Unauthorized Modification of Data and Software

Because LAN users share data and applications, changes to those resources must be controlled. Unauthorized modification of data or software occurs when unauthorized changes (additions, deletions or modifications) are made to a file or program.

When undetected modifications to data are present for long periods of time, the modified data may be spread through the LAN, possibly corrupting databases, spreadsheet calculations, and other various application data. This can damage the integrity of most application information.

When undetected software changes are made, all system software can become suspect, warranting a thorough review (and perhaps reinstallation) of all related software and applications. These unauthorized changes can be made in simple command programs (for example in PC batch files), in utility programs used on multi-user systems, in major application programs, or any other type of software.

They can be made by unauthorized outsiders, as well as those who are authorized to make software changes (although the changes they make are not authorized). These changes can divert information (or copies of the information) to other destinations, corrupt the data as it is processed, or harm the availability of system or LAN services.

PC viruses can be a nuisance to any organization that does not choose to provide LAN users the tools to effectively detect and prevent virus introduction to the LAN. Currently viruses have been limited to corrupting PCs, and generally do not corrupt LAN servers (although viruses can use the LAN to infect PCs). [WACK89] provides guidance on detecting and preventing viruses.

The unauthorized modification of data and software can occur by exploiting the following types of vulnerabilities:

  • Write permission granted to users who only require read permission to access
  • Undetected changes made to software, including the addition of code to create a trojan horse program
  • Lack of a cryptographic checksum on sensitive data
  • Privilege mechanism that allow unnecessary write permission
  • Lack of virus protection and detection tools.