not properly protected. The Federal Sentencing Guidelines represent a wake-up call for senior executives and senior management to prepare for a violation, not only to restrict the damage but also to provide the best insurance policy available under the law.
References:
The author, James M. Geary, is Vice President of Marketing & International Sales at Security Dynamics Inc., Cambridge, MA.
The author gratefully acknowledges Sanford Sherizen, Ph.D., president of Data Security Systems Inc., Natick, MA, and noted computer security expert, whose analyses contributed to this report.