§ 7.08 Computer and Information Security Plans

Jurisdiction: United States
Publication year: 2020


[1] Introduction

In order to reduce the risk of becoming the victim of a computer intrusion that can result in the denial of computer service, the loss of confidential information, or exposure of a company to liability, companies should implement a computer and information security program. According to Ernst & Young's Global Information Security Survey 2003, many organizations fail to protect their digital assets adequately through investment in information security. Companies often take no action until they have been the victim of a security breach and then compound their mistake by implementing a temporary "fix" that ignores their core business objectives.

By comparison, "[m]easured, proactive spending is less costly in the long run than reactive spending, which is often overspending in response to an incident."627 Indeed, nearly 60 percent of the organizations that responded to the survey indicated they had never calculated a return on investment for information security spending.

Apart from not implementing comprehensive computer security programs, many companies believe losses caused by security breaches would be covered by their general liability insurance policies. The trend in most decisions, however, is to deny coverage under general liability insurance policies for losses caused by breaches of computer security or by other cyber events, on the ground that damage to or loss of data does not constitute damage to tangible property.

For example, the Fourth Circuit upheld a ruling that computer data and software were not tangible property covered under a general liability insurance policy.628 AOL brought an action seeking a declaration that its insurance company, St. Paul, had a duty to defend against claims brought against AOL alleging that Version 5.0 of its Internet access software had damaged their computers. The policy at issue defined "property damage" as "physical damage to tangible property of others, including all resulting loss of use of that property; or loss of use of tangible property of others that isn't physically damaged."

The court rejected AOL's argument that damage to software is physical damage to tangible property. The court, relying on the usual and ordinary meaning of "tangible"629 and "tangible property,"630 distinguished between the "physical magnetic material" on a computer hard drive that "retains data, information, and instructions," which is tangible property, and the "data, information and instructions, which are codified in a binary language for storage on the hard drive," which is not tangible property:

"Instructions to the computer and the data and information possessed by it are abstract ideas in the minds of the programmer and the user. The switches and the magnetic disks are media, as would be paper and pencil. Loss of software or damage to software thus is not damage to the hardware, but to the idea, its logic, and its consistency with other ideas and logic. Of course, without any code and instructions, the hardware consists simply of millions of electronic switches, circuits, and drives that can be turned on or off but that cannot function as a computer. To a user, such a computer would be 'dead.' But regardless of whether the software is rendered unusable, the hardware remains available for instructions and recording."

By analogy, when the combination to a combination lock is forgotten or changed, the lock becomes useless, but the lock is not physically damaged. With the retrieval or resetting of the combination—the idea—the lock can be used again. This loss or alteration of the combination may be a useful metaphor for damage to software and data in a computer. With damage to software, whether it be by reconfiguration or loss of instructions, the computer may become inoperable. However, the hardware is not damaged. The switches continue to function to receive instructions and the data and information developed on the computer can still be preserved on the hard drive. While the loss of the idea represented by the configuration of the computer switches or the combination for the lock might amount to damage, such damage is damage to intangible property. It is not damage to the physical components of the computer or the lock, i.e., to those components that have "physical substance to the senses."631

Thus, according to the court, since the insurance policy covers "physical damage to tangible property," it does not include damage to computer data.632

The overall goal of such a security plan is to create an understanding among employees that computer and information security is essential to the survival of the company. To accomplish this, at a minimum, the plan should describe the corporation's overall security objectives, identify critical assets, provide for risk assessment, assign employee responsibility and accountability, and plan for disaster recovery (i.e., have a backup plan if systems or data are compromised). It should also provide guidelines on whether to contact law enforcement. Corporate security is a question of balance. Too little security may leave a company vulnerable, but an overemphasis on security may interfere with the company's business. The challenge is to find a balance between security and business.

[2] Types of Attacks

In preparing to meet the danger and risks posed by computer crime, it is essential that organizations first have an understanding of the types of threats that exist and the possible sources of such attacks. The most publicized form of computer crime is where a hacker uses the Internet to attack a company's computer system. While it is true that, since most companies are now connected to the Internet, a hacker will often use the Internet to gain access to a company's computers, a hacker can also launch an attack over a local area network (LAN), or may even gain local access to a computer, which may, in fact, pose the greatest danger to a company.

[a] Internet

Attacks over the Internet involve compromising a machine by using the Internet as a path into a remote host. Some of the more common Internet attacks include the following: (1) coordinated attacks; (2) session hijacking; (3) spoofing; (4) relaying; and (5) Trojan horses or viruses.633

[i] Coordinated Attacks

Unlike conventional crimes in which the participants, generally, have to be in the same place or at least in close proximity to coordinate the commission of a crime, the architecture of the Internet permits users from all over the world to coordinate and perform an attack on a target. This greatly increases the pool of possible accomplices and it makes it far easier for a hacker to find other like-minded persons who do not even have to know each other to coordinate an attack and do not even have to be located in the same country.

[ii] Session Hijacking

In some instances, it is easier for a hacker to sneak in as a legitimate user, rather than break into a system directly. In session hijacking a hacker locates an established online session and then takes over that session from the legitimate user who had gained access and authentication. Once a user is logged on, a hacker can hijack the session and stay connected for several hours—plenty of time to gain additional access or plant backdoors.634
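One defensive pattern that shrinks the window described above (an attacker sitting on a stolen session for hours) is to give every session a short idle timeout, a hard absolute lifetime, a binding to the client that established it, and a fresh token after login or a privilege change. The following Python is an added example written for this page, not code from the treatise or from any product it mentions; the timeout values, the IP-plus-User-Agent fingerprint and the `SessionStore` class are assumptions chosen for illustration.

```python
"""Limit what a hijacked session is worth: short idle and absolute lifetimes,
binding to client attributes, and token rotation.
Added example for this page; not code from the original text."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

IDLE_TIMEOUT = 15 * 60          # seconds without a request before the session ends (assumed value)
ABSOLUTE_LIFETIME = 8 * 3600    # hard cap on session age, active or not (assumed value)


def client_fingerprint(ip: str, user_agent: str) -> str:
    """Digest of attributes the legitimate client presents on every request."""
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()


@dataclass
class Session:
    user: str
    fingerprint: str
    created: float      # epoch seconds; passed in explicitly so the logic is testable
    last_seen: float
    revoked: bool = False


class SessionStore:
    """In-memory store; a real deployment would back this with a database or cache."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str, ip: str, user_agent: str, now: float) -> str:
        # 256 bits from the OS CSPRNG: the token cannot be guessed or predicted.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, client_fingerprint(ip, user_agent), now, now)
        return token

    def validate(self, token: str, ip: str, user_agent: str, now: float) -> str:
        """Return 'ok', or the reason the request was refused; every refusal revokes the session."""
        s = self._sessions.get(token)
        if s is None or s.revoked:
            return "invalid"
        if now - s.created > ABSOLUTE_LIFETIME:
            s.revoked = True
            return "expired"
        if now - s.last_seen > IDLE_TIMEOUT:
            s.revoked = True
            return "idle_timeout"
        if not hmac.compare_digest(s.fingerprint, client_fingerprint(ip, user_agent)):
            # The token arrived from a client that does not match the one it was
            # issued to. Revoke rather than merely refuse, so the session is dead
            # for the attacker and the legitimate user alike (who must log in again).
            s.revoked = True
            return "fingerprint_mismatch"
        s.last_seen = now
        return "ok"

    def rotate(self, token: str, now: float) -> Optional[str]:
        """Re-issue the token (after login or a privilege change) and retire the old one.
        The absolute lifetime is inherited, so rotation cannot extend a session forever."""
        s = self._sessions.get(token)
        if s is None or s.revoked:
            return None
        s.revoked = True
        new_token = secrets.token_urlsafe(32)
        self._sessions[new_token] = Session(s.user, s.fingerprint, s.created, now)
        return new_token


if __name__ == "__main__":
    store = SessionStore()
    tok = store.create("alice", "198.51.100.7", "Mozilla/5.0", 1000.0)  # constructed client
    print(store.validate(tok, "198.51.100.7", "Mozilla/5.0", 1100.0))   # ok
    print(store.validate(tok, "203.0.113.9", "Mozilla/5.0", 1200.0))    # fingerprint_mismatch
    print(store.validate(tok, "198.51.100.7", "Mozilla/5.0", 1300.0))   # invalid (revoked)
```

Binding to the source IP is the strictest choice and will log out mobile or NAT users whose address changes mid-session; many deployments bind to the User-Agent only, or treat an address change as a trigger to re-authenticate rather than a hard revocation. The control that matters most here is that a token seen from a client it was not issued to is revoked, not just rejected, so the several-hour window the text describes closes on the first mismatched request.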

[iii] Spoofing

Spoofing is a term that describes the act of impersonating or assuming an identity that is not the user's. Spoofing takes advantage of the design of many computer systems that are engineered to permit access and communication based on information such as Internet Protocol (IP) addresses.635 The intent of the spoofer is to take advantage of this trust relationship. In the case of Internet attacks, this information can be an e-mail address, a user identification, an IP address, etc. For example, in the case of IP spoofing, a hacker changes his IP address so that he appears to be someone else. Accordingly, when the victim replies to that address, the reply goes to the phony or spoofed address, not the attacker's real address.

[iv] Relaying

In most cases, when a hacker breaks into a network or a computer and launches various attacks like e-mail spoofing, the hacker does not want the attack to be traced back to him. There are several methods that a hacker can use to hide his tracks, including "relaying," in which a hacker relays or bounces his traffic through a third party's machine so that the attack appears to have come from that third party and not from him. This makes it more difficult for the victim company to respond to the attack if it cannot identify the source of the attack. A popular type of relaying involves connecting to another individual's e-mail system and using that user's computer to send e-mail to another party.636
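Because the relay host in the passage above is by definition a third party's machine, the defensive question for a company is twofold: is our own mail server refusing to relay for strangers, and is anyone trying? The following Python is an added example written for this page (not code from the treatise or from any mail product): it parses constructed log lines in the general shape of Postfix `smtpd` rejections and counts "Relay access denied" events per source address, so that a source making repeated attempts can be reviewed. The log lines, addresses and the review threshold are constructed for the example; a live deployment would read its own mail log in its own format.

```python
"""Count refused relay attempts per source address from mail-server log lines.
Added example for this page; the log lines below are constructed, not captured."""
import re
from collections import Counter
from typing import Dict, Iterator, List, Tuple

# Constructed lines in the general shape of Postfix smtpd log output (illustrative).
SAMPLE_LOG = """\
Mar  3 10:01:12 mx1 postfix/smtpd[2114]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 454 4.7.1 <victim@example.net>: Relay access denied; from=<ceo@example.com> to=<victim@example.net> proto=ESMTP helo=<mail.example.com>
Mar  3 10:01:13 mx1 postfix/smtpd[2114]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 454 4.7.1 <victim2@example.net>: Relay access denied; from=<ceo@example.com> to=<victim2@example.net> proto=ESMTP helo=<mail.example.com>
Mar  3 10:01:15 mx1 postfix/smtpd[2114]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 454 4.7.1 <victim3@example.net>: Relay access denied; from=<ceo@example.com> to=<victim3@example.net> proto=ESMTP helo=<mail.example.com>
Mar  3 10:02:40 mx1 postfix/smtpd[2120]: NOQUEUE: reject: RCPT from host7.example.org[198.51.100.23]: 454 4.7.1 <someone@example.net>: Relay access denied; from=<a@example.org> to=<someone@example.net> proto=SMTP helo=<host7.example.org>
Mar  3 10:03:05 mx1 postfix/smtpd[2125]: NOQUEUE: reject: RCPT from unknown[192.0.2.77]: 450 4.1.8 <bad@invalid.test>: Sender address rejected: Domain not found; from=<bad@invalid.test> to=<user@example.com> proto=ESMTP helo=<x>
Mar  3 10:03:30 mx1 postfix/smtpd[2130]: 8F2A1C0012: client=mail.partner.example[192.0.2.10]
"""

# Matches only rejections whose stated reason is a refused relay; other reject
# reasons (bad sender domain, etc.) and accepted connections are left alone.
RELAY_DENIED = re.compile(
    r"RCPT from (?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]: \d{3} [\d.]+ "
    r"<(?P<rcpt>[^>]+)>: Relay access denied; from=<(?P<sender>[^>]*)>"
)


def parse_relay_rejections(log_text: str) -> Iterator[Dict[str, str]]:
    """Yield one record per 'Relay access denied' line: source ip/host, claimed sender, target."""
    for line in log_text.splitlines():
        m = RELAY_DENIED.search(line)
        if m:
            yield m.groupdict()


def relay_attempts_by_source(log_text: str) -> Counter:
    """How many refused relay attempts each source address made."""
    return Counter(rec["ip"] for rec in parse_relay_rejections(log_text))


def flag_sources(log_text: str, threshold: int = 3) -> List[Tuple[str, int]]:
    """Sources at or above the review threshold, busiest first (threshold is an assumed value)."""
    counts = relay_attempts_by_source(log_text)
    flagged = [(ip, n) for ip, n in counts.items() if n >= threshold]
    return sorted(flagged, key=lambda pair: (-pair[1], pair[0]))


if __name__ == "__main__":
    for ip, n in flag_sources(SAMPLE_LOG):
        print(f"{ip}: {n} refused relay attempts")
```

These lines exist only because the server refused to relay; in Postfix that behaviour is governed by `smtpd_relay_restrictions`, whose default of `permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination` refuses relaying for unauthenticated outsiders. A server that has been misconfigured into an open relay accepts the mail and logs no rejection at all, which is why checking that setting comes before writing any detection.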

[v] Trojan Horses

Trojan horses can cause extensive damage because victims are not aware that their system has been compromised. A common type of a trojan horse is an e-mail message that appears benign to the recipient and may even include an enticement...
