Can S.K.R.A.M. Support Quantified Risk Analysis of Computer Related Crime?


By Steve Frank

In Partial Fulfillment of the Requirements in the Honors Research Class at the Rochester Institute of Technology

February, 2003

Abstract

According to some computer security specialists, a good approach to understanding and deterring computer and computer-related crime is achieved through understanding the skills, knowledge, resources, authority, and motive of a suspected offender. By carefully examining a particular suspect’s resume and past using the S.K.R.A.M. model, it is possible to determine his or her potential for committing a computer or computer-related crime and to estimate the relative severity of an attack.


Chasing the Computer Criminals

Information security has become a top priority for businesses, governments, and homeowners alike. It is with little surprise that as the Internet and computer usage throughout the world expand rapidly, accounts of computer crime rise as well. Catching computer criminals and preventing computer crimes, however, remains a very difficult task for both law enforcement and corporations. This is due in large part to the fact that computer crime is constantly evolving (McQuade, 1998). Computer crime is difficult to fight because the methods, tools, and even the criminals themselves are constantly in flux. This constant evolution of computer crime serves as a barrier to understanding the true nature and extent of computer crime incidents. Even today, records of the extent of damages and the number of incidents remain inadequate and uncalculated. Even though the security community knows that computer crime is a costly and dangerous affliction to business, government, and citizens alike, it is kept busy playing catch-up and responding to computer crime incidents as they happen. By remaining in this reactive mode, the security community allows the “bad guys” to stay ahead of the “good guys” despite intensive efforts to develop preventative and other measures to counter criminal techniques (McQuade, 2002). Ronald Mendell, in his book Investigating Computer Crime, states that “… law enforcement must adapt existing investigative techniques to the demands of ‘cyberspace’” (Mendell, 1998, p. V). One such method of investigating and preventing crime is criminal profiling, in which an investigator tries to piece together the background and characteristics of a suspect. Criminal profiling gives investigators the priceless knowledge of the qualities and mindset of a criminal capable of committing a crime. With such knowledge, investigators can narrow their investigations to a subset of likely candidates, as well as decide how to apply investigative resources in order to prevent and control future crimes. Indeed, profiling models can be used for “program planning, budgeting and deployment of resources, evaluating services, measuring the… impact of legislative policy changes, and enhancing accountability through standardization” (Champion, 1994, p. 27). Before a criminal profiling model can be designed and utilized, the criminals that it is designed to analyze must be identified. Jonathan Rusch said that “law enforcement… will need to continue devising and applying methods to investigate and prosecute Internet [criminals] faster than criminals can adapt to those methods” (Rusch, 2002). The question remains, however: just how can legislative controls or an investigative paradigm prevent computer crime if legislators and investigators do not understand where computer criminals come from or how they operate? If security professionals are unable to accurately identify the threats they face, how can they protect against harm? Is it possible to adopt criminal profiling in the prevention and control of computer crime? Donn Parker (1998) developed the S.K.R.A.M. model to assess potential threats posed by computer criminals. “Overall, the greatest potential threats to our information systems come from those individuals or groups… that possess the skills, knowledge, resources, authority, and motivation to abuse or misuse information” (Parker, 16). Hence, understanding the skills, knowledge, resources, authority, and motivation of a suspect provides a framework for profiling his or her ability to commit a computer or computer-related crime. Parker’s research provides a baseline for understanding what type of person is potentially dangerous based on identifying their motive, opportunity, and means.
Is there a way to operationally apply SKRAM to threat assessments, and quantify risk analysis of computer-related crime?

Breaking Down the SKRAM Model

In order to answer this question, it is first necessary to understand the individual components of the SKRAM model. Parker describes the SKRAM model as a summation of a suspect’s alleged skill, knowledge, resources, authority, and motivation (Parker, 1998, pp. 136 – 138).

Skills: The first component of the SKRAM model, skills, relates to a suspect’s proficiency with computers and technology. To determine the level of a suspect’s proficiency and skills, an investigator can start by examining that suspect’s work experience. Typically, those who are proficient with computers commit computer crimes. Technical training in networking, hardware, software packages, operating systems, security systems, software development, databases, and systems administration are all key areas that should be examined by an investigator.

Knowledge: At first glance, knowledge seems to closely resemble skills. Unlike skills, however, knowledge is a more general measure of the specific data acquired by a suspect that is critical for accomplishing the computer crime attack in question. Knowledge includes a suspect’s ability to plan and predict the actions of his or her victims, familiarity with the target’s computing infrastructure, and a firm idea of what he or she is after. Investigators should try to identify who has the infrastructure-specific knowledge to carry out the computer crime being investigated.

Resources: A skilled and knowledgeable suspect might not be able to commit a crime if he or she does not possess the required resources. Resources include both the physical components and the contacts a suspect has at his or her disposal. When examining a suspect’s resources, investigators should not overlook a suspect’s business partners, club members, and network of friends if they can be identified.

Authority: Authority is a measure of a suspect’s access and control over information required to commit a crime. A suspect might be the primary administrator over vital information such as password files and therefore have an easy time committing a crime using that information. Investigators must determine a suspect’s relationship to the data needed to accomplish a computer crime.

Motive: All the technical skills in the world might not be enough to indicate that a particular suspect committed a computer crime. Independent of technical skill and knowledge, motivation is perhaps the most important overall criterion to evaluate. Possible motives could include emotional, social, political, or economic gains. Highly motivated criminals might be able to convince other, more technically adept criminals to help them carry out a crime. It has been suggested that investigators look for abnormalities including: “Excessive absenteeism or unwarranted overtime, persistent late arrival for work, sudden low-quality and low-production output, complaints, [and] putting off vacation” (Duyn, p. 102).

Data Gathering and Methodology

To date there is no known working model for quantifying a person’s potential threat based on their skill set and motivation to commit crime. However, Parker’s model establishes a foundation of attributes and qualities that can potentially be examined through profiling techniques, and thereafter be compared between suspects. To test this hypothesis, the author retrospectively applied SKRAM to an adjudicated computer crime case. This is an appropriate research methodology because case studies have been used to analyze historical events, people, institutional policies, and social environments, inclusive of criminal behaviors (Bryman, p. 48). Case studies are valuable for testing the validity of a hypothesis and developing models (Bryman, p. 49). In the case of a quantified risk assessment tool, the case study will help determine the accuracy and validity of its ability to predict dangerous threats. Applying a quantified risk assessment model to adjudicated cases will provide information about the model’s retrospective utilization as a diagnostic tool, and provide insight for further research into its potential utilization for threat prediction. To quantify the skills, knowledge, resources, authority, and motivation of a suspect, the case was analyzed for information about the suspect’s demonstrated level in each of these areas. For example, if a suspect in the case worked with programming languages and database programs that were used or affected during the incident, he or she would be assigned points for possessing the skill criteria needed to accomplish the crime. Similarly with motivation, if the suspect had a grievance with the company or the direct potential to profit from the attack, points would be assigned. This objectively determines whether the suspect had the technical ability to accomplish the crime and the necessary opportunity to accomplish the attack, as well as how intensely motivated he or she was. The basic SKRAM criteria were expanded into 16 specific risk assessment criteria. Criteria 1 through 3 directly assess a suspect’s demonstrated skill set in the technologies used to accomplish the computer crime being investigated.
Criteria 4 through 6 deal with the suspect’s knowledge of the infrastructure compromised or utilized during the attack. Criteria 7 through 11 assess the suspect’s authority and access to the systems and information involved in the crime. Criteria 12 through 16 identify the suspect’s potential motives to commit the computer crime. To avoid the dilemma of arbitrarily assigning values that could skew the results of a suspect’s SKRAM level, points were assigned on a 1 or 0 basis according to behavioral evidence deduced from the analysis of the case study records. Only the criteria that match both the method of the crime and the suspect’s skill set were evaluated. Collectively, these criteria form an investigative baseline for evaluating a suspect’s potential for committing a given computer crime. Table 1 shows the risk assessment criteria with their corresponding point values.

Table 1: SKRAM-Based Risk Assessment Criteria

Number | Criteria | Points Awarded
1 | Suspect uses the skill(s) needed for the attack | 1 point per skill used
2 | Suspect demonstrates advanced knowledge of the skill(s) needed for the attack | 1 point per expertise identified
3 | Suspect has formal education in the technologies or methods used in the attack | 1 point per technology
4 | Suspect has knowledge of the affected system infrastructure(s) | 1 point if yes
5 | Suspect works with the affected system(s) regularly | 1 point if yes
6 | Suspect is familiar with the operating system/environment of affected system(s) | 1 point if yes
7 | Suspect has direct access to the affected system(s) | 1 point if yes
8 | Suspect has direct access to programs needed for the attack | 1 point per program match
9 | Suspect has managerial role over those who could perform attack | 1 point if yes
10 | Suspect knows/has the permissions/security access needed to perform attack | 1 point if yes
11 | Suspect has knowledge of the affected system(s) networking environment | 1 point if yes
12 | Suspect has identifiable monetary benefit(s) from attack | 1 point per match
13 | Suspect has identifiable grievance(s) with the owner(s) of the targeted system(s) | 1 point per match
14 | Suspect shows no concern/grievance with loss incurred from attack | 1 point if yes
15 | Suspect has plans for leaving the company/institution of the targeted system(s) | 1 point if yes
16 | Suspect has had previous behavioral problems/policy violations | 1 point if yes
| Total Points |

The SKRAM-based risk assessment model has a base of 16 separate point categories. A suspect can acquire more than 16 points by having multiple motivations or by being technically skilled in more than one relevant area. A low overall SKRAM assessment would fall within the range of 0 to 5 points. A medium-risk suspect would have a risk assessment value in the range of 6 to 11 points. A high-risk individual would have a risk assessment value of 12 or more points.

Examining an Adjudicated Case Study

In order to test the threat assessment model’s ability to predict and measure computer crime, an adjudicated case study of a computer crime incident was requested from the Monroe County Sheriff’s Department Computer Crime Unit. Although substantial information was redacted from the record, the essential facts of the case are as follows: A suspect accessed computer materials on a network terminal that were sensitive and confidential in nature. Discovering a vulnerability in the network, the suspect gathered sensitive data in order to scare the administration of the network into hiring him as a computer security technician. The suspect sent a threatening note to the administration demanding to be hired, or he would make his findings public and notify the other patrons of the company. Concerned by the suspect’s attitude and threats, the company agreed to meet with him. During their meeting the suspect showed the company how he was able to gain unauthorized access to the materials. He again threatened to tell other patrons that he had their sensitive and confidential information unless he was hired for a position at the company. A representative of the company informed the police about the unauthorized acquisition of classified data and the extortion plot. The company’s administration stated that they knew the suspect was a regular user of the computer network with direct access to the machines used in the attack. Having acquired the facts of the computer crime incident, the threat assessment model was applied to the case to determine the suspect’s potential threat risk, albeit retrospectively. The case evidence shows that the suspect used the skills needed for the attack by demonstrating his method of breaking into the network to the administrators. The case did not mention what skills were needed for the attack, however, nor did the records supply sufficient information to determine the suspect’s formal educational record or expertise in the skills used for the attack. The case records did not specify the number of skills used in the attack, so the suspect was only assigned 1 point for criterion #1 in Table 2. Because no information on education and technical expertise could be identified, no points were assigned to criteria #2 and #3 in Table 2. The suspect showed knowledge of the networking infrastructure of the affected systems and was awarded a point for criterion #4. The administrator of the network, in his deposition to the police, identified the suspect as a regular user of the computer systems. This means the suspect worked with the systems directly on a regular basis, and he was awarded a point for criteria #5 and #7. The suspect was assigned 1 point for criterion #6 because he used the computer systems often and had a strong understanding of the environment and operating systems used. Police records did not provide information about the programs used in the attack, however, so he was not assigned a point for criterion #8. The suspect was not in a position of authority or managerial control over others who had influence over the system, and therefore was not awarded a point for criterion #9. The suspect did show knowledge of the security and permission structures needed to access the confidential files, as well as knowledge of the affected system’s network environment. A point, therefore, was awarded for criteria #10 and #11. The case study provided an important clue to the suspect’s monetary motivation.
The evidence documented in the case report mentioned a grievance between the suspect and the administration because the suspect was not hired as a security professional. This evidence shows that the suspect had a clearly identifiable monetary benefit from committing the attack. Because of this, the suspect was assigned a point for criteria #12 and #13. By threatening the administration with going public about the security holes, the suspect showed that he had no concern for the actual loss the company would endure from his going public, and he was assigned 1 point for criterion #14. The case study did not mention previous behavioral problems of the suspect or any plans of leaving his current place of employment, so no points were assigned to criteria #15 and #16. Table 2 shows the summation of the suspect’s SKRAM as determined by careful review of the case study.

Table 2: Criteria (SKRAM)

Number | Criteria | Points Awarded
1 | Suspect uses the skill(s) needed for the attack | 1
2 | Suspect demonstrates advanced knowledge of the skill(s) needed for the attack | 0
3 | Suspect has formal education in the technologies or methods used in the attack | 0
4 | Suspect has knowledge of the affected system infrastructure(s) | 1
5 | Suspect works with the affected system(s) regularly | 1
6 | Suspect is familiar with the operating system/environment of affected system(s) | 1
7 | Suspect has direct access to the affected system(s) | 1
8 | Suspect has direct access to programs needed for the attack | 0
9 | Suspect has managerial role over those who could perform attack | 0
10 | Suspect knows/has the permissions/security access needed to perform attack | 1
11 | Suspect has knowledge of the affected system(s) networking environment | 1
12 | Suspect has identifiable monetary benefit(s) from attack | 1
13 | Suspect has identifiable grievance(s) with the owner(s) of the targeted system(s) | 1
14 | Suspect shows no concern/grievance with loss incurred from attack | 1
15 | Suspect has plans for leaving the company/institution of the targeted system(s) | 0
16 | Suspect has had previous behavioral problems/policy violations | 0
| Total Points | 10

The suspect scored 10 points out of the base 16 points. Note that some of the criteria, such as “Suspect uses the skill(s) needed for the attack,” can award multiple points. In this scenario, the case study did not provide detailed information about the programs used in the attack, other than acknowledging that the suspect had the skills required to perform the attack. Some of the criteria, such as formal education and advanced knowledge, might also have applied to the suspect, but could not be determined from the evidence available in the case study. This means that the suspect could potentially have a higher score than is noted. Nonetheless, the suspect scored points in a majority of the SKRAM elements and overall could be regarded as a “medium” risk suspect before, during, or after an investigation. When applying the SKRAM model retrospectively to adjudicated cases of computer crime incidents, the results can only be as accurate as the evidence contained in the police reports. If the SKRAM model is to be a successful preventative profiling tool, then investigations into a suspect’s threat risk must include information about the suspect’s education and known past behaviors. Because gathering information about a suspect’s behaviors, educational experience, and motivations requires considerable effort and expense in most instances, the expanded SKRAM model presented here will be more effective at determining insider threats. Outsider threats that cannot be identified and analyzed readily from employment records and other similar records will not yield a detailed or accurate threat assessment.
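The scoring rules of Table 1, the risk bands given above, and the Table 2 case evaluation can be carried through in a small scorer. The following is an added example written for this page, not code from the paper or from Parker; it encodes the 16 criteria and the 0–5 / 6–11 / 12+ bands exactly as the paper states them, and adds one thing the text only discusses in prose: a criterion whose evidence is simply absent is scored 0 but reported separately, so the analyst can see that the total is a floor rather than a final value. The `CASE_STUDY` dictionary is the author's reading of Table 2 and the surrounding discussion (criteria 2, 3, 8, 15 and 16 are marked undetermined because the text says the records were silent on them); the function and field names are the author's own.

```python
"""Added example (not from the paper): a scorer for the expanded SKRAM criteria."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Table 1 of the paper: criterion number, description, and whether it is scored
# once ("yes") or once per matching item ("per").
CRITERIA = {
    1: ("Suspect uses the skill(s) needed for the attack", "per"),
    2: ("Suspect demonstrates advanced knowledge of the skill(s) needed for the attack", "per"),
    3: ("Suspect has formal education in the technologies or methods used in the attack", "per"),
    4: ("Suspect has knowledge of the affected system infrastructure(s)", "yes"),
    5: ("Suspect works with the affected system(s) regularly", "yes"),
    6: ("Suspect is familiar with the operating system/environment of affected system(s)", "yes"),
    7: ("Suspect has direct access to the affected system(s)", "yes"),
    8: ("Suspect has direct access to programs needed for the attack", "per"),
    9: ("Suspect has managerial role over those who could perform attack", "yes"),
    10: ("Suspect knows/has the permissions/security access needed to perform attack", "yes"),
    11: ("Suspect has knowledge of the affected system(s) networking environment", "yes"),
    12: ("Suspect has identifiable monetary benefit(s) from attack", "per"),
    13: ("Suspect has identifiable grievance(s) with the owner(s) of the targeted system(s)", "per"),
    14: ("Suspect shows no concern/grievance with loss incurred from attack", "yes"),
    15: ("Suspect has plans for leaving the company/institution of the targeted system(s)", "yes"),
    16: ("Suspect has had previous behavioral problems/policy violations", "yes"),
}

# Risk bands as stated in the paper: 0-5 low, 6-11 medium, 12 or more high.
BANDS = [(0, 5, "low"), (6, 11, "medium"), (12, None, "high")]


@dataclass
class Assessment:
    total: int
    band: str
    undetermined: List[int]  # criteria with no evidence either way; total is a floor


def criterion_points(number: int, evidence: Optional[int]) -> int:
    """Points for one criterion. `evidence` is the count of matching items
    (skills, programs, motives, ...) or None when the record is silent."""
    if number not in CRITERIA:
        raise ValueError(f"unknown criterion {number}")
    if evidence is None:
        return 0
    if evidence < 0:
        raise ValueError("evidence count cannot be negative")
    _, mode = CRITERIA[number]
    if mode == "yes":
        return 1 if evidence else 0  # 1-or-0 criterion; never more than one point
    return evidence  # "per match" criterion; one point per matching item


def risk_band(total: int) -> str:
    """Map a total to the paper's low / medium / high bands."""
    for low, high, name in BANDS:
        if total >= low and (high is None or total <= high):
            return name
    raise ValueError("total must be non-negative")


def assess(evidence: Dict[int, Optional[int]]) -> Assessment:
    """Score all 16 criteria. A criterion missing from `evidence` or set to None
    is undetermined: it scores 0 and is listed so the analyst knows the
    total could rise if the missing records were obtained."""
    total = 0
    undetermined = []
    for number in CRITERIA:
        value = evidence.get(number)
        if value is None:
            undetermined.append(number)
        total += criterion_points(number, value)
    return Assessment(total, risk_band(total), undetermined)


# Author's encoding of Table 2: 1 = point awarded, 0 = evidence showed the
# criterion did not apply, None = the case records gave no information.
CASE_STUDY = {1: 1, 2: None, 3: None, 4: 1, 5: 1, 6: 1, 7: 1, 8: None,
              9: 0, 10: 1, 11: 1, 12: 1, 13: 1, 14: 1, 15: None, 16: None}

if __name__ == "__main__":
    result = assess(CASE_STUDY)
    print(f"SKRAM total {result.total} ({result.band} risk); "
          f"undetermined criteria: {result.undetermined}")
```

Running the block reproduces the paper's result of 10 points, a medium-risk band, and flags criteria 2, 3, 8, 15 and 16 as undetermined. Distinguishing "evidence says no" (criterion 9) from "no evidence" (criteria 2, 3, 8, 15, 16) is the point of the `None` value: it is what lets an investigator decide which records are worth obtaining before treating a medium score as final.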

Conclusions and Recommendations for Further Research

The SKRAM model provides the necessary framework to support a quantified threat assessment model. It should be noted, however, that the expanded model above does not attempt to weight or independently validate the individual criteria. This research serves as an initial attempt to turn the SKRAM model into a functional threat assessment tool. The suspect in the case study met the majority of the SKRAM criteria, and could potentially have scored higher if more detailed facts about the suspect’s behaviors had been available. An important implication of this research is the need for better record keeping and background investigations into computer crime incidents and suspects by investigators and employers. This would provide the data needed to support research and thereby enhance understanding of computer crime attacks and attackers. On the other hand, investigators collect sufficient facts for their own purposes and cannot be expected to systematically support research directly for its own sake. Yet again, a functional threat assessment model that could identify potential threat risks can only be as accurate as the information investigators gather about their suspects and employees. To better understand the accuracy and utility of the expanded SKRAM model as a threat diagnostic tool, more research should be conducted against documented cases of computer crime incidents. Further research should investigate the utility of the SKRAM model as both a retrospective analysis tool and as a profiling tool for identifying threats inside an organization. By examining more cases, the criteria used in the SKRAM model could be fine-tuned and amended. This research would provide more concrete data on the accuracy of the model. Research should address the utility of the SKRAM model as it is applied to insider threats compared to outsider threats. The model could be applied to current investigations of computer crime incidents by identifying the suspects who score high. Identifying high-risk individuals serves as a way to better allocate time and resources during investigations among multiple suspects. According to Jay Bloombecker (1986), there are several strategies for securing information, including: computer-based security, physical access, management techniques and practices, legal controls and deterrents, and ethical norms. Further research could fine-tune the extended SKRAM model’s quantification of each of these areas. According to the Computer Crime: A Criminal Justice Resource Manual (1979), the results of an analysis of employees based on skills and knowledge would be different for each organization due to differing controls and policies.
Additional research that compares an employee’s potential to commit a crime in various security environments could be used to determine which collection of controls is the most effective deterrent of computer crime.

References

Bequai, August. Computer Crime. Lexington, Massachusetts: Lexington Books, 1978.

Bloombecker, Jay, ed. Computer Crime, Computer Security, Computer Ethics. National Center for Computer Crime Data, 1986.

Champion, Dean J. Measuring Offender Risk: A Criminal Justice Sourcebook. Westport, Connecticut: Greenwood Press, 1994.

Duyn, J. Van. The Human Factor in Computer Crime. Princeton, New Jersey: Petrocelli Books, 1985.

McKnight, Gerald. Computer Crime. Walker Publishing Company, USA, 1974.

McQuade, Sam. Towards a Theory of Technology-enabled Crime. George Mason University, 1998.

Mendell, Ronald L. Investigating Computer Crime: A Primer for Security Managers. Springfield, Illinois: Charles C Thomas, 1998.

National Criminal Justice Information and Statistics Service, U.S. Department of Justice. Computer Crime: A Criminal Justice Resource Manual. SRI International, 1979.

Parker, Donn. Fighting Computer Crime: A New Framework for Protecting Information. New York, New York: John Wiley & Sons, 1998.

Rusch, Jonathan. The Rising Tide of Internet Fraud. 3 April, 2002. <http://www.cybercrime.gov/usamay2001_1.htm>

Sam McQuade, Professor of Computer Crime, Rochester Institute of Technology, class lecture and personal communication, Rochester, New York, March 2002.

Sterling, Bruce. The Hacker Crackdown: Law and Disorder on the Electronic Frontier. New York, New York: Bantam Books, 1992.

Van Tassel, Dennis. Computer Security Management. Englewood Cliffs, New Jersey: Prentice-Hall, Inc., 1972.
