THE CPA AND THE COMPUTER
Security and the CPA
By Marc Niederhoffer
More than ever, companies need to commit money and resources to the protection
of their network systems. The 2001 Computer Crime and Security Survey, which included
responses from 538 computer security practitioners in various institutions, contained
some sobering figures:
85% of respondents detected
computer security breaches in the last 12 months.
64% acknowledged financial losses due to the breaches.
35% quantified their losses, a total of almost $400 million.
40% detected system penetration from the outside.
91% detected employee abuse of Internet access privileges.
94% detected computer viruses.
found that U.S. businesses spent only 0.02% of their top-line revenue on data
security and that 75% of business networks are wide open to hacking. Although
smaller companies seldom see themselves as targets, experts say attackers scan
entire networks and view any site as fair game.
A useful way to think of the
Internet is as a series of smaller networks that anyone can access. Corporations
or governments manage many of these smaller networks but no one has overall control.
There are opposing views as to what role the government should play. In the meantime,
nonprofit groups such as the Internet Society (www.isoc.org)
promote the cooperation and coordination of Internet applications and technologies.
Numerous online databases (e.g., www.anywho.com
and www.peoplefind.com) provide access to considerable amounts of information,
at no charge:
Names, addresses, phone numbers
(even many unlisted numbers), fax numbers, and e-mail addresses.
Location maps of any specified address.
High schools and college alumni.
For a fee, more information is available:
Residential addresses going back 10 years
Descriptions of property owned, past and present
Bankruptcies, liens, and judgments
With so much information available online, individuals are right to think they
need to take steps to protect themselves. Internet users should regularly delete
their browser’s history lists and memory caches and use a pseudonym and
alternate e-mail address when posting to newsgroups. They should consider using
an Internet privacy service, such as Zero Knowledge Systems (www.zeroknowledge.com)
or Anonymizer (www.anonymizer.com).
Before entering credit card or similar information into a website, one should
be certain that the website is secure. A secure site’s uniform resource
locator (URL) will begin with “https” instead of “http.”
Businesses need to safeguard the company’s networks, workstations, e-mail
systems, and software. A substantial loss in any of these areas could have a material
effect on the value of the company’s goodwill. Properly designed safeguards
will protect business data, customer lists, employee identities, bank data, proprietary
information, account numbers, and financial assets.
Security Threats and
Networks need to be protected from both outsiders (hackers and
crackers) and insiders (employees and other individuals with access to the network).
The industry defines hackers as individuals with extensive computing knowledge
that look for internal and external system holes, some for fun, others for a purpose.
Crackers are individuals that try to break into a system by guessing or cracking
user and system passwords. There are a variety of ways a hacker can attack a computer
Denial of service attacks prevent legitimate
users from entering a website. The most famous was the 1998 “Ping of Death”
attack that crashed a wide variety of machines at several large public companies.
Distributed denial of service attacks happen when a hacker
uses multiple computers to overload a network’s bandwidth. Yahoo was recently
shut down by such an attack.
Denial of access
to applications occurs when a hacker overwhelms a computer with requests for a
Viruses, one of the best known forms
of attack, rely upon destructive programs that infiltrate networks and workstations.
These attacks can bring systems down by damaging information and preventing software
from operating correctly. Recent viruses include Code Red, Love Bug, and the Love
Hackers use the following tools
to enter networks:
Trojan horse programs allow
hackers to enter a network through the e-mail system. When an infected e-mail
is opened, the hacker’s program can be executed.
Footprinting occurs when the hacker obtains information about a computing environment,
such as its IP address or domain, server, and Internet names.
Creating a secure network begins with the network architecture, which should
include the following:
of which passwords are the most common. Password policy should specify that passwords
based on actual words or names are not allowed. Strong passwords, which use upper
and lower case letters along with numbers, are recommended.
Encryption transforms an electronic message so that only a proper encryption key
can decrypt it. The main types of encryption are private key encryption, which
uses one key to encrypt or decrypt information, and public key encryption, which
uses two different keys. Although public key encryption provides greater security,
it is slower and costs more to maintain. The best approach is to use a public
key to exchange keys and authenticate the connection and a private key to encrypt
The proxy server can be a software
or hardware package that provides security by having the server look like the
originator of the point of request of information. It resides between the Internet
and a company’s internal network. Proxy servers have high administrative
requirements in larger networks.
hardware or software that act as a protective barrier around an internal network.
They keep track of connections and analyze incoming information and accept them
if they are in direct response to an active session. Certain types of firewalls
require skilled personnel to maintain them. Firewalls usually reside first in
the network design and are particularly important for high-speed, always-on connections.
Routers, somewhat similar to firewalls, allow or deny traffic
to their intended destination based on packet-level information.
A “demilitarized zone” is an area of a company’s
network that is separate from the local area network (LAN). This design allows
the company to set permissions for the web server and lock down the rest of the
A “dead zone” is a network
segment between two routers that is not running the TCP/IP (transmission control
protocol/Internet protocol) suite.
software, which should be updated regularly.
With the advent of the home office, many companies are creating virtual private
networks (VPN), which are used to communicate with remote sites, usually over
private leased phone lines. Information is kept secure, but the system is expensive
and slow. The current trend is to move the VPN to network lines; however, they
need to be properly designed to keep the information from being available through
Setting Security Policy
A company security policy should
establish employees’ use of the following:
E-mail, including a description of what messages can come in and go out (e.g.,
whether all incoming mail with executable attachments from unlisted e-mail addresses
Internet use (e.g., whether hosting
a personal website or usenet group is permitted)
Use of the company’s computers and network for playing games or storing
Use of business data (e.g.,
what information is and is not available for employees’ use).
The policy should define acceptable behavior and provide for adequate training
and a method of monitoring adherence.
systems fall into two basic categories.
internal detection systems (HIDS), whereby the HIDS reside on a particular host
and look for indication of an attack on that host.
Network-based internal detection systems (NIDS), where the NIDS reside on a separate
system that watches network traffic, looking for indications of an attack that
traverses that portion of the network.
an NIDS can be more cost-effective, an HIDS may be more appropriate for organizations
more concerned about legitimate information than about hackers.
Additional Reading (sidebar)
Marc Niederhoffer, CPA, is a partner
of Buchbinder Tunick & Co. LLP, and a member of the NYSSCPA Emerging Technologies
Paul D. Warner, PhD, CPA
Murphy Smith, DBA, CPA
Texas A&M University
CPA Journal is broadly recognized as an outstanding, technical-refereed publication
aimed at public practitioners, management, educators, and other accounting professionals.
It is edited by CPAs for CPAs. Our goal is to provide CPAs and other accounting
professionals with the information and news to enable them to be successful accountants,
managers, and executives in today's practice environments.
CPA Journal. Legal Notices
Visit the new cpajournal.com.