Accounting and Intrusion Detection In a report issued by Paladin Technologies, Inc., entitled: "Security Metrics: Providing Cost Justification for Security Projects," 273 organizations were surveyed on the topic of security. The report illustrates in quantifiable terms the depth and reach of intrusion detection on the financial viability of the organization. The combined reported losses from the firms surveyed totaled $265.6 million in 1999. The highest loss categories were reported as follows:

Type of Loss

Estimated Dollar Value

Number of Respondents

Theft of intellectual capital

m

Financial Fraud

m

Sabotage

m

The average annual financial loss of firms surveyed was estimated at $40 million. Forty three percent of respondents were able to quantify financial losses, and seventy four percent were able to acknowledge financial loss. Ninety percent detected cyber attacks within the most recent twelve-month period and seventy percent reported serious breaches other than viruses, laptop theft, and employee abuse of net privileges. As for these categories, six hundred and forty three security professionals were surveyed regarding the types of attacks that they had identified or encountered. Of these, 25% identified external penetrations

27% identified denial of service attacks

85% detected computer viruses

79% detected employee abuses of Internet privileges (pornography access, downloaded pirated software, etc.)

In order to view these statistics in context, among those surveyed, 93% have www.sites:64% reported web site vandalism

43% conduct e-commerce: 60% of these reported denial of service

19% suffered unauthorized access or misuse in the last twelve months

32% did not know if there had been unauthorized access or misuse

35% acknowledged more than one incident

19% reported more than ten incidents

8% reported theft of transaction information

3% reported financial fraud

Losses of a financial nature are most likely to be immediately recognized by the accounting function. For public companies, direct fluctuations in stock price, financial fraud, declines in profitability and increases in expense levels will command the attention of accounting staff (as well as the CEO!). In addition, unauthorized access to sensitive financial data, such as levels of executive compensation, profit margins and financial forecasts could be disastrous to the reputation of an organization.

Effect of Intrusion Detection on the Accounting Structure

Intrusion detection poses various classes of threats to information security, each with their own types of ramifications. Among them are:

Disclosure (Snooping i.e., passive wiretapping and monitoring of communications)

Disclosure can result in the release of private information to various public sectors. An early release of financial results, real or false, could cause stock prices, for instance, to plummet. Depending on the situation, if released figures fall short of previously published forecasts, investors may withdraw funds, consumers may not invest in the stocks of the company, and products sales could even be affected.

Deception/Disruption

Modification (an example of passive wiretapping where the attacker injects something into a communication or modifies parts of the communication, sometimes called alteration)

Intercepting communications can have many adverse ramifications for a company. Internal communications can contain information regarding trade secrets, product secrets, competitive secrets, strategy and tactics, marketing plans, productions plans, and more. If this information is leaked to competitors and/or consumers, it can alter sales dramatically and have a lasting and irreversible impact on an organization's profitability.

Spoofing (delegation, whereby one asserts authority for another to act as an agent.)

Spoofing is when authority is delegated, either voluntarily or fraudulently, for one person to represent another. This often involves gaining access to that person's available resources. For instance, if the human resources manager is on vacation, and the assistant manager has obtained his or her password and has gained access to the files containing the lists of executive compensation. The assistant manager is not very good at keeping such secrets, and leaks the information to other people in the department. Soon, the information is circulating company-wide and beyond the organization's walls.

Denial of receipt

Conversely, the human resources manager may be trying to access the executive compensation file in order to process a quarterly bonus payment, but finds himself "locked out" of that directory for no apparent reason. The H.R. manager is on a deadline and it is now an emergency.

Usurpation

Delay

The delay of access can be as deadly to productivity as denial. Any process that slows down, is bogged down, or fails to deliver in a timely manner is costly. An example is when a system is running concurrent processes...

Certainly if an inordinate number of processes were submitted to the server at the same time it would be relatively easy to bog down the system. Or perhaps the customer service department is processing payments during the busy season, a priority activity, while the accounting department is processing financial reports for the CEO in preparation for an important board meeting, an equally important activity. Because of the sheer volume of payments, the CEO's request is tied up in queue.
Denial of Service (can be due to an attack or can be related to limits on resources. Inability to access is a security problem whether the origin is intentional (attack) or not.

When a denial of service attack is truly an attack, it would be characterized by the fact that nothing would be getting processed as opposed to having to wait an extraordinary amount of time. Also the number of requests to the system would be in abnormal proportions. A true denial of service attack would be intended to disable resources entirely and is insidious in nature.

The Role of Accounting in Intrusion Detection

When we think of intrusion detection, we don't often equate it with accounting. In most organizations, the accounting function is separate and apart from the information technology function. They have long since been considered different animals, but this is far from the truth. The impetus for the separation of functions is paved with solid reasoning and good intentions. It has been thought dangerous to allow a person or persons too much knowledge in more than one area of cross-functionality, as the potential for abuse becomes greater. When an employee has knowledge of the internal procedures of not one but two or more key operational departments, the access levels multiply exposure risk. Hence information technology and accounting lived at opposite ends of the corporate spectrum, and spoke to each other only when spoken to.

This stereotype is often painfully misunderstood and only reconciled in a costly, clean-up manner. Accounting is concerned with everything that touches money. And, regardless of what industry the business is in, at the end of the day its main goal in life, its sole purpose is profit. The technical infrastructure on which any organization operates is intrinsically intertwined with its financial viability. Accounting should be aware, at a minimum, of the risk for exposure inherent in its financial systems. Accounting should be cognizant of the necessary policies and procedures to prevent unauthorized access to sensitive financial data. In addition, other departments should be aware of the information that accounting is able to provide in the way of supporting material for analysis and cost justification models. Accounting has a present and historical record of the organization's resources and can provide accurate monetary values for those resources when called upon. In addition, when another department is considering an expansion, a security system or a measure that impacts the organization financially, accounting can provide subject matter expertise in contributing to the analysis.

Many companies consider accounting and finance one in the same. For the accounting aficionado, they are slightly different. Imagine the analogy which states that finance is the act of cooking a meal whereas accounting represents the ingredients that go into preparing that meal. Or to expound on the accounting analogy, accounting, like cement, is the foundation that must be poured before building a house. Accounting, then is the input for finance. And from the financial perspective, the only business we are or should be in is the business of making money. In order to effectively maximize profitability, the risk/reward relationships of a firm's technology choices must be closely scrutinized.

Traditionally, the function of accounting has been to record transactions that have already occurred for the purpose of financial reporting. The accounting structure, however is more complex. It consists of a system of checks and balances, and a policy framework that must be designed to protect some of the corporation's most sensitive and valuable information. Once accomplished through paper ledgers and journals, accounting today is done on computer systems, systems that are vulnerable to attack. The ramifications of security vulnerabilities, particularly with regard to accounting systems, are vast. While publicly held companies publish their financial position openly, any unwelcome early release of these figures can be detrimental to stock prices and company valuation, indeed its very viability. Misinformation can be equally dangerous and costly. Privately held companies are usually constructed this way in part because of the desire to keep financial records closely held, and unavailable to competitors.

For these reasons and more, accounting departments have become much more sophisticated than the days of recording debits and credits. Today, accounting involves more analysis and cost-based decision making. The accounting department will often be called upon to participate in cost benefit analysis, vendor selection and implementation of financial systems as well as decision making, budget approvals and oversight…