Question Regards of Security

Hi, I'm new here, and I have a question in regards of security topics. I have three questions that i need to know, since i dont know much in this topic, maybe some of you guys know what the answer are.

Here are the question;

1. Why is hte amount of involved in computer fraud are soo high, and what is it hard to find the culprit ?

2. Majority of criminal who commited computer fraud were insider, that is an employees of one's organization, what measures should we take to minimize that ?

3. What is the main obstacle in adopting Biometric technology for access control to IS's, and what is the advantage of using password over such technologies ?

I know those threee questions might seem newb, for most of you guys, but those questions confused me a lot. I hope you guys want to help me out and give me your opinion what the answer should be OR maybe give me good sites about all those.

Thank You

 

Hi asd and welcome to Wilders.

1. The amount of money involved is large as almost all monetery transactions are computerized [ie. funds transfer, eftpost, creditcard etc.]
The detection methods are always playing catch up to the various exploits used.


2. Remove access to sensative information to all non-essential employee's, if the buget allows employ a security specialist, Monitor the network usage and log the phone calls, internet conections etc.

3. Biometric technology [finger print recognition etc.] is a growing area of IT security, the main obsticle is cost and employee privacy issues [unions etc]
The benifits over passwords are great, it's alot harder to fake a finger print then to steal/copy a password. Passwords can be cracked/guessed.


Closed networks are a good idea, restricting only the PC's that must have net access, removing all CD drives, floppy drives etc. So that you only have workstations connected to a central server that is easier to monitor.

 

1. The fraudsters know what they are doing; they know the technologies they're dealing with and the methods used to track them down, so they learn how to slip under the radar. The ones that don't aren't around long enough to pose much of a problem.

2. I suppose that depends on what kind of things you are trying to protect. There's a lot of different methods and products for securing different things in different ways. It all depends on what you need to do, what you need to protect, and what you can sacrifice for security (time, money, functionality, etc) Generally speaking, securing your network/restricting access is the first major step (like Sweetie said.)

To ammend what Sweetie was saying, if you are using XP Pro, you should go through the Group Policy Editor (Start > Run: gpedit.msc), you can restrict access to all removable media, further limit access restrictions, and more. Turning on Auditing (in gpedit) can make it easier to track things down when something goes wrong, too. Win2000 has this kind of functionality as well, but it's not as easy.

I agree that it would be a good idea to hire a security expert. To truely answer your questions would require being able to see how your network is structured, how you use it, and what you need to protect.

 

Thank you guys ... That answered me a lot ... Sure .. i'll consider your opinion to try hire security expert for this kind of problem...

 

Answering this kind of questions can be hard, and I salute Sweetie(*)(*) for the neat answers.

There are some neat global information security surveys avalable from kpmg, E&Y and PriceWaterhouseCoopers. Just do a google search:

E & Y 2004
kpmg 2002
pwc 2004

I don't know if you posed the question because you're company is under threat of fraud, or if you're uncertain about that. In that case: it's not only an information security or IT issue. Your organization needs a thorough investigaton. The need for external experts seems high. I don't know from what country you're from and the urgency,so it's hard to point you anywhere else than to the Big Four accountancy firms.

Have an IT auditor check you systems and the alignment between business processes and infosystems.

Do you have a current security policy in order?