7/29/2019 eBusiness Trust Inhibitors
Information assurance experts, standards bodies and
economists have long been striving to highlight the impact
and risks associated with the lack of secure information
systems and practices in the industry. Currently, the state of
assurance offered by enterprise computing infrastructure and the
challenges in improving it affect not just the commercial business,
but also national security and individuals' identities, as more
classes of systems are becoming web-enabled. When citizens'
private information is lost, the inherent delay in the detection of
the breach and the remediation compounds the problem. A classic
example is the infamous Hotels.com web site breach, which was
discovered in 2006 but had taken place during 2002-2004.1
This is just one of countless reported incidents.
Undoubtedly, such incidents result in a trust gap in the
e-business community toward information systems. Reports
also confirm that online banking is not keeping pace with the
growth of Internet use.2 The term trust inhibitors is used in
this article to identify some of the most predominant threats
prevalent today and analyze possible countermeasures.
Major Threats and Targets
Cyber Security Industry Alliance (CSIA), an advocacy
group dedicated to ensuring the privacy, reliability and integrity
of information systems,3 created the Digital Confidence Index
(DCI) as a means for tracking public confidence in key elements
of various networks. The relative movement of the
DCI over recent years indicates that the market is very sensitive
to security breaches and, as a consequence, consumers' degree
of trust toward information systems fades. A recent report from
an independent survey group, InfoSentry Services Inc., has
corroborated this observation.4 Figure 1 lists recent industry
surveys. These surveys cover global audiences, cross-sections
of industries and various revenue groups and, thus, reflect the
global trend. The objective here is not to offer a comprehensive
listing, but to provide the reader the necessary information to
understand the degree of impact and scale.
The surveys also reveal that outside threats are primarily
from viruses, spam, phishing and other malicious agents, and
result largely in identity theft and customer data loss. Similarly,
insiders are behind intellectual property theft and exposure of a
company's sensitive information. Almost all of these surveys
conclude that there is a steady growth in threats across the globe
that directly weakens economies, national security and privacy.
Thus, the promises of advancement resulting from e-commerce
to global business growth are challenged not by the hacker
community alone, but also by the flaws in underlying
technology and current e-business practices.
Information Flow Controls
Deeper analysis of the nature of threats revealed in those
industry surveys shows that the e-business communities can
gain better control of the threats and improve customer
confidence if the problem is analyzed in the following way
and addressed appropriately:
What are the mechanisms the e-business portals have in
place to bring the customers to their portal without
becoming the victim of threats such as phishing?
What are the controls the business has in place to ensure that
the user can complete an initiated e-transaction successfully
without the session being hijacked or spoofed in the middle
of an ongoing transaction?
If the above two potential issues are addressed,
subsequently:
What infrastructure controls does the organization have in
place to guarantee customers their privacy?
Does the organization have practices in place that assure
users that their personal data are removed at their request
from the organization's control?
Outsider Attacks
The sophistication of attacks that originate outside the
corporate boundary has been increasing over the years, as has
the sophistication of security controls. Julia Allen5 has elegantly represented the trend, which is reproduced here in
figure 2. In the early 1990s, attacks such as traffic-sniffing
and session hijacking were the predominant threats. In recent
years, however, the threat sources, their nature and
sophistication have changed considerably. Today, Trojans,
worms and blended viruses are the major threats; these, along
with new modes of spreading (e.g., instant messaging [IM],
mobile devices) and social engineering exploitations, have
introduced considerable vulnerability in the e-business user
environment. Phishing combined with pharming has taken
advantage of the situation. The combination of vulnerabilities
exploited in phishing-based attacks makes them very
successful and, hence, deserves a deeper analysis.

Figure 1: Recent Industry Surveys
2006 Australian Computer Crime and Security Survey
Enterprise Security Survey, APANI, 2006
2006 Global Security Survey, Deloitte Touche Tohmatsu
Consumer Perspectives of Online Banking Security: Entrust Internet Security Survey, October 2005, Entrust Inc.
E-Crime Watch Survey, CSO magazine, 2006
Phishing Activity Trends Report, Anti-Phishing Working Group, 2006, www.antiphishing.org
US Survey: Confidential Data at Risk, Ponemon Institute LLC, 2006
Utility IT Executives Expect Breach of Critical SCADA Systems, Pipeline & Gas Journal, 2006, www.pipelineandgasjournal.com

E-business: Trust Inhibitors
By Ramanan R. Ramanathan, Ph.D., CISSP
Copyright 2008 ISACA. All rights reserved. www.isaca.org.
Phishing is a semantic attack, wherein a successful
attack depends on a discrepancy between the ways a user
perceives a communication, such as an e-mail message
or a web page access, and the communications actual effect.6
Mass e-mailing (spam) is one of the ways this attack spreads.
Figure 3 schematically shows a typical business user-to-
portal communication path in a phishing attack. A user
(Alice) who is the recipient of a fraudulent e-mail initiates a
request and arrives at an unintended portal, as the fake site
has a near-identical look and feel as a legitimate site.
Complexity in the Internet model and sophisticated social-
engineering tactics deceive even more security-wary
customers. This form of threat has two independent entry
channels: social engineering and technology vulnerability.
Attackers keep up their success level by constantly shifting
their attack channel. For example, a legitimate user can be
redirected to a hacker's site by vulnerabilities such as Domain
Name System (DNS) cache poisoning and URL obfuscation.
On the other hand, even if a user succeeds in connecting to the
intended site via end-to-end secured channels, such as Secure
Sockets Layer (SSL), a Trojan or virus on an infected client
computer can obtain the authentication credentials, either
actively (online) or passively (offline), and make them available
to the hacker for impersonation. Usually the phishing sites are
shut down once they are detected; however, as of 2005, the attack
lifetime (time from an attack's appearance to its shutdown) has
been estimated to be 5.3 days or 127 hours.7
The major hurdles to achieving a near-zero lifetime are the
lack of cross-border cyberlaws and the use of hacked servers
as origins of phishing. According to an Internet survey report
taken for the span of 1995-2005, Internet usage has been
growing at a rate of more than 180 percent globally.8 Less-
advanced countries increasingly are becoming users of the
information highway. With increased reliance on e-financial
transactions across the globe and growing participation from
countries that lack appropriate cyberlaws, one can anticipate
severe impacts in the coming years. Reports reveal that there
is a 5 percent success rate due to the new phishing attack tactics, despite various countermeasures.9
Recommendations from the US Federal Trade Commission
(FTC) about use of SSL have not proven effective in
thwarting these attacks. In an unpatched Internet Explorer
(IE) browser, a URL similar to https://www.paypal.com%01
[string of ~60 %01 elided]@207.172.183.20/f/ can still
take a user to a phishing site.
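The URL shape above works because a browser may display the authority part differently from how it resolves it: everything before the last "@" is userinfo, and the real host follows it. As an added example (not code from the article), the Python below parses a URL as RFC 3986 does, reports the host that will actually be contacted, and flags the userinfo trick; it also covers a related case the article does not spell out, a protected brand name embedded in an unrelated host. The protected-domain list, the sample URL and its 203.0.113.10 address (an RFC 5737 documentation address) are constructed for the example.

```python
"""Flag a URL whose authority section is built to mislead the reader.

Added example, not code from the article. It checks for the pattern the
article describes: a trusted name placed in the userinfo part of the URL
(the text before '@'), padded with percent-encoded control characters so
that the real host after '@' is overlooked. It also covers a related case
the article does not spell out: a protected name embedded in an unrelated
host (e.g. a deceptive subdomain). Domain list, sample URL and address
(an RFC 5737 documentation address) are constructed for the example.
"""
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Constructed: brand domains this check is asked to protect.
PROTECTED_DOMAINS = ("paypal.com", "example-bank.com")

# Constructed sample in the shape the article shows; not a real address.
SAMPLE_SPOOFED_URL = "https://www.paypal.com%01%01%01%01@203.0.113.10/f/"

_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def _is_protected(name: str) -> bool:
    """True if name is one of the protected domains or a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in PROTECTED_DOMAINS)


def analyze_url(url: str) -> dict:
    """Return the host the browser will actually contact and any suspicion reasons."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []

    # Everything before the last '@' in the authority is userinfo, not host.
    userinfo = parts.netloc.rsplit("@", 1)[0] if "@" in parts.netloc else ""
    if userinfo:
        decoded = unquote(userinfo)
        if _CONTROL_CHARS.search(decoded):
            reasons.append("percent-encoded control characters in userinfo")
        # The part a truncating display would show: up to the first control
        # character, without any ':password' suffix.
        shown = _CONTROL_CHARS.split(decoded)[0].split(":", 1)[0]
        if _is_protected(shown):
            reasons.append(f"protected name '{shown}' before '@'; real host is '{host}'")
        elif "." in shown:
            reasons.append("hostname-like userinfo before '@'")

    # A protected label appearing inside a host that is not that domain.
    if not _is_protected(host) and any(d in host for d in PROTECTED_DOMAINS):
        reasons.append(f"protected name embedded in unrelated host '{host}'")

    # A brand site served from a bare IP address is worth a second look.
    try:
        ipaddress.ip_address(host)
        reasons.append("host is a raw IP address")
    except ValueError:
        pass

    return {"host": host, "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for u in (SAMPLE_SPOOFED_URL, "https://www.paypal.com/signin",
              "https://www.paypal.com.login-example.test/"):
        print(u, "->", analyze_url(u))
```

The check reports reasons rather than a single verdict so that a mail gateway or proxy can log why a link was held; the raw-IP signal on its own is weak and is listed separately for that reason.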
Stronger conventional authentication mechanisms, such as a
one-time password and two-factor authentication implemented
by secure e-sites, are also not spared. Customers of Citibank
were recent victims of an attack that bypassed two-factor authentication, too.10
Figure 2: External Attack Trend
This threat will continue to be a major trust inhibitor in the
e-commerce space unless the market moves toward more end-to-end secure and robust e-business practices. Research
efforts have shown that measures such as digitally signing
e-mails, forcing browser toolbar usage at desktop levels and
securing the path for capturing user credentials as part of the
authentication process itself, could improve resistance against
such attacks.11 The security state at which an e-user
transaction is carried out should be dependent on both the
client environment and the nature or value of the transaction
itself. Methods such as out-of-band verification (confirmation
via SMS, automated phone message, etc.) and intermittent but
limited reauthentications can prevent fraudulent transactions
and enable faster detection of breaches.
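The rule in the preceding paragraph can be written down as a policy. The Python below is an added example, not code from the article: it scores a transaction from its value, the client environment and the age of the current authentication, and returns whether to allow it, ask for a limited reauthentication, or require out-of-band confirmation (SMS or automated call, as the article suggests). Every threshold, weight and field name is an assumption constructed for the example.

```python
"""Decide how much assurance an e-transaction needs before it proceeds.

Added example, not code from the article. It turns the article's rule
(the security state of a transaction should depend on the client
environment and on the value of the transaction) into a small policy:
low-value requests from a known, healthy client proceed on the existing
session; riskier ones require a limited reauthentication or an out-of-band
confirmation. Thresholds, weights and field names are constructed.
"""
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    ALLOW = "allow"
    REAUTHENTICATE = "reauthenticate"   # limited re-entry of the credential
    OUT_OF_BAND = "out_of_band"         # confirm via SMS / automated phone call
    DENY = "deny"


@dataclass
class Context:
    amount: float                 # transaction value in the account currency
    known_device: bool            # device previously seen for this customer
    client_health_ok: bool        # endpoint posture signal (patched, no known compromise)
    new_payee: bool               # first payment to this destination
    session_age_s: int            # seconds since the last authentication
    failed_oob_attempts: int = 0  # out-of-band confirmations already failed this session


# Constructed policy values.
REAUTH_AGE_S = 15 * 60   # intermittent reauthentication after 15 minutes
LOW_VALUE = 100.0
HIGH_VALUE = 1000.0
MAX_OOB_FAILURES = 3


def risk_score(ctx: Context) -> int:
    """Additive score; each signal is one the article associates with fraud."""
    score = 0
    if ctx.amount >= HIGH_VALUE:
        score += 3
    elif ctx.amount >= LOW_VALUE:
        score += 1
    if not ctx.known_device:
        score += 2
    if not ctx.client_health_ok:
        score += 3
    if ctx.new_payee:
        score += 2
    return score


def decide(ctx: Context) -> Action:
    """Map the score and session age to the assurance step the transaction needs."""
    if ctx.failed_oob_attempts >= MAX_OOB_FAILURES:
        return Action.DENY                  # repeated OOB failures: stop and alert
    score = risk_score(ctx)
    if score >= 5:
        return Action.OUT_OF_BAND           # high value to a new payee, or unhealthy client
    if score >= 2 or ctx.session_age_s > REAUTH_AGE_S:
        return Action.REAUTHENTICATE        # moderate risk, or credential has aged
    return Action.ALLOW


if __name__ == "__main__":
    cases = [
        Context(40.0, True, True, False, 120),
        Context(40.0, True, True, False, 20 * 60),
        Context(5000.0, True, True, True, 60),
        Context(5000.0, True, False, False, 60),
    ]
    for c in cases:
        print(c, "->", decide(c).value)
```

Each decision other than ALLOW is also an event worth recording: a burst of OUT_OF_BAND or DENY outcomes across many customers is the kind of signal that shortens the detection delay the article complains about.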
Insider Threats
Assuming that the e-business owners have taken the
required steps to guarantee a legitimate user with mechanisms
to initiate, establish and preserve a secure communication
with the intended business portal, the subsequent major
challenge rests with the business owners who own the
customer information. As of today, not all businesses can
guarantee confidentiality and privacy of customer data,
especially small and medium enterprises (SMEs), as most do
not have appropriate processes in place within their corporate
boundaries. On the other hand, in attempts to comply with
various regulations, large organizations have bolstered their network and infrastructure considerably; they have
implemented layered security to some degree. However, in the
face of new user-friendly technologies, such as Bluetooth-
enabled and mobile devices for communication (e.g., personal
digital assistants), storage devices (e.g., USB, flash drives),
and modes of communication such as instant messaging (IM),
even these large enterprises face challenges.
Various potential data leak channels have started
appearing. They are discussed in the following sections.
Figure 3: Phishing and Pharming Outsider Threats

Mobile Devices
Figure 4 presents a logical view of the security posture
attained by most enterprises as a result of conventional security
practices. As part of the layered security approach, mature
organizations deploy physical, technical (e.g., firewalls,
intrusion systems, middleware security controls) and other
administrative controls (e.g., policies, procedures). However,
new channels of data flowing in and out of enterprises have
made the enterprises porous and vulnerable; mobile devices
such as laptops, MP3 players, iPods, USB drives and Bluetooth
devices on personal computers are not adequately controlled.12
These devices have become carriers of Trojans and malware into
a secured enterprise and contribute to confidential data leaks
out of the corporate boundary. For example, with a USB 2.0
device, data transfer rates can go up to 480 megabits per second.
At these rates, it takes less than five minutes to move up to 60
gigabytes of data. Active Directory Server (ADS)-based group
policies are traditionally implemented across corporate intranets
to enforce security baselines and control employees' Windows
desktop environments. Unfortunately, these are incapable of
controlling the use of end point devices. Furthermore, the user-
friendly plug and play capability in operating systems
facilitates instantaneous use of such devices in any corporate
computer. Security products such as DeviceLock and
SecureWave's Sanctuary are gaining popularity to prevent
unauthorized use of such devices and audit the data flow across
the end points. However, the lack of widespread use of such
controls in the e-business intranet boundary is still a major
concern that will contribute to e-user distrust.
A recent survey of more than 240 respondents shows that
only 9 percent of enterprises have deployed a comprehensive
security architecture that includes mobile device access.13
Kaspersky Lab (usa.kaspersky.com) has done extensive
analysis on the mobile device vulnerabilities and threats, and
a listing of various mobile device viruses is available from
viruslist.com.
Organizations need to evolve security policies that cover
end point device use and implement security controls to
prevent data leakage through this channel.
Enterprise Digital Rights Management
Organizations store company and customer data in
repositories such as directory servers, legacy systems and
other relational data systems. Various breeds of applications
are used to mine the data and derive value from them for
business needs (figure 4).
As a starting point of a due-diligence information security
exercise, data classification is performed within organizations.
Security policies are evolved to outline how data need to be
handled by the users. Corporate users are provided access to
data assets, based on the access control policies.
However, the control ceases when most of the confidential
data in the intranet domain is translated into documents and
spreadsheets for business purposes. A legitimate user of
confidential data can store the data locally in the hard drive or mobile device, or trigger the risk of instantaneously sharing
the same with someone unknown via an IM application.
As of today, no widespread technical mechanism is in
place within the industry to prevent any intentional or
inadvertent sharing or copying of such data or documents.
Frameworks such as enterprise rights management (ERM) or
information rights management (IRM) offer promise to raise
the security barrier on this vulnerable channel.
With ERM capability, enterprises have the potential to tie
the security to the information itself, wherever it travels.14
Figure 4: Enterprise Data Flow Channels (Logical View)
Surveys show that IP and confidential data theft amounts
to millions of US dollars globally; yet enterprises seem to
have left this channel porous. With the increased use of
remote access to corporate networks (via mobile devices and
corporate laptops), the data are subject to new exposure
scenarios that enable a hacker to gain access to corporate data
in home PCs more easily. Survey results show that nearly 80 percent of home computer users do not have appropriate
forms of security solutions in their PCs.15 Thus, unless
enterprises tie security to data by some form of data life cycle
management mechanisms or frameworks, such as ERM, this
channel will continue to inhibit user confidence.
Instant Messaging
Surveys show that there is tremendous growth in IM use
over recent years. A recent AOL survey revealed that
70 percent of Internet users use IM forms of communication;
49 percent use it for major business decisions and 26 percent
use it to transfer files in the workplace.16 This means that
sensitive corporate or personal data are potentially transmitted through untrusted third-party servers. Surveys have indicated
this as a major evolving threat.
The reasons for this emerging challenge are very obvious:
the IM architecture is insecure by design and has not changed
over the years. IM applications are still vulnerable to attacks
such as buffer overflow and denial-of-service.17 The closed
and proprietary nature of the protocols makes it difficult for
enterprises to tackle this threat by traditional technical
controls at the corporate perimeter level. For a hacker,
spreading the attack via IM does not require scanning
unknown IP addresses; it is as simple as choosing the target
from an updated directory of any IM user.
To thwart these threats, enterprises need to implement
comprehensive security suites consisting of perimeter- and
protocol-aware, signature-based filtering tools (such as
solutions from IMLogic, Websense and SurfControl).
However, surveys indicate such adoptions are in their infancy.
Thus, this remains another potential source of threat, which businesses will continue to deal with in sustaining
e-user confidence.
Personal Data Collection
Privacy concerns remain another major impediment (trust
inhibitor) for current e-business growth. Sixty-four percent of
consumers say they decided not to buy a company's product
or service because they did not know how the company would
use their personal information.18
Enterprises collect user information for a variety of
reasons, such as improving the e-user experience to expedite
e-transactions. Privacy policies on how the user data are
handled are generally stated on the company's web site; however,
with increased reports on breaches through the
channels discussed in this paper, the privacy statements and
disclosures do not offer the required confidence to the users.
Search engines collect and store records of a user's search
queries. This carries huge potential of revealing a user's
personal history. For example, in August 2006, AOL published
650,000 users' search histories on its web site.19
Figure 5: Enterprise Data States (Rest and Motion) and Required Controls
Panels: Data Storage, Communication, Devices, Storage Point, Access and Delivery Points; ERM spans all of them.
Data at rest: database, legacy systems, LDAP, etc. Controls: access controls, TPM, encryption, audit controls.
Data at rest and in motion: PCs, laptops, PDAs, Palm Pilots, mobile phones. Controls: ERM, TPM, end-point security devices, access controls.
Data at rest and in motion: web server, e-mail server, printer, scanner. Controls: ERM, TPM, data expiration.
Data at rest: USBs, flash drives, tapes, etc. Controls: cryptographic controls, tamper-resistant hardware.
Data in motion: routers, switches, bridges, wireless access points. Controls: IPv6, SSL, encryption technologies.

In the absence of appropriate government regulation, if
search companies (business owners) proactively limit their
data retention and make the logging practices more
transparent to the public, trust could be regained. Also, in the
case of online transactions, confidence can be enhanced if
companies resort to more trustworthy online practices. For
instance, as of now there is no notion of credential
expiration offered by e-business portals, as noted by security
expert Bruce Schneier.20 Even for a one-time transaction,
many portals demand personal information from consumers,
and users are not provided with the opportunity to opt out if
they choose to terminate their association with the business at
any later point.
Better e-business practices need to be adopted by business providers to promote e-user confidence.
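The retention point of the Personal Data Collection section can be made concrete. As an added example, not code from the article, the Python below applies a retention window to a constructed search-query log: records older than the window are purged, the records kept lose the user identifier, timestamps are reduced to the day and client addresses to a network prefix, and the run produces a report that could be published alongside the privacy statement. The log format, field names, sample lines, addresses (RFC 5737 and RFC 3849 documentation ranges) and the 90-day window are all constructed.

```python
"""Enforce a published retention rule on a constructed search-query log.

Added example, not code from the article. The article argues that search
companies could regain trust by limiting data retention and making their
logging practices transparent. This shows an enforceable form of that:
records older than the retention window are dropped, the records kept lose
the fields that identify a person, and each run yields a report that could
be published. The log format, field names, sample lines, addresses (RFC
5737/3849 documentation ranges) and the 90-day window are all constructed.
"""
import ipaddress
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 90  # constructed policy value

# Constructed log: ISO-8601 UTC timestamp, user id, client IP, query text.
SAMPLE_LOG = (
    "2006-03-01T09:15:00Z\tu1001\t198.51.100.23\tbest rate savings account\n"
    "2006-05-20T18:02:11Z\tu1001\t198.51.100.23\thow to spot a phishing e-mail\n"
    "2006-06-03T07:45:30Z\tu2002\t203.0.113.77\tisaca journal\n"
    "2006-06-09T22:10:05Z\tu3003\t2001:db8::1\tsecure online banking\n"
)
SAMPLE_NOW = "2006-08-01T00:00:00Z"  # constructed 'current time' for the run


def _parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text: str) -> list:
    """Split tab-separated lines into records; the query may itself contain tabs."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, uid, ip, query = line.split("\t", 3)
        records.append({"ts": _parse_ts(ts), "uid": uid, "ip": ip, "query": query})
    return records


def generalize_ip(ip: str) -> str:
    """Keep only coarse network information: IPv4 /24, IPv6 /48."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def apply_retention(records: list, now: datetime, retention_days: int = RETENTION_DAYS):
    """Return (kept_records, report). Kept records carry no user id, only a day and a prefix."""
    cutoff = now - timedelta(days=retention_days)
    kept, dropped = [], 0
    for r in records:
        if r["ts"] < cutoff:
            dropped += 1                       # past the window: purged, not archived
            continue
        kept.append({
            "day": r["ts"].date().isoformat(),  # day granularity only
            "ip_prefix": generalize_ip(r["ip"]),
            "query": r["query"],
        })
    report = {
        "retention_days": retention_days,
        "cutoff": cutoff.date().isoformat(),
        "records_in": len(records),
        "records_dropped": dropped,
        "records_kept": len(kept),
        "fields_removed": ["uid"],
        "fields_generalized": {"ts": "day", "ip": "/24 or /48 prefix"},
    }
    return kept, report


def run_sample():
    """Apply the policy to the constructed log at the constructed 'now'."""
    return apply_retention(parse_log(SAMPLE_LOG), _parse_ts(SAMPLE_NOW))


if __name__ == "__main__":
    kept, report = run_sample()
    for row in kept:
        print(row)
    print(report)
```

Removing the user identifier matters as much as the cutoff: the AOL release cited above kept a per-user pseudonym, which is enough to reassemble a person's history from the queries alone.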
Data Are the Key
It is clear that various challenges faced in securing data are
caused by the way the security is associated with data in their
various states. In the current computing model, data (as
chunks of bits and bytes) and their security are viewed and
related independently. An enterprise system is as secure as its
weakest link. Similarly, in an enterprise, data are as secure as
their weakest state in their life cycle. Figure 5 shows that data
in an organization can reside in a relational database or legacy
system, can be transmitted by wired or wireless media, can be
made accessible via web server or e-mail systems, can be
distributed as documents or spreadsheets, and finally can be
persisted/maintained in any kind of storage device. The state
of data fundamentally is either at rest or in motion. The
combination of technologies used could vary based on an
enterprise's security posture and maturity.
However, the critical data-and-security link must be
preserved. Irrespective of the state and nature of technologies
in use, if data owners can guarantee and get assurance that the
security level of data is not compromised by their state, there
is a tremendous potential for e-business growth. The risks
surrounding personal computers or laptops and mobile
devices, as data access and data storage points, can be
mitigated by use of hardware-based security technologies,
such as Trusted Platform Module (TPM) and IBM's
SecureBlue.21 These technologies allow the information to be
bound to the platform by cryptographic means and help to
thwart threats triggered by rootkits and Trojans. The data
secured with these technologies cannot be accessed if the data
migrate (are copied) to a different platform or the binding conditions
on the same platform are not met. Vendors such as Dell, IBM,
HP, Sony and Intel Inc. have already started providing this
capability to their PCs and laptops; however, the TPM is
generally not activated. Enterprises, especially financial
sectors and government agencies, can offer more secure
operating conditions against the threats highlighted in this
article if systems are forced to activate these features across
the organizations.
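The platform binding described here and the "security tied to the information itself" of the Enterprise Digital Rights Management section rest on the same mechanism: data is encrypted under a key that can only be reconstructed when stated conditions hold, so a copy on another platform, or in the hands of someone not entitled, is just ciphertext. The Python below is an added example, not code from the article or from any TPM or ERM product; it models a PCR-style platform measurement, a principal entitlement and an expiry as sealing conditions. The root key (standing in for a key that never leaves the platform), the HMAC-based keystream used instead of a real cipher, and the record format are constructed for illustration.

```python
"""Bind data to the conditions under which it may be opened.

Added example, not code from the article or from any TPM or ERM product.
It models the two mechanisms the article pairs: a platform measurement in
the style of a TPM PCR that must match before sealed data can be unsealed,
and rights that travel with the document (an entitled principal and an
expiry, as in ERM). The root key stands in for a key that never leaves the
platform; the HMAC-based keystream is a dependency-free stand-in for a real
cipher; the PCR layout and record format are constructed for the example.
"""
import hashlib
import hmac
import json
import os
import struct

DIGEST = hashlib.sha256


class UnsealError(Exception):
    """Raised when a binding condition fails or the record was altered."""


def extend_measurements(measurements) -> bytes:
    """PCR-style extend: fold each measured component into one running digest."""
    pcr = b"\x00" * 32
    for m in measurements:
        pcr = DIGEST(pcr + DIGEST(m).digest()).digest()
    return pcr


def _canon(policy: dict) -> bytes:
    return json.dumps(policy, sort_keys=True, separators=(",", ":")).encode()


def _derive_key(root_key: bytes, policy: dict) -> bytes:
    """The unseal key exists only for this exact policy (PCR, principal, expiry)."""
    return hmac.new(root_key, b"seal-key|" + _canon(policy), DIGEST).digest()


def _xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: HMAC(key, nonce || counter) blocks XORed over the data."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + struct.pack(">I", i // 32), DIGEST).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def seal(plaintext: bytes, root_key: bytes, pcr: bytes, principal: str, expires: int) -> dict:
    """Encrypt plaintext so it opens only under the given PCR, principal and expiry."""
    policy = {"pcr": pcr.hex(), "principal": principal, "expires": expires}
    key = _derive_key(root_key, policy)
    nonce = os.urandom(16)
    ct = _xor_keystream(key, nonce, plaintext)
    tag = hmac.new(key, _canon(policy) + nonce + ct, DIGEST).digest()
    return {"policy": policy, "nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def unseal(blob: dict, root_key: bytes, current_pcr: bytes, principal: str, now: int) -> bytes:
    """Check every binding condition, then verify integrity, then decrypt."""
    policy = blob["policy"]
    if policy["pcr"] != current_pcr.hex():
        raise UnsealError("platform measurement mismatch: data copied or platform changed")
    if policy["principal"] != principal:
        raise UnsealError("principal not entitled to this data")
    if now > policy["expires"]:
        raise UnsealError("rights expired")
    key = _derive_key(root_key, policy)
    nonce, ct = bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ct"])
    expected = hmac.new(key, _canon(policy) + nonce + ct, DIGEST).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(blob["tag"])):
        raise UnsealError("integrity check failed: policy or ciphertext was altered")
    return _xor_keystream(key, nonce, ct)


def try_unseal(blob, root_key, current_pcr, principal, now):
    """Convenience wrapper: (True, plaintext) or (False, reason)."""
    try:
        return True, unseal(blob, root_key, current_pcr, principal, now)
    except UnsealError as e:
        return False, str(e)


if __name__ == "__main__":
    root = b"constructed root key bound to this platform"
    good = extend_measurements([b"firmware", b"bootloader", b"kernel"])
    blob = seal(b"customer record", root, good, "alice", 2000)
    print(try_unseal(blob, root, good, "alice", 1000))
    print(try_unseal(blob, root, extend_measurements([b"firmware", b"bootloader", b"other"]), "alice", 1000))
```

Because the policy is an input to the key derivation, editing the stored policy to match a changed platform does not help: the derived key changes and the integrity tag no longer verifies, which is the property that makes the binding tamper-evident rather than merely a check that can be skipped.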
Conclusion
In the existing computing and e-business models, the data-
and-security link strongly depends on data state. Since this
link is vulnerable, no business owner can guarantee
impregnable security; users cannot expect bulletproof safety if
they continue to adopt new technologies on the fly.
Implementing technologies (such as ERM), hardware-based
security and improved e-practices (such as context and client
environment-centric authentication, transaction verification
mechanisms, and credential expiration capabilities) at the
enterprise level can help business owners and users to build
confidence in the system.
Considering the benefits of e-business, every legitimate
beneficiary has an equal stake in improving trust in the systems.
Endnotes
1 Koerner, Brian; "Hotels.com Breach," About.com, 2006, http://idtheft.about.com/od/2006/p/Hotels_com.htm
2 Entrust, "European Internet Security Survey," June 2005, www.entrust.com/resources/download.cfm/22193/European%20Internet%20Security%20Survey%20Overview1.pdf
3 CSIA, "Internet Security National Survey," no. 3, CSIA report, 2006, https://www.csialliance.org
4 InfoSentry Services Inc., "Americans' Confidence Drops in Information Security Capabilities of Large Corporations and the Federal Government," January 2007, www.infosentry.com/InfoSENTRY_NewsRelease_Security-Attitudes_20070129.htm
5 Allen, Julia H.; "Information Security as an Institutional Priority," Carnegie Mellon University, 2005, www.cert.org/work/organizational_security.html
6 Jagatic, T.; N. Johnson; M. Jakobsson; F. Menczer; "Social Phishing," Communications of the ACM, 2006
7 Rivner, Uri; "Dealing With Phishing Attacks," 2006, www.out-law.com/page-6947
8 Internet World Stats, "World Internet Usage and Population Statistics," www.internetworldstats.com/stats.htm
9 Op. cit., Jagatic
10 Ibid.
11 Keizer, Gregg; "Phishers Beat Citibank's Two-Factor Authentication," July 2006, www.banktech.com/news/showArticle.jhtml?articleID=191600006
12 Network Endpoint Security News, "Endpoint Security News and Information," www.watchyourend.com/category/data-theft
13 Symantec, "Economist Intelligence Unit Survey Report," The Economist, January 2006, www.symantec.com/content/en/us/about/media/mobile-security_Full-Report.pdf
14 Oltsik, Jon; "Enterprise Rights Management: A Superior Approach to Confidential Data Security," Enterprise Strategy Group Inc., May 2006
15 America Online and the National Cyber Security Alliance, "AOL/NCSA Online Safety Study," December 2005
16 Ibid.
17 Rittinghouse, John; James F. Ransome; "IM Instant Messaging Security," Digital Press Inc., USA, 2005
18 Westin, Alan F.; Lance J. Hoffman; "Security & Privacy Made Simpler," Better Business Bureau, March 2006
19 Electronic Frontier Foundation, "AOL's Massive Data Leak," August 2006, www.eff.org/Privacy/AOL
20 Schneier, Bruce; "Authentication and Expiration," IEEE Security and Privacy, January-February 2005
21 Rau, Shauna; "Trusted Computing Platform Emerges as Industry's First Comprehensive Approach to IT Security," IDC, February 2006
Ramanan R. Ramanathan, Ph.D., CISSP
is an information systems security specialist. He has done
extensive consulting for leading financial and insurance
corporations in the US, in the areas of enterprise security
architecture, Web-SSO, identity management and
infrastructure security. He regularly writes for leading security
journals and magazines. He can be reached at
Information Systems Control Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the Information Systems Control Journal.
Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content.
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25 per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.